solid / authentication-panel

GitHub repository for the Solid Authentication Panel
MIT License

Describe PKCE requirements for WebID-OIDC protocol #64

Closed acoburn closed 3 years ago

acoburn commented 4 years ago

The current WebID-OIDC protocol definition does not mention PKCE as a mechanism for securing authentication tokens. There are good reasons why this should be used in the interaction between a client (relying party) and identity provider (it helps to avoid replay attacks in the token request interaction).

Should this mechanism be required by the WebID-OIDC specification?

kjetilk commented 4 years ago

The discussion on this issue is ongoing in the Authentication Panel.

elf-pavlik commented 3 years ago

@acoburn please re-open if the latest draft doesn't address this issue: https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md