Technical Summary
OAuth 2.0 public clients utilizing the Authorization Code Grant
are susceptible to the authorization code interception attack.
This specification describes the attack as well as a technique
to mitigate against the threat.
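The code challenge mechanism the document specifies, shown as an added example that is not part of this writeup or the specification text: it implements the two code_challenge_method values the document registers, "plain" and "S256", and assumes a minimal in-memory authorization server (a hypothetical stand-in for a real one) to show why an interceptor holding only the authorization code cannot redeem it.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved characters, the minimum verifier length.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str, method: str) -> str:
    # "plain": challenge is the verifier itself.
    # "S256": BASE64URL(SHA256(ASCII(verifier))) with the '=' padding removed.
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unknown code_challenge_method: {method}")


class AuthorizationServer:
    """Hypothetical in-memory server: remembers the challenge bound to each issued code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, challenge: str, method: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (challenge, method)
        return code

    def token(self, code: str, verifier: str) -> bool:
        entry = self._codes.pop(code, None)  # single use: a code is consumed on first redemption
        if entry is None:
            return False
        challenge, method = entry
        # Constant-time comparison of the recomputed challenge against the stored one.
        return hmac.compare_digest(code_challenge(verifier, method), challenge)


def demo(method: str = "S256") -> tuple[bool, bool]:
    """Returns (interceptor_succeeded, legitimate_client_succeeded)."""
    server = AuthorizationServer()
    verifier = make_code_verifier()          # kept on the client, never sent to the redirect URI
    code = server.authorize(code_challenge(verifier, method), method)
    intercepted = server.token(code, make_code_verifier())  # has the code, not the verifier
    code = server.authorize(code_challenge(verifier, method), method)  # fresh code for the client
    legitimate = server.token(code, verifier)
    return intercepted, legitimate
```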
Working Group Summary
The working group last call for this document was started
soon after the document was adopted as a WG item. A substantial
number of comments were received and the subsequent document
versions addressed those comments. No difficult decisions
had to be made by the chairs or the group.
Document Quality
PingIdentity, Google, and Deutsche Telekom have implementations
of the plain code challenge method. Additional information on
implementations can be found in the shepherd report.
Review from an ABNF expert is requested. Specific questions are
included in the shepherd writeup.
Personnel
Hannes Tschofenig is the document shepherd and the responsible area
director is Kathleen Moriarty.
IANA Note
This document allocates three new parameters in the existing OAuth
parameter registry (see Section 6.1) and creates a new registry
called 'PKCE Code Challenge Method', with Expert Review required (RFC 5226).
This document adds two values to the PKCE Code Challenge Method registry, as defined
in Section 6.2.2.