Improvements to text about PKCE / IAR vs PAR / security BCP. #624
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jogu
force-pushed
the
pkce-etc-clarifications
branch
from
706c6e2 to
efba25c
Compare
awoie
approved these changes
Aug 14, 2025
charsleysa
approved these changes
Aug 14, 2025
jogu
commented
Aug 14, 2025
| # Token Endpoint {#token-endpoint} | ||
|
|
||
| The Token Endpoint issues an Access Token and, optionally, a Refresh Token in exchange for the Authorization Code that Client obtained in a successful Authorization Response. It is used in the same manner as defined in [@!RFC6749]. Implementers SHOULD follow the best current practices for OAuth 2.0 Security given in [@!BCP240]. | ||
| The Token Endpoint issues an Access Token and, optionally, a Refresh Token in exchange for the Authorization Code that Client obtained in a successful Authorization Response. It is used in the same manner as defined in [@!RFC6749]. Implementers SHOULD follow the best current practices for OAuth 2.0 Security given in [@!BCP240], see (#securitybcp). |
Contributor
Author
There was a problem hiding this comment.
Discussed on today's WG call; consensus around merging this sentence and the 710 sentence.
Contributor
Author
There was a problem hiding this comment.
Actually the sentence on line 710 is specific to IAE so that's not needed. Don't think it's worth raising a separate PR just to add a link to the securitybcp section here. We can just bundle this all in with the IAE changes.
Clarify that authorization code flow section now that we have a non-frontchannel method (IAE) to obtain authorization_code. Clarify that the recommendation to use PAR means PAR or IAE.
jogu
force-pushed
the
pkce-etc-clarifications
branch
from
efba25c to
05e5455
Compare
Contributor
Author
|
I've updated this PR to apply the changes to the 1.1 spec file. |
tplooker
approved these changes
Oct 23, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Clarify that authorization code flow section now that we have a non-frontchannel method (IAE) to obtain authorization_code.
Clarify that the recommendation to use PAR means PAR or IAE.
closes #613