Proof Key for Code Exchange by OAuth Public Clients
Draft of message to be sent after approval:
From: The IESG <email@example.com>
To: IETF-Announce <firstname.lastname@example.org>
Cc: RFC Editor <email@example.com>, oauth mailing list <firstname.lastname@example.org>, oauth chair <email@example.com>
Subject: Protocol Action: 'Proof Key for Code Exchange by OAuth Public Clients' to Proposed Standard (draft-ietf-oauth-spop-15.txt)

The IESG has approved the following document:
- 'Proof Key for Code Exchange by OAuth Public Clients' (draft-ietf-oauth-spop-15.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group. The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/
Technical Summary

OAuth 2.0 public clients that use the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack and a technique to mitigate the threat.

Working Group Summary

The working group last call for this document started soon after the document was adopted as a WG item. A substantial number of comments were received, and the subsequent document versions addressed them. No difficult decisions had to be made by the chairs or the group.

Document Quality

PingIdentity, Google, and Deutsche Telekom have implementations of the plain code challenge method. Additional information on implementations can be found in the shepherd report. Review from an ABNF expert is requested; specific questions are included in the shepherd writeup.

Personnel

Hannes Tschofenig is the document shepherd, and Kathleen Moriarty is the responsible area director.

IANA Note

This document allocates three new parameters in the existing OAuth parameter registry (see Section 6.1) and creates a new registry, the 'PKCE Code Challenge Method' registry, with Expert Review required (RFC 5226). This document adds two values to the PKCE Code Challenge Method registry, as defined in Section 6.2.2.