Proof Key for Code Exchange by OAuth Public Clients

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    oauth mailing list <>,
    oauth chair <>
Subject: Protocol Action: 'Proof Key for Code Exchange by OAuth Public Clients' to Proposed Standard (draft-ietf-oauth-spop-15.txt)

The IESG has approved the following document:
- 'Proof Key for Code Exchange by OAuth Public Clients'
  (draft-ietf-oauth-spop-15.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:

Technical Summary

   OAuth 2.0 public clients utilizing the Authorization Code Grant 
   are susceptible to the authorization code interception attack.  
   This specification describes the attack as well as a technique 
   to mitigate against the threat.

Working Group Summary

  The working group last call for this document was started 
  soon after the document was adopted as a WG item. A substantial
  number of comments were received and the subsequent document 
  versions addressed those comments. No difficult decisions
  had to be made by the chairs or the group. 

Document Quality

PingIdentity, Google, and Deutsche Telekom have implementations 
of the plain code challenge method.  Additional information on 
implementations can be found in the shepherd report.

Review from an ABNF expert is requested.  Specific questions are 
included in the shepherd writeup.


Hannes Tschofenig is the document shepherd and the responsible area 
director is Kathleen Moriarty. 


This document allocates three new parameters to the existing OAuth 
parameter registry (see Section 6.1) and creates a new registry 
called 'PKCE Code Challenge Method' registry, with expert review required, RFC5226. 
This document adds two values to the PKCE Code Challenge Method registry, as defined 
in Section 6.2.2.