<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>+1 OAuth bearer tokens considered harmful.</div>
<div><br>
</div>
<div>BTW, I think you mean RFC 7636: <a href="https://tools.ietf.org/html/rfc7636">https://tools.ietf.org/html/rfc7636</a></div>
<div><br>
</div>
<div>There’s also this draft that the OAuth WG is continuing to push forward regarding Proof of Possession for authentication of JWT: <a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/">https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/</a>
Not sure how they frame these two seemingly competing approaches.</div>
<div><br>
</div>
<div>Offhand I don’t see a JIRA about this?</div>
<div><br>
</div>
<div>-Jason</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span><<a href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a>> on behalf of Stian Thorgersen <<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>"<a href="mailto:stian@redhat.com">stian@redhat.com</a>" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Friday, March 4, 2016 at 3:06 AM<br>
<span style="font-weight:bold">To: </span>"Kalidindi, Sai Soma Kala" <<a href="mailto:sai-soma-kala.kalidindi@hpe.com">sai-soma-kala.kalidindi@hpe.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Proof Key For Code Exchange<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Assuming you mean RFC 7637 Proof Key for Code Exchange by OAuth Public Clients we are considering adding it and it's on our road-map. It will be a while until we get around to implementing it though.
<div><br>
</div>
<div>If you'd like to contribute this feature to Keycloak it would be more than welcome assuming it came with tests and documentation. </div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala <span dir="ltr">
<<a href="mailto:sai-soma-kala.kalidindi@hpe.com" target="_blank">sai-soma-kala.kalidindi@hpe.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am a beginner in keycloak. We are trying to implement Proof Key For Code Exchange in the keycloak, which is deployed as a container in our production right now. I would appreciate If I can get any helpful links or advice to implement
PKCE. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal">Sai. <u></u><u></u></p>
</div>
</div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span>
</body>
</html>