+1 OAuth bearer tokens considered harmful.
BTW, I think you mean RFC 7636:
https://tools.ietf.org/html/rfc7636
There’s also this draft that the OAuth WG is continuing to push forward regarding Proof of Possession for authentication of JWT:
https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
Not sure how they frame these two seemingly competing approaches.
Offhand I don’t see a JIRA about this?
-Jason
From: <keycloak-user-bounces@lists.jboss.org> on behalf of Stian Thorgersen <sthorger@redhat.com>
Reply-To: "stian@redhat.com" <stian@redhat.com>
Date: Friday, March 4, 2016 at 3:06 AM
To: "Kalidindi, Sai Soma Kala" <sai-soma-kala.kalidindi@hpe.com>
Cc: "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Proof Key For Code Exchange
Assuming you mean RFC 7637 Proof Key for Code Exchange by OAuth Public Clients we are
considering adding it and it's on our road-map. It will be a while until we get around
to implementing it though.
If you'd like to contribute this feature to Keycloak it would be more than welcome
assuming it came with tests and documentation.
On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala <sai-soma-kala.kalidindi@hpe.com> wrote:
Hi,
I am a beginner in Keycloak. We are trying to implement Proof Key For Code Exchange in Keycloak, which is deployed as a container in our production right now. I would appreciate it if I could get any helpful links or advice on implementing PKCE.
Thanks,
Sai.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
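The PKCE mechanism this thread asks about (RFC 7636), as an added example that is not Keycloak's own code: the client-side verifier and S256 challenge derivation, checked against the RFC's Appendix B test vector, and the server-side binding of an authorization code to its challenge so that an intercepted code cannot be redeemed without the verifier. The in-memory code store and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Test vector from RFC 7636 Appendix B (the RFC's own values, not constructed here).
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

def b64url(data: bytes) -> str:
    """Base64url encoding with padding stripped, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random octets give a 43-character verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the challenge sent on the authorization request (section 4.2)."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # permitted only when the client cannot compute S256
        return verifier
    raise ValueError("unsupported code_challenge_method")

def verify_code_challenge(verifier: str, stored_challenge: str, method: str) -> bool:
    """Server side: recompute the challenge from the presented verifier (section 4.6)."""
    if not 43 <= len(verifier) <= 128:
        return False
    expected = make_code_challenge(verifier, method)
    return hmac.compare_digest(expected, stored_challenge)

# Constructed in-memory stand-in for the authorization server's code store.
ISSUED_CODES = {}

def authorize(code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: bind a fresh code to the challenge (sections 4.3 and 4.4)."""
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (code_challenge, method)
    return code

def redeem(code: str, code_verifier: str) -> bool:
    """Token endpoint: a code is single use and worthless without its verifier (section 4.6)."""
    entry = ISSUED_CODES.pop(code, None)
    if entry is None:
        return False
    challenge, method = entry
    return verify_code_challenge(code_verifier, challenge, method)
```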