+1 OAuth bearer tokens considered harmful.

BTW, I think you mean RFC 7636:  https://tools.ietf.org/html/rfc7636

There’s also this draft that the OAuth WG is continuing to push forward regarding Proof of Possession for authentication of JWT:  https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/  Not sure how they frame these two seemingly competing approaches.

Offhand I don’t see a JIRA about this?

-Jason

From: <keycloak-user-bounces@lists.jboss.org> on behalf of Stian Thorgersen <sthorger@redhat.com>
Reply-To: "stian@redhat.com" <stian@redhat.com>
Date: Friday, March 4, 2016 at 3:06 AM
To: "Kalidindi, Sai Soma Kala" <sai-soma-kala.kalidindi@hpe.com>
Cc: "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Proof Key For Code Exchange

Assuming you mean RFC 7637, Proof Key for Code Exchange by OAuth Public Clients, we are considering adding it, and it's on our road-map. It will be a while until we get around to implementing it, though.

If you'd like to contribute this feature to Keycloak, it would be more than welcome, assuming it came with tests and documentation.

On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala <sai-soma-kala.kalidindi@hpe.com> wrote:

Hi,

I am a beginner in Keycloak. We are trying to implement Proof Key For Code Exchange in Keycloak, which is deployed as a container in our production right now. I would appreciate it if I could get any helpful links or advice to implement PKCE.

Thanks,

Sai.


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
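Sai asks above how PKCE would be implemented, and Jason points to the right document, RFC 7636. The following is an added illustration for readers of this thread; it is not code from Keycloak or from anyone on the list. It carries out the two halves the RFC specifies: the client derives an S256 code_challenge from a random code_verifier, and the authorization server checks the verifier presented at the token endpoint against the challenge it stored with the issued code. The function names and the in-memory "server state" in simulate_flow are my own; the known-answer pair used in the test comes from RFC 7636 appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Characters allowed in a code_verifier (RFC 7636 section 4.1: the unreserved set)
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(data: bytes) -> str:
    """BASE64URL encoding with the '=' padding removed (RFC 7636 appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy random string of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be 43..128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_from_verifier(verifier: str, method: str = "S256") -> str:
    """code_challenge sent with the authorization request (RFC 7636 section 4.2)."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # allowed by the RFC, but gives no protection if the request leaks
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint (RFC 7636 section 4.6).

    The authorization server kept (challenge, method) alongside the issued
    authorization code; the client now presents code_verifier with that code.
    """
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(ch not in UNRESERVED for ch in presented_verifier):
        return False
    try:
        expected = code_challenge_from_verifier(presented_verifier, stored_method)
    except ValueError:
        return False
    # Constant-time comparison so the check does not leak through timing.
    return hmac.compare_digest(expected, stored_challenge)


def simulate_flow() -> dict:
    """Walk one authorization-code exchange end to end.

    Hypothetical in-memory server state only; no network and no real Keycloak involved.
    """
    # 1. Client creates the verifier, derives the challenge, sends only the challenge
    #    with the authorization request.
    verifier = generate_code_verifier()
    challenge = code_challenge_from_verifier(verifier, "S256")

    # 2. Authorization server issues a code and remembers the challenge for it.
    issued_code = secrets.token_urlsafe(16)
    server_state = {issued_code: (challenge, "S256")}

    # 3. The legitimate client redeems the code with the original verifier.
    stored_challenge, stored_method = server_state[issued_code]
    legit_ok = verify_pkce(stored_challenge, stored_method, verifier)

    # 4. A party holding only the code and the (public) challenge cannot recover the
    #    verifier from the SHA-256 output, so the exchange is refused. This is the
    #    property that makes PKCE worth adding for public clients.
    intercept_ok = verify_pkce(stored_challenge, stored_method, challenge)

    return {"legitimate_client": legit_ok, "holder_of_code_only": intercept_ok}


if __name__ == "__main__":
    print(simulate_flow())
```

Note that PKCE only binds the redemption of the authorization code to the client that started the flow; it says nothing about who may later present the resulting access token, which is the gap the proof-of-possession draft Jason mentions is aimed at. The two are therefore complementary rather than competing.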