+1 OAuth bearer tokens considered harmful. BTW, I think you mean RFC 7636: https://tools.ietf.org/html/rfc7636 There’s also this draft that the OAuth WG is continuing to push forward regarding Proof of Possession for authentication of JWT: https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/ Not sure how they frame these two seemingly competing approaches. Offhand I don’t see a JIRA about this? -Jason From: <keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> on behalf of Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> Reply-To: "stian@redhat.com<mailto:stian@redhat.com>" <stian@redhat.com<mailto:stian@redhat.com>> Date: Friday, March 4, 2016 at 3:06 AM To: "Kalidindi, Sai Soma Kala" <sai-soma-kala.kalidindi@hpe.com<mailto:sai-soma-kala.kalidindi@hpe.com>> Cc: "keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>" <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: Re: [keycloak-user] Proof Key For Code Exchange Assuming you mean RFC 7637 Proof Key for Code Exchange by OAuth Public Clients we are considering adding it and it's on our road-map. It will be a while until we get around to implementing it though. If you'd like to contribute this feature to Keycloak it would be more than welcome assuming it came with tests and documentation. On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala <sai-soma-kala.kalidindi@hpe.com<mailto:sai-soma-kala.kalidindi@hpe.com>> wrote: Hi, I am a beginner in keycloak. We are trying to implement Proof Key For Code Exchange in the keycloak, which is deployed as a container in our production right now. I would appreciate If I can get any helpful links or advice to implement PKCE. Thanks, Sai. _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

Sai, Take a look at https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md. For implementation on the server side the flows are implemented in TokenEndpoint ( https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...). We'd also need this added to the JavaScript adapter https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai... . For testing we're in process of moving our tests to Arquillian so new tests should be added to https://github.com/keycloak/keycloak/tree/master/testsuite/integration-ar..., while currently most OpenID Connect/OAuth tests are in the old testsuite (embedded server). There's also a lack of documentation around OpenID Connect/OAuth, but we aim to add a chapter that includes details about what we implement, endpoints, etc.. A contribution around this would be great. One thing to clarify is that we will not accept any PRs without proper testing or documentation. If you have any further questions please ask, but you'll need to be a bit more specific than "provide some guidance" ;) On 4 March 2016 at 22:58, Kalidindi, Sai Soma Kala < sai-soma-kala.kalidindi(a)hpe.com&gt; wrote: