[keycloak-user] Proof Key For Code Exchange

Jason Axley jaxley at expedia.com
Fri Mar 4 11:21:27 EST 2016

+1  OAuth bearer tokens considered harmful.

BTW, I think you mean RFC 7636:  https://tools.ietf.org/html/rfc7636

There’s also this draft that the OAuth WG is continuing to push forward regarding Proof of Possession for authentication of JWT: https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/

Not sure how they frame these two seemingly competing approaches.

Offhand I don’t see a JIRA about this?


From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stian Thorgersen <sthorger at redhat.com>
Reply-To: "stian at redhat.com" <stian at redhat.com>
Date: Friday, March 4, 2016 at 3:06 AM
To: "Kalidindi, Sai Soma Kala" <sai-soma-kala.kalidindi at hpe.com>
Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Proof Key For Code Exchange

Assuming you mean RFC 7637, Proof Key for Code Exchange by OAuth Public Clients, we are considering adding it and it's on our road-map. It will be a while until we get around to implementing it though.

If you'd like to contribute this feature to Keycloak it would be more than welcome assuming it came with tests and documentation.

On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala <sai-soma-kala.kalidindi at hpe.com> wrote:

I am a beginner in Keycloak. We are trying to implement Proof Key For Code Exchange in Keycloak, which is deployed as a container in our production right now. I would appreciate it if I could get any helpful links or advice to implement PKCE.

