Currently, section 5.2 "Refresh token binding" gives requirements for how an authorization server must bind the client instance to the refresh token. Could we reuse this mechanism to bind the authorization code to the client instance in the case that client auth was performed in the authorization request?
@cobward do you mean in the event we are using something like a signed PAR request?
I'm not sure that it only applies to signed PAR requests. I mean just generally that if client authentication is required at the authorization endpoint then the same requirements of binding the client instance to the authorization code still apply.
If I understand you correctly, you get a similar set of assurances like with PKCE, so I'm unsure if we want to duplicate this mechanism.
If that is the case then would it make sense to add text to that effect? Something along the lines of:
The Authorization Server is not required to bind the client instance to the authorization code, as PKCE provides sufficient mitigation of security risks.
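An added illustration, not from the draft or from this thread, of the two checks discussed above side by side at a token endpoint: PKCE S256 verification, which already ties the code to the party that started the authorization request, and an optional comparison against a client-instance identifier recorded when client authentication was performed at the authorization endpoint. The `client_instance` value, how the server obtained it, and the in-memory code store are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def s256_challenge(code_verifier: str) -> str:
    # PKCE S256: BASE64URL(SHA256(code_verifier)), per RFC 7636
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


@dataclass
class IssuedCode:
    client_id: str
    code_challenge: str
    # Assumed: identifier of the authenticated client instance, recorded only
    # when client authentication happened at the authorization endpoint.
    client_instance: Optional[str]


# Constructed in-memory store standing in for the server's code storage.
CODES: Dict[str, IssuedCode] = {}


def issue_code(client_id: str, code_challenge: str,
               client_instance: Optional[str] = None) -> str:
    code = secrets.token_urlsafe(32)
    CODES[code] = IssuedCode(client_id, code_challenge, client_instance)
    return code


def redeem_code(code: str, client_id: str, code_verifier: str,
                client_instance: Optional[str] = None) -> bool:
    record = CODES.pop(code, None)  # authorization codes are single use
    if record is None or record.client_id != client_id:
        return False
    # PKCE check: the redeemer must know the verifier behind the challenge.
    if not secrets.compare_digest(s256_challenge(code_verifier), record.code_challenge):
        return False
    # Optional instance binding: only enforced if the code was issued to an
    # authenticated instance; otherwise PKCE alone is the mitigation.
    if record.client_instance is not None and record.client_instance != client_instance:
        return False
    return True
```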