This is good news William! I hope more developers will become aware of PKCE through its adoption by Google. Right now there's virtually zero awareness about this option among devs.
Coincidentally we also put support for PKCE in the Nimbus OAuth/OIDC SDK this week. Regarding errors we practice what Nat suggested - i.e. we don't detail the exact cause of the error, but in the "error_description" field we list all possible causes that a client dev should check - invalid code, redirect_uri mismatch, bad pkce challenge, etc. Cheers, Vladimir On 19/01/16 07:46, William Denniss wrote: > This month we rolled out full PKCE (RFC7636) support on our OAuth endpoints. > > We'd previously implemented an earlier draft but were not conformant to the > final spec when it was published – now we are. Both "plain" and "S256" > transforms are supported. As always, get the latest endpoints from our > discovery document: > https://accounts.google.com/.well-known/openid-configuration > > If you give it a spin, let me know how you go! The team monitors the Stack > Overflow google-oauth > <http://stackoverflow.com/questions/tagged/google-oauth> tag too, for any > implementation questions. > > I'm keen to know what we should be putting in our discovery doc to declare > PKCE support (see the thread "Advertise PKCE support in OAuth 2.0 > Discovery"), hope we can agree on that soon. > > One implementation detail not covered in the spec: we error if you > send code_verifier to the token endpoint when exchanging a code that was > issued without a code_challenge being present. The assumption being that if > you are sending code_verifier on the token exchange, you are using PKCE and > should have sent code_challenge on the authorization request, so something > is amiss. > > William > > > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth -- Vladimir Dzhuvinov
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
