Stream: smart
Topic: PKCE plain requirements
ryan moehrke (Jul 23 2021 at 16:37):
reading the CI build's language around PKCE plain I'm wondering what the actual requirements around not supporting plain are (from: https://build.fhir.org/ig/HL7/smart-app-launch/index.html#considerations-for-pkce-support)
Is a server expected to deny any auth requests using plain? With any particular code, and at which step? Or can they accept plain PKCE requests out of band of SMART (assuming they even have any non-SMART auth)?
Or is it purely a client-facing requirement, and any clients that use plain need to understand they are not using SMART and need to have no expectation that a server supporting SMART will support them?
Josh Mandel (Jul 23 2021 at 17:52):
We say that a server needs to advertise its support for PKCE and advertise the code verification methods that it supports. Those methods must not include plain.
Josh Mandel (Jul 23 2021 at 17:53):
If a server wants to support plain but advertisement doesn't support plain... I guess that could be possible? I don't know that there would be negative tests on this point in a conformance suite.
Josh Mandel (Jul 23 2021 at 17:55):
Are you thinking about this because you have a use case for the plain verification method, and you are concerned that you will not be able to support it? Is there something you can't handle with S256 or another method?
ryan moehrke (Jul 23 2021 at 21:43):
Nope, I was thinking about if/how I would negative test it and who I could hold accountable :p
Josh Mandel (Jul 23 2021 at 21:44):
I'd definitely reject an app for trying to use plain. Because it won't interoperate.
Yunwei Wang (Jul 26 2021 at 20:52):
I think the 2nd one. Client SHALL use code_challenge_method. Server SHOULD (or MAY) reject if the client uses plain (or other value).
Last updated: Apr 12 2022 at 19:14 UTC