Question
For requests related to Authorisation Code flow, what should be the Data Holder (DH) behaviour if the metadata for code_challenge_supported_methods is not published? Can Accredited Data Recipients (ADRs) still invoke authorization code flow using PKCE claims? If so, can DHs modify the authorise URL to remove the optional claims in order to serve the request without PKCE?
Answer
The DH advertises that they do not support PKCE through the absence of the code_challenge_methods_supported parameter in their OpenID discovery document.
The ADR should check for PKCE parameters, and not attempt to use PKCE if they are absent.
When an ADR sends, to a DH that does not support PKCE, a request with the code_challenge and code_challenge_method in the request object, the DSB expects that the DH does not reject the request, but instead ignores the PKCE related parameters.
Change request 500, considered in Maintenance Iteration 11, discusses adding standard requirements for the ADR that mitigate the risk of the ADR attempting to use PKCE when the DH does not support it. If accepted, this change will be part of CDS V1.18.0.
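As an added illustration of the behaviour described in this answer (example code written for this page, not DSB or CDS reference code), the following Python sketches both sides of the exchange: the ADR looks for code_challenge_methods_supported in the DH's discovery document before adding PKCE claims to the request object, and a DH that does not publish that parameter accepts a request which still carries code_challenge and code_challenge_method, dropping those claims rather than rejecting the request. The hostnames, client identifier, state value and function names are assumptions; the S256 verifier/challenge computation follows RFC 7636, and the rejection of an unlisted method by a DH that does support PKCE is also taken from RFC 7636 rather than from this answer.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample discovery documents (not real DH metadata, hostnames assumed).
# The only difference is whether code_challenge_methods_supported is published.
DISCOVERY_WITH_PKCE = {
    "issuer": "https://dh.example",
    "authorization_endpoint": "https://dh.example/authorise",
    "code_challenge_methods_supported": ["S256"],
}
DISCOVERY_WITHOUT_PKCE = {
    "issuer": "https://dh.example",
    "authorization_endpoint": "https://dh.example/authorise",
}


def b64url_nopad(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def dh_supports_pkce(discovery: dict, method: str = "S256") -> bool:
    """ADR-side check: PKCE is usable only if the DH lists the method in its
    discovery document. A missing key means the DH does not support PKCE."""
    return method in discovery.get("code_challenge_methods_supported", [])


def make_pkce_pair() -> tuple:
    """RFC 7636 S256: 32 random bytes give a 43-char verifier;
    challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    verifier = b64url_nopad(secrets.token_bytes(32))
    challenge = b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_request_object_claims(discovery: dict, client_id: str,
                                redirect_uri: str, state: str) -> tuple:
    """ADR side: assemble request-object claims for the authorisation request.
    PKCE claims are added only when the DH advertises S256. Returns
    (claims, verifier); verifier is None when PKCE was not used, so the ADR
    also knows not to send code_verifier to the token endpoint later."""
    claims = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    verifier = None
    if dh_supports_pkce(discovery, "S256"):
        verifier, challenge = make_pkce_pair()
        claims["code_challenge"] = challenge
        claims["code_challenge_method"] = "S256"
    return claims, verifier


def dh_accept_authorisation_request(claims: dict, supported_methods: list) -> tuple:
    """DH side. supported_methods is what the DH publishes (empty = no PKCE).
    A DH without PKCE support accepts a request that still carries PKCE claims
    and ignores them instead of rejecting it. A DH with PKCE support rejects an
    unlisted method (RFC 7636 behaviour, assumed here). Returns
    (effective_claims, pkce_ignored)."""
    if claims.get("response_type") != "code":
        raise ValueError("unsupported_response_type")
    effective = dict(claims)
    has_pkce = "code_challenge" in effective or "code_challenge_method" in effective
    if not has_pkce:
        return effective, False
    if not supported_methods:
        effective.pop("code_challenge", None)
        effective.pop("code_challenge_method", None)
        return effective, True
    method = effective.get("code_challenge_method", "plain")  # RFC 7636 default
    if method not in supported_methods or "code_challenge" not in effective:
        raise ValueError("invalid_request: unsupported or incomplete PKCE parameters")
    return effective, False


def dh_verify_code_verifier(stored_challenge: str, method: str, verifier: str) -> bool:
    """DH token-endpoint check when the authorisation code was bound to a challenge."""
    if method == "S256":
        expected = b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    elif method == "plain":
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)
```

The ADR keeps the verifier only when it actually sent a challenge, which is the check this answer asks ADRs to make; the DH path shows that dropping the PKCE claims, not rewriting the authorise URL, is what "ignores the PKCE related parameters" amounts to on the DH side.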