Hi,

We’ve had some requests to add PKCE [1] to the interactive claims gathering flow [2], e.g. for public clients. Technically, there is little challenge to directly apply the PKCE code challenge/verifier, with the assumption that the authorization code is equivalent to the UMA ticket.

Has anyone done this? Any additional considerations?

Thanks,
- Alec

Alec Laws
647 822 1529
alec@identos.ca




[1] PKCE: https://tools.ietf.org/html/rfc7636
[2] https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html#claim-redirect
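
The mapping proposed in the message above, sketched as an added example that is not part of the original post or of the UMA specification: the client sends an RFC 7636 S256 challenge with the claims-gathering redirect, the authorization server binds it to the ticket it hands back, and the token request must carry the matching verifier. Carrying `code_challenge` on the claims interaction endpoint and `code_verifier` on the UMA token request is an assumption, and the `AuthorizationServer` class with its methods is hypothetical.

```python
import base64, hashlib, hmac, re, secrets

# RFC 7636 section 4.1: verifier is 43-128 unreserved characters.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
# An S256 challenge is always 43 base64url characters (32-byte digest, no padding).
CHALLENGE_RE = re.compile(r"[A-Za-z0-9_-]{43}")

def new_verifier() -> str:
    """Client side: 32 random bytes -> 43-character verifier."""
    return secrets.token_urlsafe(32)

def s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """Hypothetical in-memory model of the AS side of the proposed binding."""

    def __init__(self):
        self._challenge_by_ticket = {}

    def claims_redirect(self, ticket: str, code_challenge: str,
                        method: str = "S256") -> str:
        """Claims interaction endpoint (assumed to accept PKCE parameters).
        Returns the new ticket sent back on the claims_redirect_uri."""
        if method != "S256":          # refuse "plain": no protection if the
            raise ValueError("S256")  # redirect request itself is observed
        if not CHALLENGE_RE.fullmatch(code_challenge):
            raise ValueError("malformed code_challenge")
        new_ticket = secrets.token_urlsafe(16)
        self._challenge_by_ticket[new_ticket] = code_challenge
        return new_ticket

    def token_request(self, ticket: str, code_verifier: str) -> bool:
        """Token endpoint: the ticket plays the role of the authorization code.
        The binding is consumed on first use, so a replayed ticket fails."""
        challenge = self._challenge_by_ticket.pop(ticket, None)
        if challenge is None or not VERIFIER_RE.fullmatch(code_verifier or ""):
            return False
        return hmac.compare_digest(s256(code_verifier), challenge)

if __name__ == "__main__":
    server, verifier = AuthorizationServer(), new_verifier()
    returned = server.claims_redirect("constructed-ticket", s256(verifier))
    print("legitimate client:", server.token_request(returned, verifier))
    print("replayed ticket:  ", server.token_request(returned, verifier))
```

A ticket intercepted on the redirect back to a public client is not redeemable without the verifier, which never leaves the client until the token request.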