...
Eve described the OAuth 2.1 proposal from the IETF 106 OAuth 1 session and its enthusiasm for code+PKCE (and a further set of protections). George is concerned about this being insufficient for mobile wallet-binding protection. Adrian echoes this concern. How to ensure trust when talking to the correct client (instance, not just class)?
...