Originally submitted by josephheenan (Joseph Heenan) on 2026-03-16
As mentioned at IETF OAuth WG call today
https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF disallows the use of SHA256 in favour of SHA-384 or SHA-512, which I believe may mean FAPI can't be used in environments that have policies that require CNSA 2.0 compliance (e.g. PKCE requires SHA256).
https://datatracker.ietf.org/doc/draft-skokan-oauth-additional-hashes/ is part of the potential fix for that.
This is probably something we consider as part of general support for post-quantum?
Bitbucket status: open
Bitbucket origin: issue 856