[Editorial] PKCE is not device bound

[deshmukhrajvardhan]

https://github.com/openid/OpenID4VCI/blob/main/openid-4-verifiable-credential-issuance-1_0.md?plain=1#L1417

mentions that not bound to a certain device (as the Authorization Code Flow does with PKCE)
PKCE doesn't bound the auth code to the device if I understand it right

https://datatracker.ietf.org/doc/html/rfc7636#section-4.1

I think it prevents MITM and reuse of the auth code for an attack as the code challenge and verifier is required in addition.

Suggestion:
The Pre-Authorized Code Flow is vulnerable to the replay of the Pre-Authorized Code, because by design, it doesn't have additional challenge and verification (as the Authorization Code Flow does with PKCE)

please feel free to suggest other wording

[jogu]

PKCE binds the authorization code to the user's session at the oauth client / verifier - so technically not quite binding it to the device (we should probably replace "device" with "session"), but roughly equivalent.

[deshmukhrajvardhan]

Session sounds better, but it might lack clarity regarding what kind of session it is and how it is created/managed.