Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
George Fletcher <gffletch@aol.com> Tue, 04 January 2022 13:53 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42DB53A1C84 for <oauth@ietfa.amsl.com>; Tue, 4 Jan 2022 05:53:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.714, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iUSthehYvM_K for <oauth@ietfa.amsl.com>; Tue, 4 Jan 2022 05:53:15 -0800 (PST)
Received: from sonic308-35.consmr.mail.ne1.yahoo.com (sonic308-35.consmr.mail.ne1.yahoo.com [66.163.187.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B15A3A0489 for <oauth@ietf.org>; Tue, 4 Jan 2022 05:53:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1641304392; bh=uNBnUpl/Gok/DwFvwb5HV6n1xDbMdi1JTy7xBI0dWgM=; h=Date:Subject:To:References:From:In-Reply-To:From:Subject:Reply-To; b=WaXLPQwAnrNWA4T5FTD7ucEX08C8yE3KHDbe5LQAglD2dgg0kro1xz6AyCt823UU82cVyQMjiG9gBF1AhdDVZ2Q3zShC2yBCSjB6JqyGorPWdJUmYwdPwO2vwixtx4WvRkiGfFmggEqFY2nloxVzsMqFoERQquo+iZ4adzCrW2Yero60YFdPzhMJR0nylP88Zr/srQcRxKF3aZW2RB8bdt9yaGmYrYEDzjlAUb4zxXSbJMoCuNkkhoVprDhj9rrRRd4KJErJVooqzJnQGdUf+r7quX+UGJGPj9L8uc/1nABDf2KT6BkTepQrUbLOxyH3Uhuhwr5W9jfhXhXnS1tCSA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1641304392; bh=zeMyr2aeoGgTbFsxrAEKXfuKQ4gWNz4bLmeJM5VJHuW=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=TmaI5CLoOqVktY47JPg+O9rqBLJXxO4hMluuNikaUG0+nrWxzxuburoZwZkF5wBZKZsfUANqY6uSREnkl+EOgKg8YixneWFu3i926coj9lOYQmPmXo9ATzi/lQ8SwoYNooeSwffkQizTeRfKBr+Hh2W0oVgSrk1eoZw053EQezPQBrKaEhafdyTkUyjQt33hVW+xm1N7HDnbFbpcJfYoa6XhC+YvOag82bC6fEF4zYYXZptIacw06dFPlvuFTadw+ByA/oprMtSp9oSRwS5peio8Y0z+Sh8B5AB1gb1tHx3soSJinXVsael0x0xSx9fijmYa/5tMbNq65t8eui49xQ==
X-YMail-OSG: QrVqkBcVM1lxCd_RpkCXK16TwNeQaLrN6UlRSchXs95o.WF0dTr9RIw7FweZZjd Qw6h6_C55Yrvc.RrwQdNBtxt_pJki_z9g.nGFCChRtqMocgFPIUwcrv.YEIGQi1Jhk8Lwb6gInKM uaZr2RTzmeErjCMpirItFZhRpIXuTv_NgPGijKbkZBQ8wUhbF6Yx3pCrMLs4IeY4sV61Hw.jXUeq PVvWdESUwwXfVS0YNAmn.J.JhzhwI3dAs5GWQDhQ8f0VvgpXBgWpF2zzvnvu2x5rgJEBxhuXlSLb oIrajxhbeN7CNNuzuH8CWuMRryL58GpbgHkAacsukyB2762RhlrED9lWF7sq5rZz03bx0UxNjcjy eM9Hxe1FKqfOH9xv5TmOYrBUscPzwSFviYVbW4UTCfMKkdx_3pG5a2fQCtZ6UqL0qQ4n0lWkgqUr TpanklUivA6wv2kWsynMTPvu3OvBKHl8YwDzfsH9exzvY8SiQtTdjPmmpi4ptnb_4B1TkwlusGV5 LiHs7vrsdJ2Fyb31I_ixkf5BR2WeuIHuK5aPsIqRqVvf8g2EFwzHaLQiWBGgvOKEQ72lbpLpAqJs w4BDIY2_ECR8cIxvcx7cOmydHMuOeonGlGK7ZDfgasGZSb6ANTV_B2xmduujCwxH7m2k_ebE3ahf .g0dbhDquhv4CnlciXlOWNmZ4hW7wSVIqdZD4k_b4G4DDYmTGiw7ph6sIr6k1oyk0T9GxcGffw7L GQsCd.HrF3Th_PV0ic.RUtDm3nV1Me8y8mhONtZCpQntX8r8FTiyLE66HZrbsrjqR4IqPzoTW1KZ vOvE5.VaPP1LfGDLdagwyb_LgOpTstUnXfGTlnPefpddWvkkKn1xFrJ.QIJuV2IcWuMPnqQwhxgh hiIxbPknBAkVEfp3Tv7xs0eF_VPK87cf2ELShKL8riU.i5TffA4PS.MQI8JXWb8CmdG59FV66GQ5 lwtH6iErQGZn3F2x2bmmo0I05ZF7III4Zxdo_F65CIuAxR2oS.dUfDbyXUk1KigFZNs1vqKSUY.V 7h_6GUHHPxP1fZb1YXWF8VU6bwGWih61KyKtqJ.HkygVV_lk3JvOtwxG.X2j1ZPep0Lq_o20tz9E eWNKxuHLx6.zv6KJT45pWUyZVn4iE46_Dg6AhGL_g.8ZC1BSnnA2ZPzq9_nAmKOGLuypknqVYLGY EAj7jgdAAH.wXrxWJbChwYvfNj.5EIzYH_P9ThFllQ2nA9uVw0BnV8YP7nNtfg00qLGq9Bp.MR6M Hb3QbEnasUY09D0RgUEYicUA2XhmiV2z1xZgYgG9cJ8419AG_iWSBT6rAU_t5I24iEX4R9ERa_SD LKLRok.Z0EJcGk8Fp.4htahaJ0tFJ.y_0Fy2ZdhKjqwKLKnagUsy8RgjDzeQ_XyA.FHfpJ.JP4uP ClmUYy8H3.T5Z_1O6QX8QvGf8NpRpak7ny83e10sMrWjDu97aFHFtI7VdNqh9OH_D3Hp3jeGj4AQ 3l7lNa9xucp8C4AXJ8y8h5FCoY3W3Ey9Cu.cSGE1mAaHmth2U5J9m2DKiNzq3XD_ZAFMKezdUIdH zH79oZX4zrooWsI4vYhCBd7NF2_JSCuJQnJizxNkjyxHJIpxiRjQ_XR6zWxx1uKCiUa7jis0VeXx P2ySrMKmkyArCoGoHo92MuYpSFXZkDkSM6NFrYIviPrEBHtOfe6iLi3_ZN4vitmB8oFo.J_yaP4Z dXbIktCMAvECTuFIacK5VE7Qo4hg3PlEjsscVo18ihFPnX6wFR.g54xlDXhxj.46xl_14Qg9lyyZ fIKbP47QM0vE.R5gixq1ynBGnrpOrGYexjamsVvuAWFDKFqTmrObHpVaTN6A1LYo9Pec.SY4bxwI zGbd1a.20cQa8D6n.eJsTJAX1zR2dsHifsKZeO7IARy8EGqY5Lt4dOU2Qz0ltqRDgzHm_we3TXGj f0wVR4UPHPZBBZ5sNOkiG2y37V71gHqwlyDHcLalUYqLT5R83bkI0huLXMMX8v4itHw4fZ4TW5AA w6_rPPZM6_PIFMvrmkemcABwpuakw2BE4.rGK4VD1H..MsXjEDob9yZEH_bokRpdsISD0qgoOAd8 mSMgrtXJFjrzf6vm9kQbzAcm9Q.CTtGRe5pDPWHxxayK6QnpyAl0R5n0Oz73HZjT1nvJm4_U1_mf 4GnqJ8kM8RBXSXCOaZR2RFUCgwwtXDUT99d9l30pXBgm_mLiSTxb3djqgQT2.PVtoxSQ-
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Tue, 4 Jan 2022 13:53:12 +0000
Received: by kubenode513.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 8c8e453806486251eb0cb1f4ac40248b; Tue, 04 Jan 2022 13:51:10 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------O78FUvBnKyztiGvEbm5BhwYD"
Message-ID: <b711bc01-9674-6072-d941-7e1ba8f8c9ec@aol.com>
Date: Tue, 04 Jan 2022 08:51:09 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Content-Language: en-US
To: Benjamin Häublein <Benjamin.Haeublein@cirosec.de>, "oauth@ietf.org" <oauth@ietf.org>
References: <AM7P192MB0819568B6CF315C3BC3A9B15E44A9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <AM7P192MB0819568B6CF315C3BC3A9B15E44A9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM>
X-Mailer: WebService/1.1.19306 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-b6Xw23HhJEP2w0YPLeckWqHKsQ>
Subject: Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 13:53:19 -0000
My guess is that for an Authorization Server that doesn't receive a 'code_challenge' and 'code_challenge_method' as part of the authorization request, they treat the request as a non-PKCE authorization request. Therefore when the 'code_verifier' is presented at the /token endpoint, the AS ignores the parameter because it doesn't consider the request to be a PKCE request. I can also see the AS returning an error regarding an "unexpected parameter" or "invalid request" error in this case. I agree with your recommendation for the AS to require specific clients to use PKCE and consider an authorization request without PKCE to be an error. Finally, I'm not sure a client that doesn't send the 'code_challenge' and 'code_challenge_method' on the authorization request but does send the 'code_verifier' on the token request should consider that the client has implemented PKCE correctly and hence can rely on it for CSRF. Thanks, George On 1/4/22 5:45 AM, Benjamin Häublein wrote: > > Hello everyone, > > I think RFC 7636 “Proof Key for Code Exchange by OAuth Public > Clients”, section 4.6. “Server Verifies code_verifier before Returning > the Tokens” leaves a tiny gap regarding the handling of verification > when no code challenge was present in the authorization request: > > Upon receipt of the request at the token endpoint, the server > > verifies it by calculating the code challenge from the received > > "code_verifier" and comparing it with the previously associated > > "code_challenge", after first transforming it according to the > > "code_challenge_method" method specified by the client. > > It is unspecified how the server should behave when “code_verifier” is > present, but “code_challenge” and “code_challenge_method” were not set > in the initial authorization request. > > The following example worked for three well-known authorization > servers where the client was configured in a way that PKCE could be > used, but was not enforced: > > Authorization Request: > > https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost > <https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost> > > Subsequent Token Request: > > POST /token HTTP/1.1 > Host: XXXX > Content-Length: 256 > > code=ZZZZ&grant_type=authorization_code&client_id=YYYY&redirect_uri=https%3A%2F%2Flocalhost&code_verifier=IqiCQGM06JEyW73AB3f3oblCQKHOorapyqHUcYRujuSikDJx8cvBQ0kmFmzW75uIfaSBtXQrRmwuk71WWO6ryCzahTcxBPYX > > As a result, an access token was issued although the code_verifier > provided in the token request did not match the code_challenge and > code_challenge_method in the authorization request. > > Many applications consider the usage of PKCE as enough protection from > Login-CSRF and do not use state or nonce (for example this blog entry > by Daniel Fett > https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/ > suggests, that neither state nor nonce are necessary when PKCE is > used). However, when the authorization server is not configured to > require a specific code_challenge_method from the client and the > authorization behaves as described in the example, PKCE does not > protect from Login-CSRF. > > I think the following mitigations are possible: > > * Enforce usage of PKCE in the client configuration in the > Authorization Server > * Implementation of the authorization server returns an error in the > Access Token Response when code_verifier is present in the token > request, but no code_challenge and code_challenge_method is > present in the authorization request. > * Additionally, when the behavior of an AS is correct (verification > of code_verifier fails when no code_challenge was present), a > client that relies on PKCE for CSRF protection must always include > a code_verifier parameter in the token request (even if no > code_verifier is present on the client side). > > Best regards, > > Benjamin Häublein > Senior Consultant > > cirosec GmbH > Ferdinand-Braun-Strasse 4 > 74074 Heilbronn > Germany > Phone: +49 (7131) 59455-74 > Fax: +49 (7131) 59455-99 > Mobile: +49 (151) 122414-74 > www.cirosec.de > > HRB Stuttgart 107883 > CEO Stefan Strobel, CFO Peter Lips > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Edge case in RFC 7636, Server Verifies… Benjamin Häublein
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… George Fletcher
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Daniel Fett
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Benjamin Häublein
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Warren Parad
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Benjamin Häublein
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Christopher Burroughs
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Warren Parad
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… George Fletcher
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Thomas Broyer