IETF Logo Mail Archive

Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF

George Fletcher <gffletch@aol.com> Tue, 04 January 2022 13:53 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42DB53A1C84 for <oauth@ietfa.amsl.com>; Tue, 4 Jan 2022 05:53:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.714, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iUSthehYvM_K for <oauth@ietfa.amsl.com>; Tue, 4 Jan 2022 05:53:15 -0800 (PST)
Received: from sonic308-35.consmr.mail.ne1.yahoo.com (sonic308-35.consmr.mail.ne1.yahoo.com [66.163.187.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B15A3A0489 for <oauth@ietf.org>; Tue, 4 Jan 2022 05:53:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1641304392; bh=uNBnUpl/Gok/DwFvwb5HV6n1xDbMdi1JTy7xBI0dWgM=; h=Date:Subject:To:References:From:In-Reply-To:From:Subject:Reply-To; b=WaXLPQwAnrNWA4T5FTD7ucEX08C8yE3KHDbe5LQAglD2dgg0kro1xz6AyCt823UU82cVyQMjiG9gBF1AhdDVZ2Q3zShC2yBCSjB6JqyGorPWdJUmYwdPwO2vwixtx4WvRkiGfFmggEqFY2nloxVzsMqFoERQquo+iZ4adzCrW2Yero60YFdPzhMJR0nylP88Zr/srQcRxKF3aZW2RB8bdt9yaGmYrYEDzjlAUb4zxXSbJMoCuNkkhoVprDhj9rrRRd4KJErJVooqzJnQGdUf+r7quX+UGJGPj9L8uc/1nABDf2KT6BkTepQrUbLOxyH3Uhuhwr5W9jfhXhXnS1tCSA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1641304392; bh=zeMyr2aeoGgTbFsxrAEKXfuKQ4gWNz4bLmeJM5VJHuW=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=TmaI5CLoOqVktY47JPg+O9rqBLJXxO4hMluuNikaUG0+nrWxzxuburoZwZkF5wBZKZsfUANqY6uSREnkl+EOgKg8YixneWFu3i926coj9lOYQmPmXo9ATzi/lQ8SwoYNooeSwffkQizTeRfKBr+Hh2W0oVgSrk1eoZw053EQezPQBrKaEhafdyTkUyjQt33hVW+xm1N7HDnbFbpcJfYoa6XhC+YvOag82bC6fEF4zYYXZptIacw06dFPlvuFTadw+ByA/oprMtSp9oSRwS5peio8Y0z+Sh8B5AB1gb1tHx3soSJinXVsael0x0xSx9fijmYa/5tMbNq65t8eui49xQ==
X-YMail-OSG: QrVqkBcVM1lxCd_RpkCXK16TwNeQaLrN6UlRSchXs95o.WF0dTr9RIw7FweZZjd Qw6h6_C55Yrvc.RrwQdNBtxt_pJki_z9g.nGFCChRtqMocgFPIUwcrv.YEIGQi1Jhk8Lwb6gInKM uaZr2RTzmeErjCMpirItFZhRpIXuTv_NgPGijKbkZBQ8wUhbF6Yx3pCrMLs4IeY4sV61Hw.jXUeq PVvWdESUwwXfVS0YNAmn.J.JhzhwI3dAs5GWQDhQ8f0VvgpXBgWpF2zzvnvu2x5rgJEBxhuXlSLb oIrajxhbeN7CNNuzuH8CWuMRryL58GpbgHkAacsukyB2762RhlrED9lWF7sq5rZz03bx0UxNjcjy eM9Hxe1FKqfOH9xv5TmOYrBUscPzwSFviYVbW4UTCfMKkdx_3pG5a2fQCtZ6UqL0qQ4n0lWkgqUr TpanklUivA6wv2kWsynMTPvu3OvBKHl8YwDzfsH9exzvY8SiQtTdjPmmpi4ptnb_4B1TkwlusGV5 LiHs7vrsdJ2Fyb31I_ixkf5BR2WeuIHuK5aPsIqRqVvf8g2EFwzHaLQiWBGgvOKEQ72lbpLpAqJs w4BDIY2_ECR8cIxvcx7cOmydHMuOeonGlGK7ZDfgasGZSb6ANTV_B2xmduujCwxH7m2k_ebE3ahf .g0dbhDquhv4CnlciXlOWNmZ4hW7wSVIqdZD4k_b4G4DDYmTGiw7ph6sIr6k1oyk0T9GxcGffw7L GQsCd.HrF3Th_PV0ic.RUtDm3nV1Me8y8mhONtZCpQntX8r8FTiyLE66HZrbsrjqR4IqPzoTW1KZ vOvE5.VaPP1LfGDLdagwyb_LgOpTstUnXfGTlnPefpddWvkkKn1xFrJ.QIJuV2IcWuMPnqQwhxgh hiIxbPknBAkVEfp3Tv7xs0eF_VPK87cf2ELShKL8riU.i5TffA4PS.MQI8JXWb8CmdG59FV66GQ5 lwtH6iErQGZn3F2x2bmmo0I05ZF7III4Zxdo_F65CIuAxR2oS.dUfDbyXUk1KigFZNs1vqKSUY.V 7h_6GUHHPxP1fZb1YXWF8VU6bwGWih61KyKtqJ.HkygVV_lk3JvOtwxG.X2j1ZPep0Lq_o20tz9E eWNKxuHLx6.zv6KJT45pWUyZVn4iE46_Dg6AhGL_g.8ZC1BSnnA2ZPzq9_nAmKOGLuypknqVYLGY EAj7jgdAAH.wXrxWJbChwYvfNj.5EIzYH_P9ThFllQ2nA9uVw0BnV8YP7nNtfg00qLGq9Bp.MR6M Hb3QbEnasUY09D0RgUEYicUA2XhmiV2z1xZgYgG9cJ8419AG_iWSBT6rAU_t5I24iEX4R9ERa_SD LKLRok.Z0EJcGk8Fp.4htahaJ0tFJ.y_0Fy2ZdhKjqwKLKnagUsy8RgjDzeQ_XyA.FHfpJ.JP4uP ClmUYy8H3.T5Z_1O6QX8QvGf8NpRpak7ny83e10sMrWjDu97aFHFtI7VdNqh9OH_D3Hp3jeGj4AQ 3l7lNa9xucp8C4AXJ8y8h5FCoY3W3Ey9Cu.cSGE1mAaHmth2U5J9m2DKiNzq3XD_ZAFMKezdUIdH zH79oZX4zrooWsI4vYhCBd7NF2_JSCuJQnJizxNkjyxHJIpxiRjQ_XR6zWxx1uKCiUa7jis0VeXx P2ySrMKmkyArCoGoHo92MuYpSFXZkDkSM6NFrYIviPrEBHtOfe6iLi3_ZN4vitmB8oFo.J_yaP4Z dXbIktCMAvECTuFIacK5VE7Qo4hg3PlEjsscVo18ihFPnX6wFR.g54xlDXhxj.46xl_14Qg9lyyZ fIKbP47QM0vE.R5gixq1ynBGnrpOrGYexjamsVvuAWFDKFqTmrObHpVaTN6A1LYo9Pec.SY4bxwI zGbd1a.20cQa8D6n.eJsTJAX1zR2dsHifsKZeO7IARy8EGqY5Lt4dOU2Qz0ltqRDgzHm_we3TXGj f0wVR4UPHPZBBZ5sNOkiG2y37V71gHqwlyDHcLalUYqLT5R83bkI0huLXMMX8v4itHw4fZ4TW5AA w6_rPPZM6_PIFMvrmkemcABwpuakw2BE4.rGK4VD1H..MsXjEDob9yZEH_bokRpdsISD0qgoOAd8 mSMgrtXJFjrzf6vm9kQbzAcm9Q.CTtGRe5pDPWHxxayK6QnpyAl0R5n0Oz73HZjT1nvJm4_U1_mf 4GnqJ8kM8RBXSXCOaZR2RFUCgwwtXDUT99d9l30pXBgm_mLiSTxb3djqgQT2.PVtoxSQ-
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Tue, 4 Jan 2022 13:53:12 +0000
Received: by kubenode513.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 8c8e453806486251eb0cb1f4ac40248b; Tue, 04 Jan 2022 13:51:10 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------O78FUvBnKyztiGvEbm5BhwYD"
Message-ID: <b711bc01-9674-6072-d941-7e1ba8f8c9ec@aol.com>
Date: Tue, 04 Jan 2022 08:51:09 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Content-Language: en-US
To: Benjamin Häublein <Benjamin.Haeublein@cirosec.de>, "oauth@ietf.org" <oauth@ietf.org>
References: <AM7P192MB0819568B6CF315C3BC3A9B15E44A9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <AM7P192MB0819568B6CF315C3BC3A9B15E44A9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM>
X-Mailer: WebService/1.1.19306 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-b6Xw23HhJEP2w0YPLeckWqHKsQ>
Subject: Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 13:53:19 -0000

My guess is that for an Authorization Server that doesn't receive a 
'code_challenge' and 'code_challenge_method' as part of the 
authorization request, they treat the request as a non-PKCE 
authorization request. Therefore when the 'code_verifier' is presented 
at the /token endpoint, the AS ignores the parameter because it doesn't 
consider the request to be a PKCE request. I can also see the AS 
returning an error regarding an "unexpected parameter" or "invalid 
request" error in this case.

I agree with your recommendation for the AS to require specific clients 
to use PKCE and consider an authorization request without PKCE to be an 
error.

Finally, I'm not sure a client that doesn't send the 'code_challenge' 
and 'code_challenge_method' on the authorization request but does send 
the 'code_verifier' on the token request should consider that the client 
has implemented PKCE correctly and hence can rely on it for CSRF.

Thanks,
George


On 1/4/22 5:45 AM, Benjamin Häublein wrote:
>
> Hello everyone,
>
> I think RFC 7636 “Proof Key for Code Exchange by OAuth Public 
> Clients”, section 4.6. “Server Verifies code_verifier before Returning 
> the Tokens” leaves a tiny gap regarding the handling of verification 
> when no code challenge was present in the authorization request:
>
> Upon receipt of the request at the token endpoint, the server
>
> verifies it by calculating the code challenge from the received
>
> "code_verifier" and comparing it with the previously associated
>
> "code_challenge", after first transforming it according to the
>
> "code_challenge_method" method specified by the client.
>
> It is unspecified how the server should behave when “code_verifier” is 
> present, but “code_challenge” and “code_challenge_method” were not set 
> in the initial authorization request.
>
> The following example worked for three well-known authorization 
> servers where the client was configured in a way that PKCE could be 
> used, but was not enforced:
>
> Authorization Request:
>
> https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost 
> <https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost>
>
> Subsequent Token Request:
>
> POST /token HTTP/1.1
> Host: XXXX
> Content-Length: 256
>
> code=ZZZZ&grant_type=authorization_code&client_id=YYYY&redirect_uri=https%3A%2F%2Flocalhost&code_verifier=IqiCQGM06JEyW73AB3f3oblCQKHOorapyqHUcYRujuSikDJx8cvBQ0kmFmzW75uIfaSBtXQrRmwuk71WWO6ryCzahTcxBPYX
>
> As a result, an access token was issued although the code_verifier 
> provided in the token request did not match the code_challenge and 
> code_challenge_method in the authorization request.
>
> Many applications consider the usage of PKCE as enough protection from 
> Login-CSRF and do not use state or nonce (for example this blog entry 
> by Daniel Fett 
> https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/ 
> suggests, that neither state nor nonce are necessary when PKCE is 
> used). However, when the authorization server is not configured to 
> require a specific code_challenge_method from the client and the 
> authorization behaves as described in the example, PKCE does not 
> protect from Login-CSRF.
>
> I think the following mitigations are possible:
>
>   * Enforce usage of PKCE in the client configuration in the
>     Authorization Server
>   * Implementation of the authorization server returns an error in the
>     Access Token Response when code_verifier is present in the token
>     request, but no code_challenge and code_challenge_method is
>     present in the authorization request.
>   * Additionally, when the behavior of an AS is correct (verification
>     of code_verifier fails when no code_challenge was present), a
>     client that relies on PKCE for CSRF protection must always include
>     a code_verifier parameter in the token request (even if no
>     code_verifier is present on the client side).
>
> Best regards,
>
> Benjamin Häublein
> Senior Consultant
>
> cirosec GmbH
> Ferdinand-Braun-Strasse 4
> 74074 Heilbronn
> Germany
> Phone: +49 (7131) 59455-74
> Fax: +49 (7131) 59455-99
> Mobile: +49 (151) 122414-74
> www.cirosec.de
>
> HRB Stuttgart 107883
> CEO Stefan Strobel, CFO Peter Lips
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email