[OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)
William Denniss <wdenniss@google.com> Tue, 19 January 2016 05:46 UTC
This month we rolled out full PKCE (RFC7636) support on our OAuth endpoints. We'd previously implemented an earlier draft but were not conformant to the final spec when it was published – now we are. Both "plain" and "S256" transforms are supported.

As always, get the latest endpoints from our discovery document: https://accounts.google.com/.well-known/openid-configuration

If you give it a spin, let me know how you go! The team monitors the Stack Overflow google-oauth <http://stackoverflow.com/questions/tagged/google-oauth> tag too, for any implementation questions.

I'm keen to know what we should be putting in our discovery doc to declare PKCE support (see the thread "Advertise PKCE support in OAuth 2.0 Discovery"), hope we can agree on that soon.

One implementation detail not covered in the spec: we error if you send code_verifier to the token endpoint when exchanging a code that was issued without a code_challenge being present. The assumption being that if you are sending code_verifier on the token exchange, you are using PKCE and should have sent code_challenge on the authorization request, so something is amiss.

William
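As an added illustration (not Google's code, not part of the original post), here is a token-endpoint PKCE check in Python covering both RFC 7636 transforms and the behaviour William describes: a `code_verifier` presented for a code that was issued without a `code_challenge` is rejected instead of ignored. The shape of the `issued_code` record and the choice of OAuth error strings are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 base64url chars, the RFC 7636 minimum length."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def verify_pkce(issued_code: dict, code_verifier: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Token-endpoint check at code exchange time.

    issued_code is the server's stored record for the authorization code (assumed
    layout): {"code_challenge": ..., "code_challenge_method": ...}, both absent when
    the authorization request carried no PKCE parameters. Returns (ok, oauth_error).
    """
    challenge = issued_code.get("code_challenge")
    method = issued_code.get("code_challenge_method", "plain")  # RFC 7636 default

    if challenge is None:
        # The behaviour described in the post: a verifier for a code issued without a
        # challenge means the client believes it is using PKCE but the challenge never
        # reached the authorization endpoint, so fail the exchange rather than ignore it.
        return (False, "invalid_grant") if code_verifier is not None else (True, None)

    if code_verifier is None:
        return False, "invalid_grant"  # challenge was bound to the code, verifier required
    if not 43 <= len(code_verifier) <= 128:
        return False, "invalid_grant"  # RFC 7636 section 4.1 length bounds

    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False, "invalid_request"  # unknown transform recorded for this code

    # Constant-time comparison so verifier guessing gets no timing side channel
    if not hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii")):
        return False, "invalid_grant"
    return True, None
```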