Re: [OAUTH-WG] First Draft of OAuth 2.1

Aaron Parecki <aaron@parecki.com> Thu, 12 March 2020 21:03 UTC

References: <CAGBSGjr5L5sNoexzOgipkVVewNL+DypSo5S8bkai8PuJ61GB+Q@mail.gmail.com> <D292892C-D0EB-42A8-B5BD-372227EB3728@lodderstedt.net>
In-Reply-To: <D292892C-D0EB-42A8-B5BD-372227EB3728@lodderstedt.net>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 12 Mar 2020 14:03:18 -0700
Message-ID: <CAGBSGjotot2h2GPx+QBgsn_u_O50gTV7isb0F1dnSGeC1TdaGA@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Pedro Igor Craveiro e Silva <pigor.craveiro@gmail.com>, OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/42leNO6U_qwUWBN5YqyS_R1CSeU>
Subject: Re: [OAUTH-WG] First Draft of OAuth 2.1

> The Security BCP recommends S256.

Is a recommendation enough to change the default? That's definitely a
normative change from PKCE. I could be convinced either way, but it
would be the first place that 2.1 deviates from the combination of the
RFCs and BCPs.

----
Aaron Parecki
aaronparecki.com
@aaronpk

On Thu, Mar 12, 2020 at 2:01 PM Torsten Lodderstedt
<torsten@lodderstedt.net> wrote:
>
>
>
> > Am 12.03.2020 um 21:59 schrieb Aaron Parecki <aaron@parecki.com>:
> >
> >
> > One of the goals of this draft was to consolidate the information
> > available in the related extensions and BCPs, not actually define
> > anything new itself. This behavior described would be different from
> > what is described in PKCE. If this is a good idea to change the
> > default, then that should be included in the Security BCP and brought
> > into 2.1 from there.
>
> The Security BCP recommends S256.
>
> >
> > ----
> > Aaron Parecki
> > aaronparecki.com
> > @aaronpk
> >
> >> On Thu, Mar 12, 2020 at 12:22 PM Pedro Igor Craveiro e Silva
> >> <pigor.craveiro@gmail.com> wrote:
> >>
> >> Hi Aaron,
> >>
> >> In regards to `code_challenge_method` parameter in authorization requests. Wouldn't make more sense to have the default value as `S256` based on the statement in Section `4.1.1.2.  Client Creates the PKCE Code Challenge` that says that `S256` is MTI on the server?
> >>
> >> So you have `plain` as a special case for clients not able to support a more strong code challenge?
> >>
> >> Regards.
> >> Pedro Igor
> >>
> >>> On Wed, Mar 11, 2020 at 9:29 PM Aaron Parecki <aaron@parecki.com> wrote:
> >>>
> >>> I'm happy to share that Dick and Torsten and I have published a first
> >>> draft of OAuth 2.1. We've taken the feedback from the discussions on
> >>> the list and incorporated that into the draft.
> >>>
> >>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01
> >>>
> >>> A summary of the differences between this draft and OAuth 2.0 can be
> >>> found in section 12, and I've copied them here below.
> >>>
> >>>> This draft consolidates the functionality in OAuth 2.0 (RFC6749),
> >>>> OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange
> >>>> (RFC7636), OAuth 2.0 for Browser-Based Apps
> >>>> (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current
> >>>> Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage
> >>>> (RFC6750).
> >>>>
> >>>>  Where a later draft updates or obsoletes functionality found in the
> >>>>  original [RFC6749], that functionality in this draft is updated with
> >>>>  the normative changes described in a later draft, or removed
> >>>>  entirely.
> >>>>
> >>>>  A non-normative list of changes from OAuth 2.0 is listed below:
> >>>>
> >>>>  *  The authorization code grant is extended with the functionality
> >>>>     from PKCE ([RFC7636]) such that the only method of using the
> >>>>     authorization code grant according to this specification requires
> >>>>     the addition of the PKCE mechanism
> >>>>
> >>>>  *  Redirect URIs must be compared using exact string matching as per
> >>>>     Section 4.1.3 of [I-D.ietf-oauth-security-topics]
> >>>>
> >>>>  *  The Implicit grant ("response_type=token") is omitted from this
> >>>>     specification as per Section 2.1.2 of
> >>>>     [I-D.ietf-oauth-security-topics]
> >>>>
> >>>>  *  The Resource Owner Password Credentials grant is omitted from this
> >>>>     specification as per Section 2.4 of
> >>>>     [I-D.ietf-oauth-security-topics]
> >>>>
> >>>>  *  Bearer token usage omits the use of bearer tokens in the query
> >>>>     string of URIs as per Section 4.3.2 of
> >>>>     [I-D.ietf-oauth-security-topics]
> >>>>
> >>>>  *  Refresh tokens must either be sender-constrained or one-time use
> >>>>     as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]
> >>>
> >>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12
> >>>
> >>> I'm excited for the direction this is taking, and it has been a
> >>> pleasure working with Dick and Torsten on this so far. My hope is that
> >>> this first draft can serve as a good starting point for our future
> >>> discussions!
> >>>
> >>> ----
> >>> Aaron Parecki
> >>> aaronparecki.com
> >>> @aaronpk
> >>>
> >>> P.S. This notice was also posted at
> >>> https://aaronparecki.com/2020/03/11/14/oauth-2-1
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >
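To make the point under discussion concrete, here is an added example (not code from the draft or from anyone in the thread) of PKCE as RFC 7636 specifies it: the client-side derivation of `code_challenge` for both `S256` and `plain`, the server-side resolution of `code_challenge_method` with RFC 7636's `plain` default, an `allow_plain` policy switch (an assumed server option, not a spec parameter) for an AS that prefers `S256` as the Security BCP recommends, and the token-endpoint verification step.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not part of the OAuth 2.1 draft or the thread above.
RFC7636_DEFAULT_METHOD = "plain"   # RFC 7636 4.3: absent parameter means "plain"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43-character verifier from 32 random bytes (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    """Client side: derive code_challenge from code_verifier (section 4.2)."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier          # the challenge is the verifier itself
    raise ValueError(f"unknown code_challenge_method: {method}")


def resolve_method(params: dict, allow_plain: bool = True) -> str:
    """Server side: pick the method for an authorization request.

    RFC 7636 defaults to "plain" when the parameter is absent. allow_plain
    is an assumed policy switch for an AS that only accepts S256, which is
    the default/policy question the thread is debating.
    """
    method = params.get("code_challenge_method", RFC7636_DEFAULT_METHOD)
    if method == "plain" and not allow_plain:
        raise ValueError("code_challenge_method=plain not accepted")
    return method


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Token endpoint check (section 4.6): recompute and compare."""
    expected = code_challenge(presented_verifier, stored_method)
    return hmac.compare_digest(expected, stored_challenge)
```

The S256 path reproduces the RFC 7636 Appendix B test vector, so it can be checked against the spec directly.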