IETF Logo Mail Archive

Re: [OAUTH-WG] How to enforce PKCE in authorization servers with a mix OAuth 2.0 and 2.1 clients?

Vladimir Dzhuvinov <vladimir@connect2id.com> Mon, 10 October 2022 15:15 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62699C14F74C for <oauth@ietfa.amsl.com>; Mon, 10 Oct 2022 08:15:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=connect2id.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pl8McW0CGrkX for <oauth@ietfa.amsl.com>; Mon, 10 Oct 2022 08:14:58 -0700 (PDT)
Received: from mout-b-206.mailbox.org (mout-b-206.mailbox.org [IPv6:2001:67c:2050:102:465::206]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18F0DC14CF16 for <oauth@ietf.org>; Mon, 10 Oct 2022 08:14:57 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-206.mailbox.org (Postfix) with ESMTPS id 4MmMsR45BPz9smT; Mon, 10 Oct 2022 17:14:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=connect2id.com; s=MBO0001; t=1665414891; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=5XJLrnXk6xWmXbpnh3q3Dw0V+64DgN7/77i8MM0TgYg=; b=UQ0MT1QTfl9WtDajVZChyWj4ljZSPtAlOKMLsklURWR0cmjneW2i7TYXCseEShwXN7DdZe VqFsoPmvXqndEeQ/tDz24UrOrhoXd3pxVzEQQcC/BrsRLHxBtMWZGVVQHcxrrYABm2z8mv 6mSO2SX6hTRg8wSe3ePYxhopUxh7jiL+zjCWvZrKK8OA8V1Ru4/DM3Yqtih8L+DF9qWkZb hQ+PuJqSMEbNsUgicROuSETe9nFpGuP3QT33/FpeYhtDGqpWcjZrhVNy6fUnbiyqletMGI 2BC6LNzHc+0ReiQR+rkZDqTsMKqICgc2GjGXv6e59iykTOZyBUYCX1Kb1zwTtw==
Message-ID: <a3669eaf-a29c-90a7-ce74-8e9e796653f1@connect2id.com>
Date: Mon, 10 Oct 2022 18:11:57 +0300
MIME-Version: 1.0
Content-Language: en-US
To: Dima Postnikov <dima@postnikov.net>
Cc: oauth@ietf.org
References: <ba1a5680-616c-bfe1-46b7-899acbb180bf@connect2id.com> <CAEMK1uZzsx6a-EHuBuPMomTLdDE798jcBaWNTABzERnLVuM6Qw@mail.gmail.com> <227a5b14-5017-2f55-737a-74b94165b1c0@connect2id.com> <CAEMK1uZXPHJueuiOK3m6wBFsTafoe5UQ2mr=FxK4kD2jMVdQnw@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
In-Reply-To: <CAEMK1uZXPHJueuiOK3m6wBFsTafoe5UQ2mr=FxK4kD2jMVdQnw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms050700020501020605090509"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/53Pqymxw5oVQUDmhR5He1_o6Luw>
Subject: Re: [OAUTH-WG] How to enforce PKCE in authorization servers with a mix OAuth 2.0 and 2.1 clients?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 15:15:02 -0000

Hi Dima,

A published RFC cannot be extended to specify new things, only have 
errata added it. The OAuth 2.1 spec is still a draft in the works.

What do you think is a suitable default value for a 
code_challenge_method client reg parameter?

 From the perspective of an OAuth 2.0 deployment it could be none (i.e. 
no PKCE) or S256, in the latter case a client will need to explicitly 
opt out of it, but how exactly?

 From the perspective of an OAuth 2.1 deployment it would be S256.



Vladimir Dzhuvinov

On 09/10/2022 02:33, Dima Postnikov wrote:
> Hi Vladimir.
>
> Client registration parameter sounds like a good idea to me.
>
> In terms of which document this goes to.... I wonder if PKCE RFC7636 
> could be updated to add this. This way ecosystems using PKCE in OAuth 
> 2.0 could benefit from this too.
>
> Thanks
>
> Dima
>
>
> On Sat, Oct 8, 2022 at 9:27 PM Vladimir Dzhuvinov 
> <vladimir@connect2id.com> wrote:
>
>     Thanks for chiming in Dima.
>
>     Do you reckon it's a good idea to define a code_challenge_method
>     client reg parameter in the OAuth 2.1 spec?
>
>     To enable 2.0 -> 2.1 transitions and also give people a concrete
>     and standard compliant way to implement the "REQUIRED or
>     RECOMMENDED" in the OAuth 2.1 spec for code_challenge.
>
>     Another spec that deals with PKCE is the OAuth BCP, but to me
>     that's not a optimal place to define a new parameter.
>
>
>     Vladimir Dzhuvinov
>
>
>     On 08/10/2022 04:31, Dima Postnikov wrote:
>>     Hi Vladimir,
>>
>>     Similar issue exists in CDR (Australian Open Banking). PAR and
>>     PKCE was added as mandatory to FAPI 1 Advanced profile.
>>
>>     There was a transition period when AS had to support both
>>     (potentially).
>>
>>     Also if the same AS is used outside of CDR, this dual support
>>     would continue for some implementations.
>>
>>     I don't think this was solved, so your client registration
>>     parameter makes sense.
>>
>>
>>
>>     On Wed, Oct 5, 2022 at 5:43 PM Vladimir Dzhuvinov
>>     <vladimir@connect2id.com> wrote:
>>
>>         Has anyone faced the issue how an AS can handle a mix of
>>         OAuth 2.0 and
>>         2.1 clients regarding PKCE enforcement?
>>
>>         The new OAuth 2.1 spec makes PKCE required, which is a good
>>         security
>>         measure and fine for an AS where all clients are ready to
>>         comply with
>>         the upgrade. In practice however, it's common for AS
>>         deployments to have
>>         a mix of legacy 2.0 and 2.1 clients, and at present OAuth
>>         doesn't have a
>>         standard client registration parameter, e.g.
>>         code_challenge_method, to
>>         lock a client into using PKCE.
>>
>>         https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-02#section-4.1.1
>>
>>         RFC 8414 defined the code_challenge_methods_supported
>>         metadata for
>>         servers. It would be useful if deployments had a
>>         corresponding parameter
>>         for the clients.
>>
>>         https://www.rfc-editor.org/rfc/rfc8414
>>
>>         ~ Vladimir
>>
>>         -- 
>>         Vladimir Dzhuvinov
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org
>>         https://www.ietf.org/mailman/listinfo/oauth
>>

v2.23.0 | Report a Bug | By Email