[OAUTH-WG] Authorization code reuse and OAuth 2.1

Mike Jones <Michael.Jones@microsoft.com> Wed, 13 October 2021 17:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/D9kiksQhTQ70hnbBUUBkA6weFeA>

During today's call, it was asked whether we should drop the OAuth 2.0 language that:
         "The client MUST NOT use the authorization code
         more than once.  If an authorization code is used more than
         once, the authorization server MUST deny the request and SHOULD
         revoke (when possible) all tokens previously issued based on
         that authorization code."

The rationale given was that enforcing one-time use is impractical in distributed authorization server deployments.

Thinking about this some more, at most, we should relax this to:
         "The client MUST NOT use the authorization code
         more than once.  If an authorization code is used more than
         once, the authorization server SHOULD deny the request and SHOULD
         revoke (when possible) all tokens previously issued based on
         that authorization code."

In short, it should remain illegal for the client to try to reuse the authorization code.  We can relax the MUST to SHOULD in the server requirements in recognition of the difficulty of enforcing the MUST.

Code reuse is part of some attack scenarios.  We must not sanction it.

                                                          -- Mike
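As an added illustration of the server behaviour the quoted text requires (this is example code, not part of Mike's message or any WG draft), a toy token endpoint that redeems a code once and, on a second presentation, denies the request and revokes the token it issued the first time. The class, method names and the in-memory dict are assumptions standing in for a real code store.

```python
# Added example (not from the message or any WG draft): a toy token endpoint showing
# the server-side handling of authorization-code reuse that the quoted text requires.
# The dict stands in for a code store; in a distributed AS the "redeemed" flip would
# need an atomic compare-and-set so that concurrent exchanges cannot both succeed.
import secrets
from dataclasses import dataclass, field


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    redeemed: bool = False
    issued_tokens: list = field(default_factory=list)


class AuthorizationServer:
    def __init__(self):
        self._codes = {}            # code -> CodeRecord
        self._active_tokens = set()

    def issue_code(self, client_id, redirect_uri):
        """Authorization endpoint: mint a single-use code bound to client and redirect URI."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri)
        return code

    def exchange_code(self, code, client_id, redirect_uri):
        """Token endpoint: redeem a code, or deny and revoke on reuse (RFC 6749 s4.1.2)."""
        rec = self._codes.get(code)
        if rec is None or rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        if rec.redeemed:
            # Reuse detected: deny, and revoke every token previously issued on this code,
            # so whichever party obtained the first token (client or interceptor) loses it.
            for tok in rec.issued_tokens:
                self._active_tokens.discard(tok)
            rec.issued_tokens.clear()
            return {"error": "invalid_grant"}
        rec.redeemed = True
        token = secrets.token_urlsafe(32)
        rec.issued_tokens.append(token)
        self._active_tokens.add(token)
        return {"access_token": token, "token_type": "Bearer"}

    def is_token_active(self, token):
        """Resource-server side check (stand-in for token introspection)."""
        return token in self._active_tokens
```

With the MUST relaxed to SHOULD as proposed, a distributed deployment that cannot guarantee the atomic check may let a racing second exchange through, but the client-side MUST NOT stays intact.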