[OAUTH-WG] Ambiguity in draft-ietf-oauth-v2-1-08 when code_challenge is omitted

M Hickford <mirth.hickford@gmail.com> Wed, 05 April 2023 07:02 UTC

From: M Hickford <mirth.hickford@gmail.com>
Date: Wed, 05 Apr 2023 08:00:00 +0100
Message-ID: <CAGJzqskHFRUXo304+ySV6AG6SdZ8aitC=-cVThDm+t93rH2WGw@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/H1GHfiqtQ0pJoYKmF4J3RZhmasw>

https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-countermeasures-2
says

> To prevent injection of authorization codes into the client, using code_challenge and code_verifier is REQUIRED for clients, and authorization servers MUST enforce their use unless both of the following criteria are met...

Suppose a client (that doesn't meet the exception criteria) omits
code_challenge in an authorization request. Must the authorization
server reject it? "Enforce their use" is unclear to me. It could
mean "if populated, enforce that they are used correctly" (weaker) or
"enforce that they are populated AND used correctly" (stronger).
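The two readings above differ only in what the authorization endpoint does when code_challenge is absent; the token endpoint's verifier check is the same either way. The following is an added illustration (not code from the draft, the poster, or any OAuth implementation) of a minimal in-memory authorization server with a hypothetical `pkce_policy` switch: "strong" rejects a request lacking code_challenge unless the client is on a constructed `exempt_clients` list, while "weak" only verifies PKCE when a challenge was supplied. The S256 transform follows RFC 7636; the client ids, the storage dict, and the `exchange_outcomes` helper are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 S256)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-character high-entropy verifier: 32 random bytes, base64url, no padding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


@dataclass
class AuthorizationServer:
    # Hypothetical switch for the two readings of "enforce their use":
    #   "strong": a request without code_challenge is rejected unless the client is exempt
    #   "weak":   code_challenge is optional; PKCE is verified only if it was supplied
    pkce_policy: str = "strong"
    # Constructed set of client_ids the operator has judged to meet the exception criteria.
    exempt_clients: set = field(default_factory=set)
    _issued: dict = field(default_factory=dict)  # code -> record; stand-in for real storage

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: returns an authorization code or raises ValueError."""
        if code_challenge is None:
            if self.pkce_policy == "strong" and client_id not in self.exempt_clients:
                raise ValueError("invalid_request: code_challenge is required")
        else:
            if code_challenge_method != "S256":
                raise ValueError("invalid_request: only S256 is accepted")
            if len(code_challenge) != 43:  # base64url of a 32-byte digest
                raise ValueError("invalid_request: malformed code_challenge")
        code = secrets.token_urlsafe(32)
        self._issued[code] = {"client_id": client_id, "code_challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str] = None) -> dict:
        """Token endpoint: binds the code to the client and, if PKCE was started, to the verifier."""
        record = self._issued.pop(code, None)  # authorization codes are single-use
        if record is None or record["client_id"] != client_id:
            raise ValueError("invalid_grant: unknown code or wrong client")
        expected = record["code_challenge"]
        if expected is not None:
            if code_verifier is None:
                raise ValueError("invalid_grant: code_verifier is required")
            if not secrets.compare_digest(s256_challenge(code_verifier), expected):
                raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def exchange_outcomes(policy: str) -> dict:
    """Run three flows under one policy and report how each ends, to compare the two readings."""
    server = AuthorizationServer(pkce_policy=policy)
    outcomes = {}
    try:
        server.authorize("app")  # code_challenge omitted by a non-exempt client
        outcomes["omitted_challenge"] = "code_issued"
    except ValueError:
        outcomes["omitted_challenge"] = "rejected"
    verifier = new_code_verifier()
    code = server.authorize("app", code_challenge=s256_challenge(verifier))
    outcomes["correct_verifier"] = "token" if server.token("app", code, verifier) else "error"
    code = server.authorize("app", code_challenge=s256_challenge(verifier))
    try:
        server.token("app", code, new_code_verifier())  # a verifier that does not match
        outcomes["wrong_verifier"] = "token"
    except ValueError:
        outcomes["wrong_verifier"] = "rejected"
    return outcomes


if __name__ == "__main__":
    for policy in ("strong", "weak"):
        print(policy, exchange_outcomes(policy))
```

Under the "strong" reading the omitted-challenge request never yields a code; under the "weak" reading it does, and the resulting code carries no verifier binding at all, which is exactly the gap an explicit rejection at the authorization endpoint closes. Both policies still reject a mismatched verifier once a challenge has been recorded.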