Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
Warren Parad <wparad@rhosys.ch> Wed, 05 January 2022 12:44 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 082A83A011B for <oauth@ietfa.amsl.com>; Wed, 5 Jan 2022 04:44:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LOn08D9HDcMx for <oauth@ietfa.amsl.com>; Wed, 5 Jan 2022 04:44:09 -0800 (PST)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A62593A0115 for <oauth@ietf.org>; Wed, 5 Jan 2022 04:44:09 -0800 (PST)
Received: by mail-yb1-xb31.google.com with SMTP id p15so67194710ybk.10 for <oauth@ietf.org>; Wed, 05 Jan 2022 04:44:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+pYGVOiFXRKLZqqMx3YBPW4TXXgdXe5QXz3vce1nHDk=; b=ip9WEAw52eYDXXi2fsHblivEpFhPrsQn5RmBIBF70YplulthwO1K61HrA5yrHyqm2a BYQ1bIheJGLEMGHPsASE/YeriumeS+oG77wQVU6hZi3a/i19q27/IOyN+kPrRNJ2kZru KLgGx/c0dKn0kl/E6h5zp5mEyhmajLBRINs++/WipAwbZYPSyPWDUmoubWEK75sCM4TE GkiGpY0Oj7VE16frG3pKbYAHzFdspnjupm2HiJEQmmqWmQmnK9Pyv0qE0AVohKfOiClJ 1ZUxWUfdsKVbfxgpQ7rILagn4i0K1GfOMvmdIErtDpnSzk6ToNVI6yPX1+TB6AQJrgHL oFmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+pYGVOiFXRKLZqqMx3YBPW4TXXgdXe5QXz3vce1nHDk=; b=R3G//H033hR+7w4ggIcm9vOqSdtoxS6EFxfVuOtHvPsiTpXDo8k9NcHs2A6WoAQVdQ 52ByoGP006Wfwky69uNl+B+KQCf0Wmz2yPOZXlqOd6E2B+IKgm3iiBaCJsCQ4gneqDf2 LuGfJCHKk4LVtu1B2ES+pKxlAUmgsfiMG3p67jYb/JJfUPbD23ybjs5kqUg96g1/Jkp1 x25Sb71nIniRMPQj23pK7pXyQ64BxpxDUdcwurTogLd7QDv7XfdYJYbNtWBO1eTv2pHP +7Ihcuib5tTh21VI4B15hhi71JPfHHQ9MyGL6Yq4n0JzC1rqZNMvzzD0XJtf0pV75DJB l2dQ==
X-Gm-Message-State: AOAM5325MK6+BNHIE1hgXfM3JHx+2nztykVvA2ED3wQJRjWEPq6YVMfj 7rsmh9S5M5yhSdWwLOHVPWho0tskPcQw7HY5O/Lj
X-Google-Smtp-Source: ABdhPJz8yksD/zR5RFaRlCpunfplggfY8Nw5iEi/ajJAjGIPNUdzMHM3Ko9J/n02AW3m8OjOACcDnsb7PShd7Fwvrww=
X-Received: by 2002:a5b:c43:: with SMTP id d3mr60488107ybr.385.1641386646254; Wed, 05 Jan 2022 04:44:06 -0800 (PST)
MIME-Version: 1.0
References: <AM7P192MB0819568B6CF315C3BC3A9B15E44A9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM> <b711bc01-9674-6072-d941-7e1ba8f8c9ec@aol.com> <AM7P192MB081909F590F651D656ACC892E44B9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM>
In-Reply-To: <AM7P192MB081909F590F651D656ACC892E44B9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 05 Jan 2022 13:43:55 +0100
Message-ID: <CAJot-L2o32DCswBAoq6DKZgZmEKgafEk=_AGnj5y3q3CBPsa3A@mail.gmail.com>
To: Benjamin Häublein <Benjamin.Haeublein@cirosec.de>
Cc: George Fletcher <gffletch@aol.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fd4daf05d4d51b2a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IAbLG-JHb2MMfK7685ncwgWPqIA>
Subject: Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 12:44:15 -0000
I'm not following to be honest. Could you detail concretely what the flow would be that would result in vulnerability? Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>. On Wed, Jan 5, 2022 at 1:41 PM Benjamin Häublein < Benjamin.Haeublein@cirosec.de> wrote: > Finally, I'm not sure a client that doesn't send the 'code_challenge' and > 'code_challenge_method' on the authorization request but does send the > 'code_verifier' on the token request should consider that the client has > implemented PKCE correctly and hence can rely on it for CSRF. > > My point is not, that a client behaves that way. The problem is that an > attacker could get a user (through social engineering) to start the > authorization process and then click a link with an authorization response > that the attacker provides. > > Then the client has send the 'code_challenge' and 'code_challenge_method' > in the authorization request, but the authorization response belongs to an > authorization request that does not have these parameters. > > When the client sends the token request based on the malicious > authorization request but with the ‘code_verifier’ for the original > authorization request. > > When the AS behaves as described the client has no way to know that an > attacker has interfered. > > > > Best Regards, > > Benjamin Häublein > > *Von:* George Fletcher <gffletch@aol.com> > *Gesendet:* Dienstag, 4. Januar 2022 14:51 > *An:* Benjamin Häublein <Benjamin.Haeublein@cirosec.de>; oauth@ietf.org > *Betreff:* Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies > code_verifier facilitates Login-CSRF > > > > My guess is that for an Authorization Server that doesn't receive a > 'code_challenge' and 'code_challenge_method' as part of the authorization > request, they treat the request as a non-PKCE authorization request. Therefore > when the 'code_verifier' is presented at the /token endpoint, the AS > ignores the parameter because it doesn't consider the request to be a PKCE > request. I can also see the AS returning an error regarding an "unexpected > parameter" or "invalid request" error in this case. > > I agree with your recommendation for the AS to require specific clients to > use PKCE and consider an authorization request without PKCE to be an error. > > Finally, I'm not sure a client that doesn't send the 'code_challenge' and > 'code_challenge_method' on the authorization request but does send the > 'code_verifier' on the token request should consider that the client has > implemented PKCE correctly and hence can rely on it for CSRF. > > Thanks, > George > > On 1/4/22 5:45 AM, Benjamin Häublein wrote: > > Hello everyone, > > I think RFC 7636 “Proof Key for Code Exchange by OAuth Public Clients”, > section 4.6. “Server Verifies code_verifier before Returning the Tokens” > leaves a tiny gap regarding the handling of verification when no code > challenge was present in the authorization request: > > Upon receipt of the request at the token endpoint, the server > > verifies it by calculating the code challenge from the received > > "code_verifier" and comparing it with the previously associated > > "code_challenge", after first transforming it according to the > > "code_challenge_method" method specified by the client. > > It is unspecified how the server should behave when “code_verifier” is > present, but “code_challenge” and “code_challenge_method” were not set in > the initial authorization request. > > The following example worked for three well-known authorization servers > where the client was configured in a way that PKCE could be used, but was > not enforced: > > Authorization Request: > > > https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost > > Subsequent Token Request: > > POST /token HTTP/1.1 > Host: XXXX > Content-Length: 256 > > > code=ZZZZ&grant_type=authorization_code&client_id=YYYY&redirect_uri=https%3A%2F%2Flocalhost&code_verifier=IqiCQGM06JEyW73AB3f3oblCQKHOorapyqHUcYRujuSikDJx8cvBQ0kmFmzW75uIfaSBtXQrRmwuk71WWO6ryCzahTcxBPYX > > As a result, an access token was issued although the code_verifier > provided in the token request did not match the code_challenge and > code_challenge_method in the authorization request. > > > > Many applications consider the usage of PKCE as enough protection from > Login-CSRF and do not use state or nonce (for example this blog entry by > Daniel Fett > https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/ > suggests, that neither state nor nonce are necessary when PKCE is used). > However, when the authorization server is not configured to require a > specific code_challenge_method from the client and the authorization > behaves as described in the example, PKCE does not protect from Login-CSRF. > > I think the following mitigations are possible: > > 1. Enforce usage of PKCE in the client configuration in the > Authorization Server > 2. Implementation of the authorization server returns an error in the > Access Token Response when code_verifier is present in the token request, > but no code_challenge and code_challenge_method is present in the > authorization request. > 3. Additionally, when the behavior of an AS is correct (verification > of code_verifier fails when no code_challenge was present), a client that > relies on PKCE for CSRF protection must always include a code_verifier > parameter in the token request (even if no code_verifier is present on the > client side). > > > > Best regards, > > > > Benjamin Häublein > Senior Consultant > > cirosec GmbH > Ferdinand-Braun-Strasse 4 > 74074 Heilbronn > Germany > Phone: +49 (7131) 59455-74 > Fax: +49 (7131) 59455-99 > Mobile: +49 (151) 122414-74 > www.cirosec.de > > HRB Stuttgart 107883 > CEO Stefan Strobel, CFO Peter Lips > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Edge case in RFC 7636, Server Verifies… Benjamin Häublein
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… George Fletcher
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Daniel Fett
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Benjamin Häublein
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Warren Parad
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Benjamin Häublein
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Christopher Burroughs
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Warren Parad
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… George Fletcher
- Re: [OAUTH-WG] Edge case in RFC 7636, Server Veri… Thomas Broyer