[OAUTH-WG] proposed resolution for PKCE in OAuth 2.1

Aaron Parecki <aaron@parecki.com> Mon, 11 May 2020 18:52 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 11 May 2020 11:52:00 -0700
Message-ID: <CAGBSGjpRr=pHcX=ppHJygCC25ZZ8xVQztrviDyYq4yvG6KJ7YA@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KPzSyJW3ticGg5GOAdnRVlYnGvA>
Subject: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1

Thanks for the lively discussion around PKCE in OAuth 2.1 everyone!

We would like to propose the following text, which is a slight variation
from the text Neil proposed. This would replace the paragraph in 4.1.2.1 (
https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02#section-4.1.2.1)
that begins with "If the client does not send the "code_challenge" in the
request..."

"An AS MUST reject requests without a code_challenge from public clients,
and MUST reject such requests from other clients unless there is reasonable
assurance that the client mitigates authorization code injection in other
ways. See section 9.7 for details."

Section 9.7 is where the nuances of PKCE vs nonce are described.

As Neil described, we believe this will allow ASs to support both OAuth 2.0
and 2.1 clients simultaneously. The changes from Neil's text are the
clarification of which threats are addressed, and the change from SHOULD to
MUST. The "MUST...unless" is more specific than "SHOULD", and since we are
already describing the explicit exception to the rule, it is clearer as a MUST
here.

Aaron Parecki
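As an added illustration (not part of the message or the draft), the following Python sketch shows how an authorization server could apply the proposed 4.1.2.1 rule at the authorization endpoint and then check the code_verifier at the token endpoint per RFC 7636. The `Client` record and its `nonce_mitigation` flag are assumptions standing in for whatever gives the AS "reasonable assurance" that a confidential client mitigates code injection another way.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Client:
    """Hypothetical client record held by the AS. 'nonce_mitigation' stands in
    for the AS's assurance that a confidential client mitigates authorization
    code injection by other means (e.g. an enforced OIDC nonce)."""
    client_id: str
    is_public: bool
    nonce_mitigation: bool = False


def authorization_request_allowed(client: Client, params: dict) -> tuple:
    """Apply the proposed 4.1.2.1 text to an authorization request.
    Returns (allowed, reason)."""
    if params.get("code_challenge"):
        method = params.get("code_challenge_method", "plain")  # RFC 7636 default
        if method not in ("plain", "S256"):
            return False, "unsupported code_challenge_method"
        return True, "code_challenge present"
    if client.is_public:
        return False, "MUST reject: public client without code_challenge"
    if client.nonce_mitigation:
        return True, "confidential client with other code-injection mitigation"
    return False, "MUST reject: no code_challenge and no other mitigation"


def verify_code_verifier(code_verifier: str, code_challenge: str, method: str) -> bool:
    """Token-endpoint check (RFC 7636 section 4.6): for S256 compare
    BASE64URL(SHA256(ASCII(code_verifier))) without padding to the stored
    challenge; for plain compare the verifier itself. Constant-time compare."""
    if not 43 <= len(code_verifier) <= 128:  # RFC 7636 section 4.1 length bounds
        return False
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return secrets.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    spa = Client("spa-app", is_public=True)  # constructed sample client
    print(authorization_request_allowed(spa, {"response_type": "code"}))
```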