Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 09 November 2018 17:14 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <BA532387-0FB5-4415-8CC7-EB6F958C43C1@lodderstedt.net>
Date: Fri, 09 Nov 2018 18:14:37 +0100
In-Reply-To: <9829E15A-416C-489E-A48D-58B771F6FFDA@alkaline-solutions.com>
Cc: Tomek Stojecki <tstojecki=40yahoo.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
To: David Waite <david@alkaline-solutions.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <710899611.302780.1541675954453@mail.yahoo.com> <9829E15A-416C-489E-A48D-58B771F6FFDA@alkaline-solutions.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LZDWEDekeD7idHKKwec1QuB_25o>

> Am 08.11.2018 um 22:59 schrieb David Waite <david@alkaline-solutions.com>:
> 
> PKCE does not resolve any known code injection attacks for SPA public clients.

It can be utilized to detect code injection at the redirect between AS and client. The PKCE verifier is bound to the user agent that initiated the corresponding request. The AS binds the code to the respective PKCE challenge. If a code is stolen and injected at a different user agent, the PKCE verifier check will fail at the AS (because the client will use the wrong PKCE verifier).

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-3.5