Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 11 May 2020 09:24 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B26C3A0968 for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 02:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dbKFm-z4udjX for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 02:24:28 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 312E23A0967 for <oauth@ietf.org>; Mon, 11 May 2020 02:24:28 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id w7so9981509wre.13 for <oauth@ietf.org>; Mon, 11 May 2020 02:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=0C6aC4dyUSamJDncRQSwUar5+2uqNdt5qifdcULMZhU=; b=WsTJ9FrA/wUYzK2pgbMJXoIYObXhlZXuR2qHafp7Fbb6QEpYTSXbj5DqsTz/hxO47D 2F8B6ayUQQ8o3FyojKTOsR8YAyTGjMp3e7Q4XCRTLZD+CZRKjnTQ1cMEk7TDt3TyM6f9 QHd9klmuTgCmZdONcb5S0nMb/+6z4dPyB7SS97lV/NQqzHIsJWZrDl1qUKTOirM9Nq+W VklLOREHBV7HE2KkgiCEkaPTNjf4bn8D3/fgQmy+TZWii98Vp00KoMLd2w1xl80IVFIF sZOaEKe7zmHA21BqacIB2hse2t4TiTyEJdFmi+/yZio0wkzLXgBy25pgKDEu5X0EfGI3 WmYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=0C6aC4dyUSamJDncRQSwUar5+2uqNdt5qifdcULMZhU=; b=tfx+JWhOdQ5X5oBB7GOIgoqyqoEWgQ5dCXAp0CaG1WhJT26wFxkBvs/aSLHYF47aQJ rxKqN59SS4UHOYBrm3xcWklmDftksFyr4lsB4mnKqEjq5b3SWfVy8sm1NmKFBkChuv8Z Y3n3eQEnAwl9xi9CoVqyYspmTMnfo2wVsrEGtGFpGc2qKr1NhRVXFOm2RWnxaM/RV5GQ f3juhpELj3fpiXy4BZU0uRzFytHyXoIhPjuVoNI2qexFjtEzw5eN53QhoFiUy5VIKwnK WghoujyxcXuzrBFKNPbQKp0ptXQUbev5FbM452hdVUkC2FHHGFCLJlHypCFQllRRcSdy hmtg==
X-Gm-Message-State: AGi0PubspVkTwX5+NFYmYsiCiSkug7k19P/9A76yIsl1BE6fOQxO9MbE VqbElgzkSr+llVXHAIrZCfo+UcFTBwU=
X-Google-Smtp-Source: APiQypLESBFtXh7nKCH0aU4UbNjBa/3Rj55MlPLfOntJsD2P0Bgw5NUAwwCz3QjkTsmEAr6QmAeWYQ==
X-Received: by 2002:adf:8483:: with SMTP id 3mr17915531wrg.206.1589189066487; Mon, 11 May 2020 02:24:26 -0700 (PDT)
Received: from p200300eb8f301f67ddbc8b7d2a3ed8c7.dip0.t-ipconnect.de (p200300EB8F301F67DDBC8B7D2A3ED8C7.dip0.t-ipconnect.de. [2003:eb:8f30:1f67:ddbc:8b7d:2a3e:d8c7]) by smtp.gmail.com with ESMTPSA id p9sm10539676wrj.29.2020.05.11.02.24.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 May 2020 02:24:25 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <02581F0B-F4BC-4EBD-860C-3DAFA631BA40@forgerock.com>
Date: Mon, 11 May 2020 11:24:24 +0200
Cc: Dick Hardt <dick.hardt@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7F25A8BF-65BD-4066-BF98-AD5900D43BA0@lodderstedt.net>
References: <D2736980-D345-451C-89E9-2FFA5B5512F4@lodderstedt.net> <C67BAADA-5037-4AB2-998A-D86237DB83B1@forgerock.com> <8EAF68CC-0094-4BAA-BA47-2A69CD2D3D8A@lodderstedt.net> <02581F0B-F4BC-4EBD-860C-3DAFA631BA40@forgerock.com>
To: Neil Madden <neil.madden@forgerock.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MCurgxZgTKoAKs_YptaJbk2gd3w>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2020 09:24:31 -0000


> On 11. May 2020, at 10:59, Neil Madden <neil.madden@forgerock.com> wrote:
> 
> 
> 
>> On 11 May 2020, at 08:53, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> 
>> 
>> 
>>> On 11. May 2020, at 09:34, Neil Madden <neil.madden@forgerock.com> wrote:
>>> 
>>> 
>>> 
>>>> On 11 May 2020, at 08:05, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>> 
>>>> 
>>>> 
>>>>>> On 11. May 2020, at 08:47, Neil Madden <neil.madden@forgerock.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On 11 May 2020, at 07:41, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>> 
>>>>>>> On 11. May 2020, at 07:38, Neil Madden <neil.madden@forgerock.com> wrote:
>>>>>>> 
>>>>>>> There is no attack that this prevents so your claim of improving security is unsubstantiated. I can’t see how we can ship a 2.1-compliant-by-default AS while this requirement remains so I don’t support it. 
>>>>>> 
>>>>>> Are you saying PKCE does not prevent any attack?
>>>>> 
>>>>> No, but servers and clients are already free to support PKCE. I’m saying that rejecting requests from non-PKCE clients doesn’t prevent any attack. It just denies service to legitimate clients. 
>>>> 
>>>> There are two aspects to this topic:
>>>> 
>>>> 1) Do all ASs support PKCE? Requiring PKCE support fosters interoperability and security. Security since the client can be sure the AS supports PKCE. Today, if the AS does not support PKCE, the client will never learn since a compliant AS will just ignore additional request parameters.
>>> 
>>> But just saying that a 2.1 AS MUST support PKCE is enough for this. Rejecting requests just to support feature discovery is a sledgehammer to crack a nut. 
>>> 
>>>> 
>>>> 2) Do ASs enforce PKCE? This fosters security since it forces clients to implement a means against code replay and CSRF.
>>>> 
>>> 
>>> Again, just saying that 2.1 clients MUST support PKCE achieves this aim. Rejecting non-PKCE requests doesn’t add anything to security. 
>>> 
>>> And as has been pointed out elsewhere in this thread there are clients that don’t benefit from PKCE such as confidential OIDC clients. Indeed for most confidential clients the gains of PKCE are relatively minor - code injection attacks are already pretty hard to pull off in practice against such clients. 
>> 
>> I agree, but I wouldn’t say they don’t benefit at all. 
>> 
>> 1) The nonce check happens after the OP had issued the ID Token. This means even if the transaction is being evaluated to be fraudulent afterwards, the OP releases PII to the RP. Depending on the way the OP obtained this data, this might have already caused unneglectable cost (e.g. for an external commercial claims provider).
>> 
>> That’s not the case with PKCE.
> 
> We’re talking about confidential clients. If the ID Token is not meant for this client then client authentication will fail, or else the auth code was meant for this client (but not this session) in which case the user already consented to release of PII to that RP.
> 
> If you are talking about a hybrid flow then PKCE doesn’t protect that either.

Sure. The OP won’t issue an ID Token if the PKCE check fails.

> I’d like to see encrypted ID tokens become mandatory in hybrid flows, but that’s not for this WG.
> 
>> 
>> 2) The whole check relies on the client. I would rather rely on the OP/AS to enforce this security check since clients have a less promising track record of implementing security checks. 
>> 
>> 3) In mixed OAuth/OIDC scenarios, switching back and force between nonce and PKCE does not make developers live simpler. 
> 
> Maybe, but I don’t think either of these rise to the level of mandating that ASes reject non-PKCE requests.
> 
> In the interests of building consensus, maybe something along the lines of: “An AS MUST reject requests without a code_challenge from public clients, and SHOULD reject such requests from other clients unless there is reasonable assurance that the client mitigates these threats in other ways”?

Sounds reasonable. 

> 
> — Neil
>