IETF Logo Mail Archive

Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

Nat Sakimura <sakimura@gmail.com> Sat, 23 January 2016 03:19 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E73CF1B303C for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 19:19:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9QMsOsZbSEhL for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 19:19:42 -0800 (PST)
Received: from mail-qg0-x22f.google.com (mail-qg0-x22f.google.com [IPv6:2607:f8b0:400d:c04::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7320C1B3023 for <oauth@ietf.org>; Fri, 22 Jan 2016 19:19:42 -0800 (PST)
Received: by mail-qg0-x22f.google.com with SMTP id 6so72050081qgy.1 for <oauth@ietf.org>; Fri, 22 Jan 2016 19:19:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=k/UGvKByJJVWcxoD/BSPvHusfgXHCJJ3SaaJ+Hg2CAs=; b=nR6IznrJUs+RUvJ2QkN3FxbJ/mxvqaps+WQZ9WFgQgvN3fnZmFqWFDibecJgT77zzc rEuthub4a2XvoNZdPddlAGfZQ2U+0gsfetQBuRUUpPFBHg7JlNBrTn6KL2GvyWD5MVUf 9ywqE86NQuDlD44zVCUO8M33WBfz+O5U4DR82CungQBieGGzXl9wSL/3c+98avYQzKVp 59gKThYcx4gDQdQA0RObuEjjJ4/4XH8r36Tg5UmxIl118+hnqT8a72vzu1tv+ZdzDpAu /C7G/b+qO/iU34Fk+TZTr7ARWzmKUMgMf+abhGrr998sHkUXbKW2L3tEcRyyj6euIZGc LhiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=k/UGvKByJJVWcxoD/BSPvHusfgXHCJJ3SaaJ+Hg2CAs=; b=DZXlxcnd/Ldm3O8qiyczfwAC+ndtpEbemb4428MDuotH1xjQMChXofhHsDon/bKmdX c9mfCqjD9yJdfaS8Rs2XleeiibrnTJjdbH99QOqna0/MCAujKpXQn8DbEORGWArT1Iv0 xq++F8SemgP8ghXJk50xmbvpcPEPyIUDxxeqZJgvcz8EChvqk4k1Wpdqs9J2bodzZjf6 oXreTyE8fpgArM6epWS1YoaWH5lv2/q5xfvtDrtzLSF+VecKjIawaFqDP1WR7peRG1zQ xNtK8AB9/a2H5YVZi9zBZCH7vwNCUgHFjoovLxiU4Q2ayiyLrq4bw7O9BEvlnfqBt2lG VTbA==
X-Gm-Message-State: AG10YORhGsxF3297GZlcWc1Q2QlFyfQzqI+NSXzTzBIzwgPVB7Jfig2RqZGuM8GvTKUqFS+waKadFAwwrYz9JQ==
X-Received: by 10.140.152.18 with SMTP id 18mr8154885qhy.16.1453519181661; Fri, 22 Jan 2016 19:19:41 -0800 (PST)
MIME-Version: 1.0
References: <CAAP42hD3vpwnBYzu6YZVXtTimVuFHzgQ9Pksn1RQNEwogPZRJw@mail.gmail.com> <CA+wnMn9gqpbKmvdrd_hjamWEEaAOuL=RntUWEtm_55OT-gAMgw@mail.gmail.com> <0E094321-8A8A-4D94-8BE9-27D49BC6572F@ve7jtb.com> <CA+wnMn_emE0Ofkorfo3Bocmq4m3QAzdDrg_Ex=zEVZpDp4BmUg@mail.gmail.com>
In-Reply-To: <CA+wnMn_emE0Ofkorfo3Bocmq4m3QAzdDrg_Ex=zEVZpDp4BmUg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Sat, 23 Jan 2016 03:19:31 +0000
Message-ID: <CABzCy2BHDdBs7MOKT5jMyxCcarJ8F3kJa4zziufd4hR1sF3ucA@mail.gmail.com>
To: Chuck Mortimore <cmortimore@salesforce.com>, John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="001a1135a2a07f4d850529f7cef3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/NBJWOuDP-tnyM1cpLN1XEf4OaN0>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 03:19:45 -0000

That's a great news.
Thanks so much for sharing.

Nat
2016年1月23日(土) 9:43 Chuck Mortimore <cmortimore@salesforce.com>:

> Thanks - we'll fail if the client defaults to plain, as we didn't
> implement.    Will take a look in the future though.
>
> I am curious if an implementing client can move back and forth between
> Salesforce and Google implementations.    If someone tries, please let us
> know!
>
> On Fri, Jan 22, 2016 at 4:21 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> In the final spec plain is not MTI.  S256 is MTI for the server in Sec
>> 4.2. so you are OK.
>>
>> The client will default to plain if it doesn’t set a
>> code_challenge_method.
>>
>> That was to be backwards compatible with the people who deployed when
>> plain was the only option.
>>
>> John B.
>>
>> On Jan 22, 2016, at 8:45 PM, Chuck Mortimore <cmortimore@salesforce.com>
>> wrote:
>>
>> We quietly rolled out PKCE support at Salesforce a year ago, as well.
>> We're on a slightly earlier draft, but look to be compliant with final RFC
>> with one exception - we default to S256, and do not have support for "plain"
>>
>> Would be interesting to interop test our deployments.
>>
>> -cmort
>>
>> On Mon, Jan 18, 2016 at 9:46 PM, William Denniss <wdenniss@google.com>
>> wrote:
>>
>>> This month we rolled out full PKCE (RFC7636) support on our OAuth
>>> endpoints.
>>>
>>> We'd previously implemented an earlier draft but were not conformant to
>>> the final spec when it was published – now we are. Both "plain" and "S256"
>>> transforms are supported. As always, get the latest endpoints from our
>>> discovery document:
>>> https://accounts.google.com/.well-known/openid-configuration
>>>
>>> If you give it a spin, let me know how you go! The team monitors the
>>> Stack Overflow google-oauth
>>> <http://stackoverflow.com/questions/tagged/google-oauth> tag too, for
>>> any implementation questions.
>>>
>>> I'm keen to know what we should be putting in our discovery doc to
>>> declare PKCE support (see the thread "Advertise PKCE support in OAuth 2.0
>>> Discovery"), hope we can agree on that soon.
>>>
>>> One implementation detail not covered in the spec: we error if you
>>> send code_verifier to the token endpoint when exchanging a code that was
>>> issued without a code_challenge being present. The assumption being that if
>>> you are sending code_verifier on the token exchange, you are using PKCE and
>>> should have sent code_challenge on the authorization request, so something
>>> is amiss.
>>>
>>> William
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email