[OAUTH-WG] Aligning PKCE requirements within the OAuth Security BCP

Mike Jones <Michael.Jones@microsoft.com> Wed, 06 May 2020 21:04 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 6 May 2020 21:04:01 +0000
Message-ID: <CH2PR00MB06795B5A025D45DC02234C42F5A40@CH2PR00MB0679.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RJ1C2qSomuZK0Lch16bSBqTcP_Q>

As is being discussed in the thread "[OAUTH-WG] OAuth 2.1 - require PKCE?", https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 has inconsistent requirements for PKCE support between clients and servers.  Per the first paragraph, clients must either use PKCE or use the OpenID Connect nonce to prevent authorization code injection.  Whereas the fourth paragraph says "Authorization servers MUST support PKCE [RFC7636].".  This imposes a requirement on servers that isn't present for corresponding clients.  (I missed this internal discrepancy within the specification when I did my review.)

I therefore request that the fourth paragraph be changed to read: "OAuth Servers MUST support PKCE [RFC7636] unless they are only used for OpenID Connect Authentication Requests", making the requirements on clients and servers parallel.  That way PKCE will still be there unless you don't need it.  (And it still could be there if the server implementer chooses to have it in all cases, but that should be their call.)

Thank you,
-- Mike
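To make the server-side PKCE requirement under discussion concrete, here is an added example (not code from this thread or from any real authorization server) of a toy AS that, per RFC 7636, recomputes the S256 code_challenge from the presented code_verifier when the authorization request carried a challenge, and has nothing to verify when it did not, which is the situation of an OpenID Connect client that relies on nonce instead. AuthServer and its method names are hypothetical.

```python
import base64
import hashlib
import secrets

def b64url(data: bytes) -> str:
    # RFC 7636 Appendix A: base64url encoding with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random octets give a 43-character verifier, inside RFC 7636's 43..128 range
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:
    """Toy authorization server that supports PKCE (hypothetical model, not a real AS)."""
    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, stored code_challenge or None)

    def authorize(self, client_id, code_challenge=None, code_challenge_method=None):
        # This model accepts only S256 when a challenge is present (a choice made here)
        if code_challenge is not None and code_challenge_method != "S256":
            raise ValueError("invalid_request: only S256 is accepted in this example")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier=None):
        record = self._codes.pop(code, None)  # a code is redeemable exactly once
        if record is None or record[0] != client_id:
            return "invalid_grant"
        stored_challenge = record[1]
        if stored_challenge is None:
            # The authorization request carried no code_challenge (e.g. an OIDC client
            # that binds the code to its session via nonce), so the AS has nothing to check
            return "ok"
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            return "invalid_grant"
        # Recompute the challenge from the presented verifier; compare in constant time
        if not secrets.compare_digest(s256_challenge(code_verifier), stored_challenge):
            return "invalid_grant"
        return "ok"
```

A code issued for one session's verifier and redeemed with another session's verifier fails the recomputation, which is the injection case PKCE closes.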