Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Phillip Hunt <phil.hunt@independentid.com> Wed, 06 May 2020 19:22 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98C1E3A0AAA for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 12:22:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id chakhzyzTVgq for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 12:22:40 -0700 (PDT)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 196133A0AB9 for <oauth@ietf.org>; Wed, 6 May 2020 12:22:39 -0700 (PDT)
Received: by mail-pj1-x102f.google.com with SMTP id t9so1417888pjw.0 for <oauth@ietf.org>; Wed, 06 May 2020 12:22:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=AZgu3+FJLwaiUGzGV6iO5YTEsrwsFy320tikSCbhEgk=; b=pgDffPQN8KtaY7qzdw8hY6maGr2krhHVjQPqtyoPMr1VqUW3SQq9W3bYooXBWxSv4X t5BH0vhkk74HDCJ5G2fdqnYGWNdWNJDQCcPm1/ynWjHTyy84K2s99DoGh1Ibp6g5PV/k SdmBtATGMpy2qzeEjsGf1Qnp8BdIAYHbsBR5y9Qptd1a82SMr4BQFb5+qlGkec/htUdr VeCzyaa7qsezO/AgSfXX6lZco/sr6AvJrsEAQU4CweNinAQgZKfICRgNh9UbhdKb3jmK ilZQ8somhQb+u99hulNWZ2ncYhQn0obENW1CSNmBGYn+FR2W8mB7ILdIgX2G9SVT2J/H KBqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=AZgu3+FJLwaiUGzGV6iO5YTEsrwsFy320tikSCbhEgk=; b=TA57fJXKTxale1HTfpwOjqah3LzWJ/D80AnmfBXlNQ7j5XDYlVqRjlSSOM6pfoPlpk F5vGh07N1VdHgUMYLhRsNTZ5G73csNIGRIkaaN8nYnMcm5c1qTz3kTyyZPNXWOUomTxW B9EFwqbomxy/fIMuuKu5T0or7NbQ3e76I/763LkOG6dFwiOdNqtLcjBF2k0lI+SEMkEF ZQmpJxSXJlbVyAF9W5irgPCmntgz3VWSWy31ug09swStcXlxsCbGT1IN52h3XsXfgRjX mYYFMobbMH65xBWxWdZrsUNQifzdyIlbw0gcUHS14g7wZOGgB/5kXafCuKN9itg8siK8 eZRg==
X-Gm-Message-State: AGi0PubEjAGbAstTOH7rdeIdcAGjHuO36A9bjkoZCnm7ryIJ2SYcBfsd 0rTvnNI7+RFmnLo0SSzyPjnpNJMYsto=
X-Google-Smtp-Source: APiQypKee0IBO7/5Cg3de1Zfu8yq3Qf9BJx5zTWHOYU23JTB6wQ1SqM3NGgboJrOfBp+ie1HaURRPw==
X-Received: by 2002:a17:90b:1044:: with SMTP id gq4mr10630939pjb.81.1588792959391; Wed, 06 May 2020 12:22:39 -0700 (PDT)
Received: from ?IPv6:2605:8d80:447:361e:9465:924b:46dc:1f70? ([2605:8d80:447:361e:9465:924b:46dc:1f70]) by smtp.gmail.com with ESMTPSA id x18sm2616913pfi.22.2020.05.06.12.22.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 06 May 2020 12:22:38 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-EE19F616-C5F0-4192-85C6-781279E88A2C
Content-Transfer-Encoding: 7bit
From: Phillip Hunt <phil.hunt@independentid.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 6 May 2020 12:22:37 -0700
Message-Id: <3C440EE8-134E-4703-A230-F2F61C025EF0@independentid.com>
References: <CAHsNOKda5M5TH2CzE_fc7hZJY2iBKmoNmF36QG9qbwR2pUGXsQ@mail.gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <CAHsNOKda5M5TH2CzE_fc7hZJY2iBKmoNmF36QG9qbwR2pUGXsQ@mail.gmail.com>
To: Steinar Noem <steinar@udelt.no>
X-Mailer: iPhone Mail (17E262)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PpMNt14Am_-GkCO8AkDZdG_GxrA>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 19:22:43 -0000

Yes. Some would be 2.0 and some2.1. Not unlike TLS versioning.  

 Maybe i should not have said that. ;-)

Phil

> On May 6, 2020, at 12:18 PM, Steinar Noem <steinar@udelt.no> wrote:
> 
> 
> So, wouldn't a MUST just mean that we would have some OPs that are 2.1 compliant and some that aren't?
> 
>> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt <phil.hunt@independentid.com>om>:
>> Mike,
>> 
>> The point of 2.1 is to raise the security bar. 
>> 
>> Yes it adds new MUST requirements. 
>> 
>> But what about OIDC would break other than required implementation of PKCE to support 2.1?
>> 
>> Eg Would additional signaling be required to facilitate interoperability and migration between versions? Would that be an oauth issue or an OIDC one?
>> 
>> Phil
>> 
>>>> On May 6, 2020, at 11:56 AM, Aaron Parecki <aaron@parecki.com> wrote:
>>>> 
>>> 
>>> > In particular, authorization servers shouldn’t be required to support PKCE when they already support the OpenID Connect nonce.
>>> 
>>> The Security BCP already requires that ASs support PKCE: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 Are you suggesting that the Security BCP change that requirement as well? If so, that's a discussion that needs to be had ASAP. If not, then that's an implicit statement that it's okay for OpenID Connect implementations to not be best-practice OAuth implementations. And if that's the case, then I also think it's acceptable that they are not complete OAuth 2.1 implementations either.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Wed, May 6, 2020 at 11:21 AM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>>>> The disadvantage of requiring PKCE for OpenID Connect implementations is that you’re trying to add a normative requirement that’s not required of OpenID Connect deployments today, which would bifurcate the ecosystem.  There are hundreds of implementations (including the 141 certified ones at https://openid.net/certification/), none of which have ever been required to support PKCE.  Therefore, most don’t.
>>>> 
>>>>  
>>>> 
>>>> Per feedback already provided, I believe that OAuth 2.1 should align with the guidance already in the draft Security BCP, requiring EITHER the use of PKCE or the OpenID Connect nonce.  Trying to retroactively impose unnecessary requirements on existing deployments is unlikely to succeed and will significantly reduce the relevance of the OAuth 2.1 effort.
>>>> 
>>>>  
>>>> 
>>>> In particular, authorization servers shouldn’t be required to support PKCE when they already support the OpenID Connect nonce.  And clients shouldn’t reject responses from servers that don’t support PKCE when they do contain the OpenID Connect nonce.  Doing so would unnecessarily break things and create confusion in the marketplace.
>>>> 
>>>>  
>>>> 
>>>>                                                           -- Mike
>>>> 
>>>>  
>>>> 
>>>> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
>>>> Sent: Wednesday, May 6, 2020 10:48 AM
>>>> To: oauth@ietf.org
>>>> Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>>> 
>>>>  
>>>> 
>>>> Hello!
>>>> 
>>>>  
>>>> 
>>>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce solves some of the issues that PKCE protects against. We think that most OpenID Connect implementations also support OAuth 2.0, and hence have support for PKCE if following best practices.
>>>> 
>>>>  
>>>> 
>>>> The advantages or requiring PKCE are:
>>>> 
>>>>  
>>>> 
>>>> - a simpler programming model across all OAuth applications and profiles as they all use PKCE
>>>> 
>>>>  
>>>> 
>>>> - reduced attack surface when using  S256 as a fingerprint of the verifier is sent through the browser instead of the clear text value
>>>> 
>>>>  
>>>> 
>>>> - enforcement by AS not client - makes it easier to handle for client developers and AS can ensure the check is conducted
>>>> 
>>>>  
>>>> 
>>>> What are disadvantages besides the potential impact to OpenID Connect deployments? How significant is that impact?
>>>> 
>>>>  
>>>> 
>>>> Dick, Aaron, and Torsten
>>>> 
>>>>  
>>>> 
>>>> ᐧ
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> -- 
> Vennlig hilsen
> 
> Steinar Noem
> Partner Udelt AS
> Systemutvikler
>  
> | steinar@udelt.no | hei@udelt.no  | +47 955 21 620 | www.udelt.no |