IETF Logo Mail Archive

Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1

Warren Parad <wparad@rhosys.ch> Wed, 13 October 2021 18:02 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94CA33A08CB for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 11:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jq03B1vK58Sw for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 11:02:49 -0700 (PDT)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89D163A08B6 for <oauth@ietf.org>; Wed, 13 Oct 2021 11:02:49 -0700 (PDT)
Received: by mail-yb1-xb2c.google.com with SMTP id h2so8352699ybi.13 for <oauth@ietf.org>; Wed, 13 Oct 2021 11:02:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Gfh4yResiozc8f4qXTt+JAoolIulvPDzE5HZsa7T8s8=; b=GE79evhqrOd+SoNXLAWj6xRqTurO9B9BuqbLh5wvWv32AMJUIzG6SDJq9h3hBSVY7k YSKkzgSa6414B+EnIopi96DTopKc8H5dBS7h7Wt7UdUo1c4PJjvDlunzSEL/hSouCW9j ku1OydEnvBDs0E4vP6PEkGhl7ejb/NFlGW9HA9Rb1QzBY5wcSnxWrrhRKg8Je7pAmPnQ ghKFhvdy/y8cuosiEZHCoiqpZA6liRYoMN28BopihrAneuhpTI3hvXnTk6q1HEvgu4IG Z9bxNN98faCfzcaGfbIhx+hHrDLEASqH1SBgB/SMh3P9DtnYZnhw4xnMHbu+fFLt6Isl IIGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Gfh4yResiozc8f4qXTt+JAoolIulvPDzE5HZsa7T8s8=; b=C9J8WePO973RmgtHpumQwh+pLm2nzGjs+VS/RQgS1JG5J1RyShMVDmjRQu47gTguUb M37/B3pJDqxN5M/yhjZEwFu/rZco+/lyOgrIqytOVF2nORyU++yMDasJspd6n5COc4N1 KXRv/oy9Ixc/7Zq8tQBlQjes355GhmDbXyvOrpIIiisv6uDVHFZSQGN3aUX/H5r0f5/l /8hmZaXQjcsS5tBBJE+NfbiOZMqzT6ovVdPRpJiEuYW7c/7qHQc9j5517CQyRxpaBKKO qjryEL6xSabVKzbrMtYJppDuujfZjF5aseOXU8jxicHjQX/6Ppm3WgsrPtQ+fRZq4VJy joUA==
X-Gm-Message-State: AOAM532fByYA9Lfcek5lylr/DoCWLVDrEadCf9geFyVwaRayT4+ZNCJP iKQfgFsdB59tVpGQCOgfX7oWFuqcHU64JgHfSNl2
X-Google-Smtp-Source: ABdhPJxT+4eCSsTWG0cneJzSbcxjgH8SYkWuQ9Jo4CI7TRrrxNEsmQyFRrxC4fJBWasrzC00Uf+VqhfLLxMMv5xyI8g=
X-Received: by 2002:a25:e053:: with SMTP id x80mr1015424ybg.261.1634148168258; Wed, 13 Oct 2021 11:02:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBSGjpJrM4uUTdVvsEzh5sT0H9ZpEJ0D3yfo-p_1S9w_tdF8g@mail.gmail.com> <4E04231B-51FA-429F-8D45-022B7D27E5B1@forgerock.com>
In-Reply-To: <4E04231B-51FA-429F-8D45-022B7D27E5B1@forgerock.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 13 Oct 2021 20:02:37 +0200
Message-ID: <CAJot-L2K3XCwUSgE7Jq9Ug3serBNgQS0=fxa0BoLi=uKZqCZLg@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Aaron Parecki <aaron@parecki.com>, Mike Jones <Michael.Jones@microsoft.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000146eaf05ce3fc5fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q1Ynxh4T7PBCymiVUtgEVEGCgOc>
Subject: Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 18:02:55 -0000

Thanks Aaron, that's a great point. In light of that, I would ask about the
recommendation for non-SPA. I was under the impression that non-SPA's don't
require the use of PKCE, which would make them vulnerable to replay
attacks. Or am I missing something?

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Wed, Oct 13, 2021 at 7:59 PM Neil Madden <neil.madden@forgerock.com>
wrote:

> I wasn’t on the call either, so maybe I’m missing something. If you’re
> using PKCE with the “plain” challenge type then both the auth code and the
> verifier are exposed in redirect URI parameters in the user-agent aren’t
> they? That seems a bit risky to drop the one-time use requirement.
>
> I can’t see anything in the minutes of the meeting describing the
> difficulty of implementing the one-time use req. I seem to see
> announcements for new globally-consistent high-scale cloud database
> services every day - is this really that hard to implement?
>
> — Neil
>
> On 13 Oct 2021, at 18:41, Aaron Parecki <aaron@parecki.com> wrote:
>
> 
> Warren, I didn't see you on the interim call, so you might be missing some
> context.
>
> The issue that was discussed is that using PKCE already provides all the
> security benefit that is gained by enforcing single-use authorization
> codes. Therefore, requiring that they are single-use isn't necessary as it
> doesn't provide any additional benefit.
>
> If anyone can think of a possible attack by allowing authorization codes
> to be reused *even with a valid PKCE code verifier* then that would warrant
> keeping this requirement.
>
> ---
> Aaron Parecki
>
>
> On Wed, Oct 13, 2021 at 10:27 AM Warren Parad <wparad=
> 40rhosys.ch@dmarc.ietf.org> wrote:
>
>> Isn't it better for it to be worded as we want it to be, with the
>> implication being that of course it might be difficult to do that, but that
>> AS devs will think long and hard about sometimes not denying the request?
>> Even with MUST, some AS will still allow reuse of auth codes. Isn't that
>> better than flat out saying: *sure, there's a valid reason*
>>
>> In other words, how do we think about RFCs? Do they exist to be followed
>> to the letter or not at all? Or do they exist to stipulate this is the way,
>> but acknowledge that not everyone will build a solution that holds them as
>> law.
>>
>> Let's look at *SHOULD*
>>
>>> This word, or the adjective "RECOMMENDED", mean that there may exist
>>> valid reasons in particular circumstances to ignore a particular item, but
>>> the full implications must be understood and carefully weighed before
>>> choosing a different course.
>>
>>
>> I think *recommended* here is not sufficient nor are there valid
>> reasons. "It's too hard" isn't really a valid reason. Isn't it better in
>> this case for an AS to not be compliant with the RFC, than it is to relax
>> this to SHOULD and have lots of AS thinking reusing auth codes is a viable
>> solution, "because they are a special snowflake where SHOULD should apply".
>>
>> Are we setting the standard or instead attempting to sustain a number of
>> "AS that are in compliance with the RFC"?
>>
>>
>> Warren Parad
>>
>> Founder, CTO
>> Secure your user data with IAM authorization as a service. Implement
>> Authress <https://authress.io/>.
>>
>>
>> On Wed, Oct 13, 2021 at 7:17 PM Mike Jones <Michael.Jones=
>> 40microsoft.com@dmarc.ietf.org> wrote:
>>
>>> During today’s call, it was asked whether we should drop the OAuth 2.0
>>> language that:
>>>
>>>          The client MUST NOT use the authorization code
>>>
>>>          more than once.  If an authorization code is used more than
>>>
>>>          once, the authorization server MUST deny the request and SHOULD
>>>
>>>          revoke (when possible) all tokens previously issued based on
>>>
>>>          that authorization code.”
>>>
>>>
>>>
>>> The rationale given was that enforcing one-time use is impractical in
>>> distributed authorization server deployments.
>>>
>>>
>>>
>>> Thinking about this some more, at most, we should relax this to:
>>>
>>>          The client MUST NOT use the authorization code
>>>
>>>          more than once.  If an authorization code is used more than
>>>
>>>          once, the authorization server SHOULD deny the request and
>>> SHOULD
>>>
>>>          revoke (when possible) all tokens previously issued based on
>>>
>>>          that authorization code.”
>>>
>>>
>>>
>>> In short, it should remain illegal for the client to try to reuse the
>>> authorization code.  We can relax the MUST to SHOULD in the server
>>> requirements in recognition of the difficulty of enforcing the MUST.
>>>
>>>
>>>
>>> Code reuse is part of some attack scenarios.  We must not sanction it.
>>>
>>>
>>>
>>>                                                           -- Mike
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> Manage My Preferences <https://preferences.forgerock.com/>, Unsubscribe
> <https://preferences.forgerock.com/>
>
>

v2.23.0 | Report a Bug | By Email