Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
Daniel Fett <fett@danielfett.de> Mon, 18 October 2021 06:42 UTC
Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C8393A1221 for <oauth@ietfa.amsl.com>; Sun, 17 Oct 2021 23:42:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hg2Iu8lbZUvn for <oauth@ietfa.amsl.com>; Sun, 17 Oct 2021 23:42:21 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29FB23A11E4 for <oauth@ietf.org>; Sun, 17 Oct 2021 23:42:20 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id B157317D0A for <oauth@ietf.org>; Mon, 18 Oct 2021 06:42:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1634539335; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=dm4QJ8g5WLvlBjLYjkh/3z5s3SJzjW+acXPAsc9R8dI=; b=G+GivUi0UrDqKwKvrNYAut1rIuf/JMHK10J/hcVZ5BTt0j0z+bwlYeQSxKd71lL4VAY6SS xqZPYMEhaAY9ewo6VwDqPOQ7pJH8J4/c6ZiYFsCeutWSRDwMReUZiG/9H2yc7769xSjGq/ yQOnIj18zH1cKv5hYvR3QxPrTKFBuEg=
To: oauth@ietf.org
References: <SJ0PR00MB1005DDD53BB9E1CB098632B1F5B99@SJ0PR00MB1005.namprd00.prod.outlook.com> <CAFvbn=Y3tmX_Lh4GJZOAn5sx2PW5D_XAT_dHwJQ-nSm6Hsn=vQ@mail.gmail.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <dc10fb17-d917-a8dd-f0d6-7bf5daf644b9@danielfett.de>
Date: Mon, 18 Oct 2021 08:42:15 +0200
MIME-Version: 1.0
In-Reply-To: <CAFvbn=Y3tmX_Lh4GJZOAn5sx2PW5D_XAT_dHwJQ-nSm6Hsn=vQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------5C17928DEA714C50BD8A4992"
Content-Language: de-DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1634539336; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=dm4QJ8g5WLvlBjLYjkh/3z5s3SJzjW+acXPAsc9R8dI=; b=l3RVM7j7xTaKrSndHUmiRdRu20Rog6Bdh+aV+Q6Job8vf5kzMMLKZ918MwbMFFu+fxtuaj d+i10RZ6aUX/UKRvX1iUguVjMR1JKZx6WH1UYGYPiQSZ5pck2YFdlhErICLOiqC1XSgKqV pJZJF99yatxEUeCtOHINTH5ooBBU/dc=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1634539336; a=rsa-sha256; cv=none; b=b2WjuvYS6/ZsHEsNAasSLT9GTluRrtWIgdCN4mDz67t/ibwj7EFNh0OfPEAUPhsUQbK4kN fm2VhBrMrrj5KAE/DnUpDphm7vvbFIqxfZky1FYQ4jwma55sue5yU2KaV1hxdUHFKB3slx 6evlrhoVTtCyy9nwczJn8IJZs43fgbk=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: ---
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RXEb-AHBd8uBHY6FAEHazAFHlrQ>
Subject: Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2021 06:42:36 -0000
Am 16.10.21 um 03:22 schrieb Ash Narayanan: > Fully support Annabelle's idea of idempotent tokens. > 1. It makes sense (give me the same code/verifier, I'll give you back > the same tokens). > 2. It negates the possible attack vectors mentioned by Daniel. All I see is that it opens another channel for token exfiltration, for example if an attacker can read the token request but not the response. This would be quite a fundamental change. -Daniel > 3. It is easy to implement. > > Regarding Mike's comments... > > As I see it, the retry in case of network failures should happen > by performing a new authorization request – not by trying to reuse > an authorization code – which is indistinguishable from an attack. > > This offers no additional security and creates a poor user experience. > With idempotent tokens, there is no incentive for the attacker to > replay than to just use the already generated tokens, which I assume > the attacker would have access to given they have access to the > code/verifier. > > Let’s not use OAuth 2.1 as an opportunity to sanction behaviors > that we can’t distinguish from attacks. > > I would argue that we should also take the opportunity to make > Oauth2.1 more meaningful/easier to implement, by reducing unnecessary > requirements that offer no additional security. > > Daniel did also mention this bit, which I agree with: > > And ideally, the code SHOULD also be invalidated if the PKCE > verifier does not match, not sure if that is in the current text > or not. > > > > On Sat, Oct 16, 2021 at 10:42 AM Mike Jones > <Michael.Jones=40microsoft.com@dmarc.ietf.org > <mailto:40microsoft.com@dmarc.ietf.org>> wrote: > > As I see it, the retry in case of network failures should happen > by performing a new authorization request – not by trying to reuse > an authorization code – which is indistinguishable from an attack. > > > > Let’s not use OAuth 2.1 as an opportunity to sanction behaviors > that we can’t distinguish from attacks. > > > > The prohibition on clients reusing an authorization code needs to > remain. > > > > -- Mike > > > > *From:* Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org > <mailto:40auth0.com@dmarc.ietf.org>> > *Sent:* Friday, October 15, 2021 4:19 PM > *To:* Richard Backman, Annabelle <richanna@amazon.com > <mailto:richanna@amazon.com>> > *Cc:* Mike Jones <Michael.Jones@microsoft.com > <mailto:Michael.Jones@microsoft.com>>; oauth@ietf.org > <mailto:oauth@ietf.org> > *Subject:* [EXTERNAL] Re: [OAUTH-WG] Authorization code reuse and > OAuth 2.1 > > > > I am a fan of this approach. It feels pretty empty to cast people > out of compliance just because they are handling a realistic > circumstance, such as network failures, that we know about > beforehand. > > In addition, this gives us a chance to provide guidance on how to > handle the situation, instead of leaving AS implementers to their > own device. > > > > On Fri, Oct 15, 2021 at 11:32 AM Richard Backman, Annabelle > <richanna=40amazon.com@dmarc.ietf.org > <mailto:40amazon.com@dmarc.ietf.org>> wrote: > > The client MUST NOT use the authorization code more > than once. > > > > This language makes it impossible to build a fault tolerant, > spec compliant client, as it prohibits retries. We could > discuss whether a retry really constitutes a separate "use", > but ultimately it doesn't matter; multiple presentations of > the same code look the same to the AS, whether they are the > result of retries, the client attempting to get multiple sets > of tokens, or an unauthorized party trying to replay the code. > > > > I think we can have a fault tolerant, replay-proof > implementation, but it takes some effort: > > > > 1. The AS can prevent the authorized client from using one > code to get a bunch of independent refresh and access > token pairs by either re-issuing the same token > (effectively making the token request idempotent) or > invalidating previously issued tokens for that code. > (Almost but not quite idempotent…idempotent-adjacent?) > 2. The AS can prevent unauthorized parties from replaying > snooped codes+PKCE by requiring stronger client > authentication: implement dynamic client registration and > require a replay-resistant client authentication method > like `jwt-bearer`. The AS can enforce one-time use of the > client credential token without breaking fault tolerance, > as the client can easily mint a new one for each retry to > the token endpoint. > > > > Yes, I know, this is way more complex than just a > credential-less public client doing PKCE. Perhaps we can have > our cake and eat it too with language like: > > > > The client MUST NOT use the authorization code more than > once, unless retrying a token request that failed for > reasons beyond the scope of this protocol. (e.g., network > interruption, server outage) Refer to [Fault Tolerant > Replay Prevention] for guidance. > > > > …where Fault Tolerant Replay Prevention is a subsection under > Security Considerations. I don't think this wording is quite > right, as the guidance is really going to be for the AS, not > the client, but hopefully it's enough to get the idea across. > > > > — > > Annabelle Backman (she/her) > > richanna@amazon.com <mailto:richanna@amazon.com> > > > > > > > > On Oct 15, 2021, at 8:27 AM, Mike Jones > <Michael.Jones=40microsoft.com@dmarc.ietf.org > <mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>> wrote: > > > > *CAUTION*: This email originated from outside of the > organization. Do not click links or open attachments > unless you can confirm the sender and know the content is > safe. > > > > I agree with Daniel. > > > > Also, while we’ve talked about server requirements, I > think it’s equally important that we retain this client > requirement: > > > > The client MUST NOT use the authorization code more > than once. > > > > > -- Mike > > > > *From:* OAuth <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> *On Behalf Of *Daniel Fett > *Sent:* Friday, October 15, 2021 8:13 AM > *To:* oauth@ietf.org <mailto:oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] Re: Authorization code reuse and > OAuth 2.1 > > > > I don't think that a MAY is appropriate here. > > > > I wasn't in the call yesterday, so I hope I don't miss > anything here, but... > > > > Even with PKCE, the one-time use requirement of the code > is still important. First and foremost, if we allow > unlimited re-use of the same code, even just as an option, > we change the semantics of this artifact. I guess there > are many examples where this causes issues, but one would > be DPoP. It assumes that there is only one (successful) > token request and in that request, the token is bound to a > specific key. If there can be more than one successful > token request, all it takes is code_challenge and the code > sitting around somewhere in accessible memory and an XSS > attacker can exfiltrate them and use them on his own > device, binding the resulting token to an > attacker-controlled key. This is the attack outcome > against which we introduced the nonce in DPoP. (Probably > we should add this thought as a security consideration to > DPoP, but that is a different topic.) I guess we can come > up with many other mechanisms and mitigations that depend > on code being one-time use. > > > > The attack described also shows nicely that code replay > protection and PKCE serve similar purposes, but are not > the same thing. > > > > The Security BCP introduces a second layer of defense at > pretty much all the critical places in the protocol, > because practice shows that a single defense can break too > easily. For example, an attacker with read-only access to > the token request would be pretty bad without code replay > protections in place. Such attackers are considered in > FAPI. (Somebody capable of reading system logs at the > client or server, proxy logs at the client or server, > browser logs, etc.) > > > > Therefore, in my opinion, the code MUST be short-lived and > at least SHOULD, better MUST be one-time use. > > > > And ideally, the code SHOULD also be invalidated if the > PKCE verifier does not match, not sure if that is in the > current text or not. > > > > -Daniel > > > > > > > > Am 15.10.21 um 11:04 schrieb Pieter Kasselman: > > SHOULD is more likely to cause the right conversations > to take place for implementors as they weigh the > risks. Reducing it to MAY risks diluting it too much. > > > > *From:* OAuth <oauth-bounces@ietf.org> > <mailto:oauth-bounces@ietf.org> *On Behalf Of *Warren > Parad > *Sent:* Friday 15 October 2021 09:25 > *To:* Pieter > Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org> > <mailto:pieter.kasselman=40microsoft.com@dmarc.ietf.org> > *Cc:* IETF oauth WG <oauth@ietf.org> > <mailto:oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] [EXTERNAL] Re: Authorization > code reuse and OAuth 2.1 > > > > I wouldn't be against lowering it to MAY but only if > we stipulate a SHOULD on an expected lifetime of an > authorization code. I think sending the message that > these should be one time use except in exceptional > circumstances. > > > > > *Warren Parad* > > Founder, CTO > > Secure your user data with IAM authorization as a > service. Implement Authress > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthress.io%2F&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C0d1e820fa1664a5bb1ab08d98fb54d4f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637698831154740432%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6rSI2UvnakrWNh3qtBEgIMbRO8L9oXu8zGj4Fd128B8%3D&reserved=0>. > > > > > > On Fri, Oct 15, 2021 at 10:17 AM Pieter Kasselman > <pieter.kasselman=40microsoft.com@dmarc.ietf.org > <mailto:40microsoft.com@dmarc.ietf.org>> wrote: > > Any weakening of the requirement should include a > clear outline of the risks to help implementors > make informed decisions. > > > > *From:* OAuth <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> *On Behalf > Of *Ash Narayanan > *Sent:* Friday 15 October 2021 01:51 > *To:* Aaron Parecki <aaron@parecki.com > <mailto:aaron@parecki.com>> > *Cc:* IETF oauth WG <oauth@ietf.org > <mailto:oauth@ietf.org>> > *Subject:* Re: [OAUTH-WG] [EXTERNAL] Re: > Authorization code reuse and OAuth 2.1 > > > > > > > You don't often get email > from ashvinnarayanan@gmail.com > <mailto:ashvinnarayanan@gmail.com>. Learn why this > is important > <http://aka.ms/LearnAboutSenderIdentification> > > > > Yes, as I said before, authorization servers > are free to enforce one-time use of the > authorization code even if there isn't a > requirement to. The proposal is just to remove > the *requirement* of authorization servers > enforcing it. > > > > I agree, and therefore I think what it really > ought to be is "MAY". > > > > Annabelle said: > > There are legitimate use cases for a client to > replay an authorization code. Connection > failures happen. Servers fall over before > completing requests. Users hit browser refresh > buttons. Permitting replay of authorization > codes (assuming valid PKCE, client creds, > etc.) allows clients to handle these failure > modes simply and gracefully via retries. > > > > Couldn't agree more. Having experienced these > exact use-cases, I can honestly say that denying > users a smooth experience just to be compliant > with the spec, which offers no additional security > if PKCE is also being used, makes no sense. > > It is also more effort (from a repository layer > perspective) to implement one-time use than do > PKCE verification. > > > > What is the practical reason for allowing > "plain" PKCE in OAuth 2.1? Are there really > use cases out there where SHA-256 is a deal > breaker? > > > > I'd be interested in these use-cases as well (I > can't think of any). > > > > On Thu, Oct 14, 2021 at 8:36 AM Aaron Parecki > <aaron@parecki.com <mailto:aaron@parecki.com>> wrote: > > Yes, as I said before, authorization servers > are free to enforce one-time use of the > authorization code even if there isn't a > requirement to. The proposal is just to remove > the *requirement* of authorization servers > enforcing it. > > > > I am okay with Mike's suggestion of changing > the language to "SHOULD" to continue to point > out the possibility of enforcing one-time > authorization codes if desired. > > > > > > > > On Wed, Oct 13, 2021 at 2:15 PM Pieter > Kasselman <pieter.kasselman@microsoft.com > <mailto:pieter.kasselman@microsoft.com>> wrote: > > Log files can exist in lots of place > (clients, servers, data lakes). The > question is whether it is a valid > assumption that an attacker cannot obtain > an Authorization Code and a Code Verifier > and present it a second time round. > Limiting the validity period is one layer > of defence, PKCE is another layer, one > time use enforcement is another. Assuming > breach and designing from a defence in > depth perspective is a good practice, so > why not give implementors options (and > guidance) to add additional layers of > defence to match their risk profiles? > > > > > > *From:* OAuth <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> *On > Behalf Of *Sascha Preibisch > *Sent:* Wednesday 13 October 2021 22:06 > *To:* Aaron Parecki <aaron@parecki.com > <mailto:aaron@parecki.com>> > *Cc:* IETF oauth WG <oauth@ietf.org > <mailto:oauth@ietf.org>> > *Subject:* Re: [OAUTH-WG] [EXTERNAL] Re: > Authorization code reuse and OAuth 2.1 > > > > Ok, if the goal is to avoid > unnecessary requirements I am suggesting > to point out why MUST was changed to > SHOULD. Otherwise developers will start to > mix and match OAuth 2.0 and OAuth 2.1 > requirements as they see them fit their needs. > > In regards to encrypted values in PKCE, > Aaron, I can also not confirm that as the > general implementation. > > > > On Wed, 13 Oct 2021 at 13:56, Aaron > Parecki <aaron@parecki.com > <mailto:aaron@parecki.com>> wrote: > > The PKCE spec actually says > "Typically, the "code_challenge" and > "code_challenge_method" values are > stored in encrypted form in the "code" > itself" which I feel like might be a > stretch to say that's typical, but > this scenario was clearly thought of > ahead of time. Doing that would enable > an AS to avoid storing server-side state. > > > > On Wed, Oct 13, 2021 at 1:50 PM Sascha > Preibisch <saschapreibisch@gmail.com > <mailto:saschapreibisch@gmail.com>> wrote: > > If the challenge is based on > distributed authorization server > configurations, how would they > handle PKCE? I imagine that > managing the state for PKCE is not > less challenging than managing > authorization codes on the server > side, preventing reuse of them. > > With that in mind I am not sure if > I follow the given argument. I > would prefer to keep MUST as it is > today. > > > > > > On Wed, 13 Oct 2021 at 13:37, > Aaron Parecki <aaron@parecki.com > <mailto:aaron@parecki.com>> wrote: > > HTTPS, because if that's > broken then the rest of OAuth > falls apart too. > > > > On Wed, Oct 13, 2021 at 1:36 > PM Warren Parad > <wparad@rhosys.ch > <mailto:wparad@rhosys.ch>> wrote: > > I feel like I'm missing > something, what stops just > plain old network sniffing > and replying the whole > encrypted payload to the > AS and getting back a > valid token? > > > <image001.jpg> > > > > *Warren Parad* > > Founder, CTO > > Secure your user data with > IAM authorization as a > service. > Implement Authress > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthress.io%2F&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C0d1e820fa1664a5bb1ab08d98fb54d4f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637698831154750385%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=y86Gy8RiRIbIAW3So8hr4PxYsta1VWX1X7l%2FHzVbcvI%3D&reserved=0>. > > > > > > On Wed, Oct 13, 2021 at > 10:33 PM Aaron Parecki > <aaron@parecki.com > <mailto:aaron@parecki.com>> > wrote: > > Aside from the "plain" > method, the PKCE code > verifier never leaves > the client until it's > sent along with the > authorization code in > the POST request to > the token endpoint. > The only place it can > leak at that point is > if the authorization > server itself leaks > it. If you have things > leaking from the > authorization server > log, you likely have > much bigger problems > than authorization > code replays. > > > > Keep in mind that even > with the proposed > change to drop the > requirement of > authorization codes > being one time use, > authorization servers > are free to enforce > this still if they > want. Authorization > code lifetimes are > still expected to be > short lived as well. > > > > Aaron > > > > > > On Wed, Oct 13, 2021 > at 1:25 PM Pieter > Kasselman > <pieter.kasselman@microsoft.com > <mailto:pieter.kasselman@microsoft.com>> > wrote: > > Aaron, I was > curious what > prevents an > attacker from > presenting an > Authorization Code > and a PKCE Code > Verifier for a > second time if the > one time use > requirement is > removed. Is there > another > countermeasure in > PKCE that would > prevent it? For > example, an > attacker may > obtain the > Authorization Code > and the Code > Verifier from a > log and replay it. > > > > Cheers > > > > Pieter > > > > *From:* OAuth > <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> *On > Behalf Of *Aaron > Parecki > *Sent:* Wednesday > 13 October 2021 18:40 > *To:* Warren Parad > <wparad=40rhosys.ch@dmarc.ietf.org > <mailto:40rhosys.ch@dmarc.ietf.org>> > *Cc:* Mike Jones > <Michael.Jones=40microsoft.com@dmarc.ietf.org > <mailto:40microsoft.com@dmarc.ietf.org>>; oauth@ietf.org > <mailto:oauth@ietf.org> > *Subject:* [EXTERNAL] > Re: [OAUTH-WG] > Authorization code > reuse and OAuth 2.1 > > > > Warren, I didn't > see you on the > interim call, so > you might be > missing some context. > > > > The issue that was > discussed is that > using PKCE already > provides all the > security benefit > that is gained by > enforcing > single-use > authorization > codes. Therefore, > requiring that > they are > single-use isn't > necessary as it > doesn't provide > any additional > benefit. > > > > If anyone can > think of a > possible attack by > allowing > authorization > codes to be reused > *even with a valid > PKCE code > verifier* then > that would warrant > keeping this > requirement. > > > > --- > > Aaron Parecki > > > > > > On Wed, Oct 13, > 2021 at 10:27 AM > Warren Parad > <wparad=40rhosys.ch@dmarc.ietf.org > <mailto:40rhosys.ch@dmarc.ietf.org>> > wrote: > > Isn't it > better for it > to be worded > as we want it > to be, with > the > implication > being that of > course it > might be > difficult to > do that, but > that AS devs > will think > long and hard > about > sometimes not > denying the > request? Even > with MUST, > some AS will > still allow > reuse of auth > codes. Isn't > that better > than flat out > saying: /sure, > there's a > valid reason/ > > > > In other > words, how do > we think about > RFCs? Do they > exist to be > followed to > the letter or > not at all? Or > do they exist > to stipulate > this is the > way, but > acknowledge > that not > everyone will > build a > solution that > holds them as law. > > > > Let's look > at *SHOULD* > > This word, > or the > adjective > "RECOMMENDED", > mean that > there may > exist > valid > reasons in > particular > circumstances > to ignore > a > particular > item, but > the full > implications > must be > understood > and > carefully > weighed > before > choosing a > different > course. > > > > I > think /recommended/ here > is not > sufficient nor > are there > valid reasons. > "It's too > hard" isn't > really a valid > reason. Isn't > it better in > this case for > an AS to not > be compliant > with the RFC, > than it is to > relax this to > SHOULD and > have lots of > AS thinking > reusing auth > codes is a > viable > solution, > "because they > are a special > snowflake > where SHOULD > should apply". > > > > Are we setting > the standard > or instead > attempting to > sustain a > number of "AS > that are in > compliance > with the RFC"? > > > > <image001.jpg> > > > > *Warren Parad* > > Founder, CTO > > Secure your > user data with > IAM > authorization > as a service. > Implement Authress > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthress.io%2F&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C0d1e820fa1664a5bb1ab08d98fb54d4f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637698831154760332%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lbb9cJl0VUcfBD9IwzKF4BeB5nnggZxLB1TwlZYdNK4%3D&reserved=0>. > > > > > > On Wed, Oct > 13, 2021 at > 7:17 PM Mike > Jones > <Michael.Jones=40microsoft.com@dmarc.ietf.org > <mailto:40microsoft.com@dmarc.ietf.org>> > wrote: > > During > today’s > call, it > was asked > whether we > should > drop the > OAuth 2.0 > language that: > > > The client > MUST NOT > use the > authorization > code > > > more than > once. If > an > authorization > code is > used more than > > > once, the > authorization > server > MUST deny > the > request > and SHOULD > > > revoke > (when > possible) > all tokens > previously > issued > based on > > > that > authorization > code.” > > > > The > rationale > given was > that > enforcing > one-time > use is > impractical > in > distributed > authorization > server > deployments. > > > > Thinking > about this > some more, > at most, > we should > relax this to: > > > The client > MUST NOT > use the > authorization > code > > > more than > once. If > an > authorization > code is > used more than > > > once, the > authorization > server SHOULD deny > the > request > and SHOULD > > > revoke > (when > possible) > all tokens > previously > issued > based on > > > that > authorization > code.” > > > > In short, > it should > remain > illegal > for the > client to > try to > reuse the > authorization > code. We > can relax > the MUST > to SHOULD > in the > server > requirements > in > recognition > of the > difficulty > of > enforcing > the MUST. > > > > Code reuse > is part of > some > attack > scenarios. > We must > not > sanction it. > > > > > -- Mike > > > > _______________________________________________ > OAuth > mailing list > OAuth@ietf.org > <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C0d1e820fa1664a5bb1ab08d98fb54d4f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637698831154760332%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=u3yNDEeIsFvqGwu3x8%2F22D25o3bVO9PkrBEA2IEKSzY%3D&reserved=0> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C0d1e820fa1664a5bb1ab08d98fb54d4f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637698831154770299%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7JX5eYOgW7gjFIIySrFurb2%2B9dBhH4IAsXhIMkV%2FGps%3D&reserved=0> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C0d1e820fa1664a5bb1ab08d98fb54d4f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637698831154770299%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7JX5eYOgW7gjFIIySrFurb2%2B9dBhH4IAsXhIMkV%2FGps%3D&reserved=0> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C0d1e820fa1664a5bb1ab08d98fb54d4f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637698831154780256%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lJqE32wIC4OoFoYfUMYr8zd3pgEz2abBr2aga42rFsA%3D&reserved=0> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C0d1e820fa1664a5bb1ab08d98fb54d4f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637698831154780256%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lJqE32wIC4OoFoYfUMYr8zd3pgEz2abBr2aga42rFsA%3D&reserved=0> > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > > > -- > > https://danielfett.de <https://danielfett.de/> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- https://danielfett.de
- [OAUTH-WG] Authorization code reuse and OAuth 2.1 Mike Jones
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Warren Parad
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Aaron Parecki
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Neil Madden
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Warren Parad
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Aaron Parecki
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Jeff Craig
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Warren Parad
- Re: [OAUTH-WG] Authorization code reuse and OAuth… David Waite
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Richard Backman, Annabelle
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Warren Parad
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Sascha Preibisch
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Warren Parad
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Sascha Preibisch
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Richard Backman, Annabelle
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Ash Narayanan
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Warren Parad
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Daniel Fett
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Mike Jones
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Richard Backman, Annabelle
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Vittorio Bertocci
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Mike Jones
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Ash Narayanan
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Vittorio Bertocci
- Re: [OAUTH-WG] Authorization code reuse and OAuth… David Waite
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Neil Madden
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Warren Parad
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Filip Skokan
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Takahiko Kawasaki
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Daniel Fett
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Daniel Fett
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Warren Parad
- [OAUTH-WG] SUB and AUD configuration for web iden… Warren Parad
- Re: [OAUTH-WG] SUB and AUD configuration for web … Ash Narayanan