[OAUTH-WG] OAuth GREASE

Neil Madden <neil.madden@forgerock.com> Wed, 22 April 2020 07:29 UTC

From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 22 Apr 2020 08:29:12 +0100
Message-Id: <9F472A63-FC87-416E-A7FF-78B87B45EE18@forgerock.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Rqxs-QDqqdQkt36SO915gJJU0dI>
Subject: [OAUTH-WG] OAuth GREASE

Section 3.1 of RFC 6749 says (of the authorization endpoint):

    The authorization server MUST ignore unrecognized request parameters.

We hoped to be able to use this to opportunistically apply PKCE: always send a code_challenge in the hope that the AS supports it, and there should be no harm if it doesn’t.

Sadly I learned yesterday of yet another public AS that fails hard if the request contains unrecognised parameters. It appears this part of the spec is widely ignored. 

Given that this hampers the ability to add new request parameters in future, do we need our own GREASE to prevent these joints rusting tight?
https://www.rfc-editor.org/rfc/rfc8701.html

— Neil
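The behaviour discussed in the message, as an added example that is not part of the original post or of any ForgeRock code: a small authorization-endpoint parameter handler that can run either in the RFC 6749 section 3.1 mode (unknown parameters are dropped) or in the non-compliant "fail hard" mode the message complains about, beside a client that always sends PKCE (RFC 7636, S256) and optionally one random unrecognised parameter in the GREASE spirit of RFC 8701. The set of known parameters, the `grease_` name prefix and all function names are assumptions made for this illustration; no OAuth specification defines a GREASE parameter.

```python
"""Added example (not from the message): RFC 6749 section 3.1 parameter tolerance
at the authorization endpoint, opportunistic PKCE, and a GREASE-style probe.
Assumptions: KNOWN_PARAMS is a hypothetical AS's parameter list and the
"grease_" prefix is invented for illustration."""
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Parameters our hypothetical AS understands at its authorization endpoint.
KNOWN_PARAMS = {"response_type", "client_id", "redirect_uri", "scope", "state",
                "code_challenge", "code_challenge_method"}
REQUIRED_PARAMS = {"response_type", "client_id"}


class InvalidRequest(Exception):
    """Raised when the AS rejects an authorization request."""


def parse_authorization_request(query: str, strict: bool = False) -> dict:
    """Parse the query string of an authorization request.

    strict=False: RFC 6749 behaviour, unrecognised parameters are ignored.
    strict=True : the non-compliant behaviour from the message, where any
                  unrecognised parameter makes the whole request fail.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    missing = REQUIRED_PARAMS - params.keys()
    if missing:
        raise InvalidRequest(f"missing required parameter(s): {sorted(missing)}")
    unknown = params.keys() - KNOWN_PARAMS
    if unknown and strict:
        raise InvalidRequest(f"unrecognised parameter(s): {sorted(unknown)}")
    # Compliant path: keep what we understand, silently drop the rest.
    return {k: v for k, v in params.items() if k in KNOWN_PARAMS}


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43 unpadded base64url chars, within the 43..128 range.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_query(client_id: str, redirect_uri: str, state: str,
                              verifier: Optional[str] = None,
                              grease: bool = True) -> Tuple[str, str]:
    """Build the client's query string. PKCE is always sent opportunistically;
    with grease=True one random unrecognised parameter is added so that an AS
    which ignores unknowns keeps working and one that fails hard shows up early.
    Returns (query_string, code_verifier)."""
    verifier, challenge = make_pkce_pair(verifier)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if grease:
        # Hypothetical GREASE parameter: random name, harmless value.
        params[f"grease_{secrets.token_hex(4)}"] = "1"
    return urlencode(params), verifier


def as_accepts(query: str, strict: bool) -> bool:
    """True if an AS with the given tolerance accepts the request."""
    try:
        parse_authorization_request(query, strict=strict)
        return True
    except InvalidRequest:
        return False


if __name__ == "__main__":
    q, _ = build_authorization_query("client-1", "https://client.example/cb", "s1")
    print("compliant AS accepts greased request:", as_accepts(q, strict=False))
    print("strict AS accepts greased request:   ", as_accepts(q, strict=True))
```

The same request goes to both modes of the handler: the compliant mode accepts it and simply drops the unknown parameter, while the strict mode rejects it, which is exactly the failure the message reports and the reason an extra parameter such as code_challenge cannot be sent blindly today.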