IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1

Aaron Parecki <aaron@parecki.com> Wed, 13 October 2021 20:31 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D2D43A1489 for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 13:31:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DRSQFyYXWAjz for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 13:31:39 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C3D23A1458 for <oauth@ietf.org>; Wed, 13 Oct 2021 13:30:50 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id f15so1079371ilu.7 for <oauth@ietf.org>; Wed, 13 Oct 2021 13:30:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qkE1Z60jkm268EamRaVMuk9MLTG7YGehUXm9vUcfOX4=; b=aC5BJ8KYfKRofpTDbPha71cljYIJIaWW2uQ0h0Colw8To10//dpCBeedwxyKBDMn+O Li5MUcaXChLo8OezQYpEsOPFoEBpQgTrBeyGiuygpH3LJ4wJGLNDLK97U9dAxuedbgIB 7XrdDf1Dhs9ODJTUb2LhKEOOpvaSKHmXoFzqZjKIcN3P8jyUWWA7oy462EI/jIClHc67 SEQ5y9gbqJz4HhmU0RtcKYR7ogoJdng5JMsCnmJWhBCEF+rTnzyEMixmXU9vJLB2J53P N/3nOVCPrJY207+TCyEx5ZWcvFjLywe+af/aj1ovj3HjmKkFwiLVenBF0AvRHUrKYWt7 R+Mg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qkE1Z60jkm268EamRaVMuk9MLTG7YGehUXm9vUcfOX4=; b=4eocKZSKMvxn4ToNb7Dd/x7IGGgfAIDa9gg3pPK/8a6mzfT+omtV7YlVAYimRVzaxq UYNZQDgoYWHQ9Bt+yiiLuHO0IEjh8CMYECpIPbiZo2O1FYrOFeCOSKvVa7EK/FsNbTcf 4kU426U7xMYp3heaBMpeTc1ml4N9IdelPBxKCBhYO8/VdTJjsQzPWgRbroIm1Oz4iqZE /rLxuHa4a9WTxRynrvAGOog2sHdQrXdVdyJZxRLQqkENwNKviUpXA0iH9OVhpnN2B6hA V8Wz818aNsGUPsaAJy+5X7kwTT3tDM6lvyYLuWvtBQYspodXwkoykl6aRML8d4/iNhOC wtow==
X-Gm-Message-State: AOAM531/9zhoWte472vJEv/rX+ifpEURJARXq7pCA+r19HDSDzTyZ/LM zrWpbn8nlc3Lo8Ugss5NdaOp4hhP0tlBrA==
X-Google-Smtp-Source: ABdhPJybEXz/5+Tl/YHGF9d//2JXcJMGeqQZVDDE4eA7q1OwJrMoIjBH8yP5bQdij3cYzKQI7kMNrQ==
X-Received: by 2002:a05:6e02:1c2d:: with SMTP id m13mr970927ilh.170.1634157048749; Wed, 13 Oct 2021 13:30:48 -0700 (PDT)
Received: from mail-io1-f48.google.com (mail-io1-f48.google.com. [209.85.166.48]) by smtp.gmail.com with ESMTPSA id b4sm280441iot.45.2021.10.13.13.30.47 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 Oct 2021 13:30:48 -0700 (PDT)
Received: by mail-io1-f48.google.com with SMTP id m20so1191381iol.4 for <oauth@ietf.org>; Wed, 13 Oct 2021 13:30:47 -0700 (PDT)
X-Received: by 2002:a6b:6a05:: with SMTP id x5mr1188464iog.6.1634157047585; Wed, 13 Oct 2021 13:30:47 -0700 (PDT)
MIME-Version: 1.0
References: <SA2PR00MB100244DAAD267EBD2FF51678F5B79@SA2PR00MB1002.namprd00.prod.outlook.com> <CAJot-L1HNvud7-ehODK7Bouv5-KotMy8EtEgLCyCzOXoSZCVCg@mail.gmail.com> <CAGBSGjpJrM4uUTdVvsEzh5sT0H9ZpEJ0D3yfo-p_1S9w_tdF8g@mail.gmail.com> <AM7PR83MB0452A256F01A7DE8BE65C98C91B79@AM7PR83MB0452.EURPRD83.prod.outlook.com>
In-Reply-To: <AM7PR83MB0452A256F01A7DE8BE65C98C91B79@AM7PR83MB0452.EURPRD83.prod.outlook.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 13 Oct 2021 13:30:36 -0700
X-Gmail-Original-Message-ID: <CAGBSGjoNoHybJNZaxdFs2Z9D+rUi+zORzt9v_f0cdhYZaj=KcA@mail.gmail.com>
Message-ID: <CAGBSGjoNoHybJNZaxdFs2Z9D+rUi+zORzt9v_f0cdhYZaj=KcA@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman@microsoft.com>
Cc: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000054242305ce41d69b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SsCKKtRlNQnAjmDytESRgNdvNrw>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 20:31:55 -0000

Aside from the "plain" method, the PKCE code verifier never leaves the
client until it's sent along with the authorization code in the POST
request to the token endpoint. The only place it can leak at that point is
if the authorization server itself leaks it. If you have things leaking
from the authorization server log, you likely have much bigger problems
than authorization code replays.

Keep in mind that even with the proposed change to drop the requirement of
authorization codes being one time use, authorization servers are free to
enforce this still if they want. Authorization code lifetimes are still
expected to be short lived as well.

Aaron


On Wed, Oct 13, 2021 at 1:25 PM Pieter Kasselman <
pieter.kasselman@microsoft.com> wrote:

> Aaron, I was curious what prevents an attacker from presenting an
> Authorization Code and a PKCE Code Verifier for a second time if the one
> time use requirement is removed. Is there another countermeasure in  PKCE
> that would prevent it? For example, an attacker may obtain the
> Authorization Code and the Code Verifier from a log and replay it.
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Aaron Parecki
> *Sent:* Wednesday 13 October 2021 18:40
> *To:* Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
> *Cc:* Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>;
> oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] Authorization code reuse and OAuth
> 2.1
>
>
>
> Warren, I didn't see you on the interim call, so you might be missing some
> context.
>
>
>
> The issue that was discussed is that using PKCE already provides all the
> security benefit that is gained by enforcing single-use authorization
> codes. Therefore, requiring that they are single-use isn't necessary as it
> doesn't provide any additional benefit.
>
>
>
> If anyone can think of a possible attack by allowing authorization codes
> to be reused *even with a valid PKCE code verifier* then that would warrant
> keeping this requirement.
>
>
>
> ---
>
> Aaron Parecki
>
>
>
>
>
> On Wed, Oct 13, 2021 at 10:27 AM Warren Parad <wparad=
> 40rhosys.ch@dmarc.ietf.org> wrote:
>
> Isn't it better for it to be worded as we want it to be, with the
> implication being that of course it might be difficult to do that, but that
> AS devs will think long and hard about sometimes not denying the request?
> Even with MUST, some AS will still allow reuse of auth codes. Isn't that
> better than flat out saying: *sure, there's a valid reason*
>
>
>
> In other words, how do we think about RFCs? Do they exist to be followed
> to the letter or not at all? Or do they exist to stipulate this is the way,
> but acknowledge that not everyone will build a solution that holds them as
> law.
>
>
>
> Let's look at *SHOULD*
>
> This word, or the adjective "RECOMMENDED", mean that there may exist valid
> reasons in particular circumstances to ignore a particular item, but the
> full implications must be understood and carefully weighed before choosing
> a different course.
>
>
>
> I think *recommended* here is not sufficient nor are there valid reasons.
> "It's too hard" isn't really a valid reason. Isn't it better in this case
> for an AS to not be compliant with the RFC, than it is to relax this to
> SHOULD and have lots of AS thinking reusing auth codes is a viable
> solution, "because they are a special snowflake where SHOULD should apply".
>
>
>
> Are we setting the standard or instead attempting to sustain a number of
> "AS that are in compliance with the RFC"?
>
>
>
> *Warren Parad*
>
> Founder, CTO
>
> Secure your user data with IAM authorization as a service. Implement
> Authress
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthress.io%2F&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C64289cdc8a4743659b3108d98e70a5d1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637697436788333255%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lw%2BH1z1Ut9kr6S%2F4aVsPmcErAcZx0eK2WV78OlEl2dU%3D&reserved=0>
> .
>
>
>
>
>
> On Wed, Oct 13, 2021 at 7:17 PM Mike Jones <Michael.Jones=
> 40microsoft.com@dmarc.ietf.org> wrote:
>
> During today’s call, it was asked whether we should drop the OAuth 2.0
> language that:
>
>          The client MUST NOT use the authorization code
>
>          more than once.  If an authorization code is used more than
>
>          once, the authorization server MUST deny the request and SHOULD
>
>          revoke (when possible) all tokens previously issued based on
>
>          that authorization code.”
>
>
>
> The rationale given was that enforcing one-time use is impractical in
> distributed authorization server deployments.
>
>
>
> Thinking about this some more, at most, we should relax this to:
>
>          The client MUST NOT use the authorization code
>
>          more than once.  If an authorization code is used more than
>
>          once, the authorization server SHOULD deny the request and SHOULD
>
>          revoke (when possible) all tokens previously issued based on
>
>          that authorization code.”
>
>
>
> In short, it should remain illegal for the client to try to reuse the
> authorization code.  We can relax the MUST to SHOULD in the server
> requirements in recognition of the difficulty of enforcing the MUST.
>
>
>
> Code reuse is part of some attack scenarios.  We must not sanction it.
>
>
>
>                                                           -- Mike
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C64289cdc8a4743659b3108d98e70a5d1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637697436788343208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ySJjihVbfLJJ85RtjNzEIMSPwe7kLZB8RKT8Ky3fYiA%3D&reserved=0>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C64289cdc8a4743659b3108d98e70a5d1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637697436788343208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ySJjihVbfLJJ85RtjNzEIMSPwe7kLZB8RKT8Ky3fYiA%3D&reserved=0>
>
>

v2.23.0 | Report a Bug | By Email