Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

John Bradley <ve7jtb@ve7jtb.com> Sat, 23 January 2016 00:21 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DD1E1B2D97 for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 16:21:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qw0E7LfOIwHm for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 16:21:39 -0800 (PST)
Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC1561B2D8E for <oauth@ietf.org>; Fri, 22 Jan 2016 16:21:38 -0800 (PST)
Received: by mail-qg0-x229.google.com with SMTP id 6so70100241qgy.1 for <oauth@ietf.org>; Fri, 22 Jan 2016 16:21:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=UDrarGK7kVDH83CAaA1S0vK+i6zygTY+yjbYw5sQD4k=; b=z7RzyPY+8JrV6c6EL5j/BzYV3qZI39h/PY/9cMyOz2HJexYoyX9hPgDye3fEEa6UNN eWv0yV5XIa4/ArzMejbkS8ODQBI6q8Po4h6HZvhBfvGkperdfrcD0QzN9igZi0OHZF0V /5+fo1b8o1axrUb9LMZZBTrKp4/o+KGtOz9fSbgHc+QO2+6GEWF9zEmL8VdscadBMsxF G92AWdJhFRNBuXV2A1IdnjoY4i4VnlPPkjpqPHEt4gpVvx2zDvxaXCTt9UCC9tNeya3F vT6NWZ6MUGj2ExqdSsGhnZE9+GbVObI5e04GYVbYBqsan1OtyQc/8hwHSJQaK/XdvbjY Rvww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=UDrarGK7kVDH83CAaA1S0vK+i6zygTY+yjbYw5sQD4k=; b=iKI7K8M/fMhgZv/Sae7NXTF7H+fCKLa5NVRTJa+f1cO7nNsisL6HJaICH3KNKk4viX /MHM9Eng16N2ZdTiB7dJwZea7s80z0+gqjbz/B1tQOtbeDcQlaPgoQAniJJc7SjcTol6 xZvlLSB3PiOkUDVg1Eip5eY2NQT3JQVAICUYqVHxvzuvtE0BnSnZTRdgqIZu/9QZcBaG SXnrC6ruKGe4kdjjpzukqJBND4PyY1uyKYzhTTyCldmgAb+UqS+BbX86U/jgdITCm/vE NoyQleYx6C4HwwYyZPYUwJRl/Hyo2SKEPhs+4uccS4GpX2ByGbtRlCWsoBEwMSko4N2E ZGLw==
X-Gm-Message-State: AG10YOQ81oeN9m4HJVTBX3UNV6Z1mr6XayWPCD0dJlhlhXVbgzEYEZjiljSAN3pJv0zlPg==
X-Received: by 10.140.201.20 with SMTP id w20mr7819934qha.10.1453508497868; Fri, 22 Jan 2016 16:21:37 -0800 (PST)
Received: from [192.168.8.100] ([181.202.234.84]) by smtp.gmail.com with ESMTPSA id l18sm3847421qgd.36.2016.01.22.16.21.35 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 22 Jan 2016 16:21:36 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_2B64CC80-DF04-4541-AE2A-3E8780FEC300"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+wnMn9gqpbKmvdrd_hjamWEEaAOuL=RntUWEtm_55OT-gAMgw@mail.gmail.com>
Date: Fri, 22 Jan 2016 21:21:34 -0300
Message-Id: <0E094321-8A8A-4D94-8BE9-27D49BC6572F@ve7jtb.com>
References: <CAAP42hD3vpwnBYzu6YZVXtTimVuFHzgQ9Pksn1RQNEwogPZRJw@mail.gmail.com> <CA+wnMn9gqpbKmvdrd_hjamWEEaAOuL=RntUWEtm_55OT-gAMgw@mail.gmail.com>
To: Chuck Mortimore <cmortimore@salesforce.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/SvKcfhUGMj6fe10v5BFjxnqGeeE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 00:21:41 -0000

In the final spec plain is not MTI.  S256 is MTI for the server in Sec 4.2. so you are OK.

The client will default to plain if it doesn’t set a code_challenge_method.

That was to be backwards compatible with the people who deployed when plain was the only option.

John B.
> On Jan 22, 2016, at 8:45 PM, Chuck Mortimore <cmortimore@salesforce.com>; wrote:
> 
> We quietly rolled out PKCE support at Salesforce a year ago, as well.   We're on a slightly earlier draft, but look to be compliant with final RFC with one exception - we default to S256, and do not have support for "plain"
> 
> Would be interesting to interop test our deployments.
> 
> -cmort
> 
> On Mon, Jan 18, 2016 at 9:46 PM, William Denniss <wdenniss@google.com <mailto:wdenniss@google.com>> wrote:
> This month we rolled out full PKCE (RFC7636) support on our OAuth endpoints.
> 
> We'd previously implemented an earlier draft but were not conformant to the final spec when it was published – now we are. Both "plain" and "S256" transforms are supported. As always, get the latest endpoints from our discovery document: https://accounts.google.com/.well-known/openid-configuration <https://accounts.google.com/.well-known/openid-configuration>
> 
> If you give it a spin, let me know how you go! The team monitors the Stack Overflow google-oauth <http://stackoverflow.com/questions/tagged/google-oauth> tag too, for any implementation questions.
> 
> I'm keen to know what we should be putting in our discovery doc to declare PKCE support (see the thread "Advertise PKCE support in OAuth 2.0 Discovery"), hope we can agree on that soon.
> 
> One implementation detail not covered in the spec: we error if you send code_verifier to the token endpoint when exchanging a code that was issued without a code_challenge being present. The assumption being that if you are sending code_verifier on the token exchange, you are using PKCE and should have sent code_challenge on the authorization request, so something is amiss.
> 
> William
> 
> 
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth