IETF Logo Mail Archive

Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1

Neil Madden <neil.madden@forgerock.com> Wed, 13 October 2021 17:59 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF4343A08B6 for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 10:59:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SP903S_3GaOC for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 10:59:53 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49D563A08CB for <oauth@ietf.org>; Wed, 13 Oct 2021 10:59:53 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id y3so11210228wrl.1 for <oauth@ietf.org>; Wed, 13 Oct 2021 10:59:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:mime-version:subject:date:message-id:references:cc:in-reply-to :to:content-transfer-encoding; bh=VRE9m3sYlSz48v/MkJtSg4YlY5THiWloKZvPkFttKC4=; b=EFoJggo41o9HR2ESrROoUo/4HgYBvqGBmOB6Mk8mnyQVo76OwvI60ttuR1GgGkGmcg VCoGdOoLQQuRZq5epvjoqRFeWCwKLfNaDGjftNgGRdvU6oMKxMrMbQno6JS2eea0yo+P 19uDH/TCOFMHXlvw5/4+X4i5dVWBW2peLq31w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to:content-transfer-encoding; bh=VRE9m3sYlSz48v/MkJtSg4YlY5THiWloKZvPkFttKC4=; b=LPgDrEsO032IBeRAtcMAGtTK+LCtdyMmvwdhnVcZJNyHP6mCswqypVzeZFX8D0bjpy LUPFqyCiddJGL8o4tzQbxDwTU05id92PuT+jGh7pypmRI/7AJm9uMb/3gAxYixbPP8BL de2OvmGvAxmOTRnG/MOlGMC6Gsl6J/3Nu3+zHqDxeXeNEXJ1q2skStF1vKZnL0T8EMzF Kf3Kg/vSUDPNHOP5eS/Aqn7oA2YhmGtNPmFcUTYphqRo1JfmDLCCwmkswl4lrR8K5g3t ItvY4VUY8jpl5r9ktZba5qFlDFiyAUtRMVkK7oTJUWnYmAZV9noZWTAbsyxaflxgxWec 4+wQ==
X-Gm-Message-State: AOAM5318sPxsCTdbMZb37hu2TGTKpAXkMDX9z2evD/lPNsVwGsFFlLYn LFlL73e1hULnuDfqxknpO1u4bUdkzwl7qzDpfXA4ZWAY/jAobvMvuDkXGfDIagMd5BW2XBqnK3B sPlM=
X-Google-Smtp-Source: ABdhPJxtfVTZGK3Z70mIPkc2T/cU/ephJ1jhVrmo+Dpmoe38YFnI2EtoKxY9Rfe6Z7wul//N4wOudA==
X-Received: by 2002:a05:6000:1844:: with SMTP id c4mr631462wri.425.1634147988085; Wed, 13 Oct 2021 10:59:48 -0700 (PDT)
Received: from smtpclient.apple (152.249.143.150.dyn.plus.net. [150.143.249.152]) by smtp.gmail.com with ESMTPSA id q204sm6135618wme.10.2021.10.13.10.59.47 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 Oct 2021 10:59:47 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 13 Oct 2021 18:59:46 +0100
Message-Id: <4E04231B-51FA-429F-8D45-022B7D27E5B1@forgerock.com>
References: <CAGBSGjpJrM4uUTdVvsEzh5sT0H9ZpEJ0D3yfo-p_1S9w_tdF8g@mail.gmail.com>
Cc: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, oauth@ietf.org
In-Reply-To: <CAGBSGjpJrM4uUTdVvsEzh5sT0H9ZpEJ0D3yfo-p_1S9w_tdF8g@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
X-Mailer: iPhone Mail (18H17)
Content-Type: multipart/alternative; boundary="Apple-Mail-FDACF105-CC78-4F12-BC6D-393DF7A4CF0E"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TUNs787jjw-ZQzqTYxDxM3py3wc>
Subject: Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 17:59:58 -0000

I wasn’t on the call either, so maybe I’m missing something. If you’re using PKCE with the “plain” challenge type then both the auth code and the verifier are exposed in redirect URI parameters in the user-agent aren’t they? That seems a bit risky to drop the one-time use requirement. 

I can’t see anything in the minutes of the meeting describing the difficulty of implementing the one-time use req. I seem to see announcements for new globally-consistent high-scale cloud database services every day - is this really that hard to implement?

— Neil

> On 13 Oct 2021, at 18:41, Aaron Parecki <aaron@parecki.com> wrote:
> 
> 
> Warren, I didn't see you on the interim call, so you might be missing some context.
> 
> The issue that was discussed is that using PKCE already provides all the security benefit that is gained by enforcing single-use authorization codes. Therefore, requiring that they are single-use isn't necessary as it doesn't provide any additional benefit.
> 
> If anyone can think of a possible attack by allowing authorization codes to be reused *even with a valid PKCE code verifier* then that would warrant keeping this requirement.
> 
> ---
> Aaron Parecki
> 
> 
>> On Wed, Oct 13, 2021 at 10:27 AM Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> wrote:
>> Isn't it better for it to be worded as we want it to be, with the implication being that of course it might be difficult to do that, but that AS devs will think long and hard about sometimes not denying the request? Even with MUST, some AS will still allow reuse of auth codes. Isn't that better than flat out saying: sure, there's a valid reason
>> 
>> In other words, how do we think about RFCs? Do they exist to be followed to the letter or not at all? Or do they exist to stipulate this is the way, but acknowledge that not everyone will build a solution that holds them as law.
>> 
>> Let's look at SHOULD
>>> This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
>> 
>> I think recommended here is not sufficient nor are there valid reasons. "It's too hard" isn't really a valid reason. Isn't it better in this case for an AS to not be compliant with the RFC, than it is to relax this to SHOULD and have lots of AS thinking reusing auth codes is a viable solution, "because they are a special snowflake where SHOULD should apply".
>> 
>> Are we setting the standard or instead attempting to sustain a number of "AS that are in compliance with the RFC"?
>>  
>> 
>> Warren Parad
>> Founder, CTO
>> Secure your user data with IAM authorization as a service. Implement Authress.
>> 
>> 
>>> On Wed, Oct 13, 2021 at 7:17 PM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>>> During today’s call, it was asked whether we should drop the OAuth 2.0 language that:
>>> 
>>>          The client MUST NOT use the authorization code
>>> 
>>>          more than once.  If an authorization code is used more than
>>> 
>>>          once, the authorization server MUST deny the request and SHOULD
>>> 
>>>          revoke (when possible) all tokens previously issued based on
>>> 
>>>          that authorization code.”
>>> 
>>>  
>>> 
>>> The rationale given was that enforcing one-time use is impractical in distributed authorization server deployments.
>>> 
>>>  
>>> 
>>> Thinking about this some more, at most, we should relax this to:
>>> 
>>>          The client MUST NOT use the authorization code
>>> 
>>>          more than once.  If an authorization code is used more than
>>> 
>>>          once, the authorization server SHOULD deny the request and SHOULD
>>> 
>>>          revoke (when possible) all tokens previously issued based on
>>> 
>>>          that authorization code.”
>>> 
>>>  
>>> 
>>> In short, it should remain illegal for the client to try to reuse the authorization code.  We can relax the MUST to SHOULD in the server requirements in recognition of the difficulty of enforcing the MUST.
>>> 
>>>  
>>> 
>>> Code reuse is part of some attack scenarios.  We must not sanction it.
>>> 
>>>  
>>> 
>>>                                                           -- Mike
>>> 
>>>  
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Manage My Preferences <https://preferences.forgerock.com/>, Unsubscribe 
<https://preferences.forgerock.com/>

v2.23.0 | Report a Bug | By Email