Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
Aaron Parecki <aaron@parecki.com> Thu, 07 May 2020 23:38 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48FDE3A07B5 for <oauth@ietfa.amsl.com>; Thu, 7 May 2020 16:38:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TFr7TqMP2uAI for <oauth@ietfa.amsl.com>; Thu, 7 May 2020 16:38:49 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E2AF3A067A for <oauth@ietf.org>; Thu, 7 May 2020 16:38:47 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id j8so2474606iog.13 for <oauth@ietf.org>; Thu, 07 May 2020 16:38:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iw+sAhS8zLum5p3/K5fDO4fVajAI7nrEMjw1dGSYrts=; b=pLqnFFlqM9Pa9Mm43GpfoGkgffL+wryMtKd7lmZePKqRaUgutIjmNe99WZm5t9imO3 O+9YqwIExvbmc+krrllfn5MQKiZAQn8AR/JY+AoXcv/8RaQr7fAYMZagJ05Z41ZIINx/ UvxnTuwJycUCqfj1l3vKcD0GJt4nCGQMfbAOrJq/dgrwQ2bPE0g78uQybMZZpqykyvhx Zv+vVYqDAOavTcV+3UUbjlxNHyBRKV/nV3AJGUR3uVAsehJMGRl2RAKHa4vYNIFoQ6T6 ekstSn7zgBxmgunjG4D1FYvux8t3A35YjOLxNTIBF7MLEU0C+K2PUQ9PKTrwHFLm47Cg zjDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iw+sAhS8zLum5p3/K5fDO4fVajAI7nrEMjw1dGSYrts=; b=BsW14OJjoi1uDYSawKaB0enByeSRppO/53aY9Ma832jyWmzRxIwiQZKibiGm8zwtfK jpvLEiFixanlif28a7NkV8gE/yvcnAs5vOfIT+yn4wb+p2Wo0jH5ZR0iOe29nLtj5r5V pWwBUwdNpiIkopj2fbxBjPpfq4JxvmnoaxQGKsuiBqBhQlSHJUhiELPE6ZQ1X4Ybc6Up l0u0hwe8HPHF24WuKfsQjibUU9BbfeymZ+7SNVTyEu/DqKCiIjuBJOS6dGXc9RY8ccrc FCSYHyKvdOwoMvJl/glQgj36T3+jdsjY6lAoIgCnNincH65HMB2pHjmbaU9ROoEsQGVn KHwQ==
X-Gm-Message-State: AGi0PuaabBNE/67XqoJa49kuxWKrZWba2XiV7h8vXEiGUUvk858rKsdj PjyfU928cZ+6EZxVp306ciMF7WH/XBY=
X-Google-Smtp-Source: APiQypJxzcmVasW96rrGFq199hiYFJIKrc3LxkGj6Qd3zc8Aobv8giKLpzHs2qrQO6t5smFf1oug1g==
X-Received: by 2002:a5d:938a:: with SMTP id c10mr16435068iol.157.1588894726596; Thu, 07 May 2020 16:38:46 -0700 (PDT)
Received: from mail-il1-f179.google.com (mail-il1-f179.google.com. [209.85.166.179]) by smtp.gmail.com with ESMTPSA id a6sm3096819ioe.10.2020.05.07.16.38.45 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 07 May 2020 16:38:45 -0700 (PDT)
Received: by mail-il1-f179.google.com with SMTP id s10so4422105iln.11 for <oauth@ietf.org>; Thu, 07 May 2020 16:38:45 -0700 (PDT)
X-Received: by 2002:a92:2912:: with SMTP id l18mr17538012ilg.28.1588894725326; Thu, 07 May 2020 16:38:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-sRjnt67qjZ9Uw1E7KNR+YbKr6NiyA+uG1dDWqjDC082A@mail.gmail.com>
In-Reply-To: <CAD9ie-sRjnt67qjZ9Uw1E7KNR+YbKr6NiyA+uG1dDWqjDC082A@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 07 May 2020 16:38:34 -0700
X-Gmail-Original-Message-ID: <CAGBSGjr7zcZ=+eN1gA_A9Vb1fuYrfmAqHe71iDMgOkQsq+0wmA@mail.gmail.com>
Message-ID: <CAGBSGjr7zcZ=+eN1gA_A9Vb1fuYrfmAqHe71iDMgOkQsq+0wmA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: OAuth WG <oauth@ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>, Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="000000000000b0502c05a5176101"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TWLwDg8Jj55-I_naTCV0HI5qLNE>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2020 23:38:53 -0000
Backing up a step or two, there's another point here that I think has been missed in these discussions. PKCE solves two problems: stolen authorization codes for public clients, and authorization code injection for all clients. We've only been talking about authorization code injection on the list so far. The quoted section of the security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only talking about preventing authorization code injection. The nonce parameter solves authorization code injection if the client requests an ID token. Public clients using the nonce parameter are still susceptible to stolen authorization codes so they still need to do PKCE as well. The only case where OpenID Connect clients don't benefit from PKCE is if they are also confidential clients. Public client OIDC clients still need to do PKCE even if they check the nonce. OpenID Connect servers working with confidential clients still benefit from PKCE because they can then enforce the authorization code injection protection server-side rather than cross their fingers that clients implemented the nonce check properly. I really don't think it's worth the amount of explanation this will take in the future to write an exception into OAuth 2.1 or the Security BCP for only some types of OpenID Connect clients when all clients would benefit from PKCE anyway. Aaron On Wed, May 6, 2020 at 10:48 AM Dick Hardt <dick.hardt@gmail.com> wrote: > Hello! > > We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best > practice for OAuth 2.0. It is not common in OpenID Connect servers as the > nonce solves some of the issues that PKCE protects against. We think that > most OpenID Connect implementations also support OAuth 2.0, and hence have > support for PKCE if following best practices. > > The advantages or requiring PKCE are: > > - a simpler programming model across all OAuth applications and profiles > as they all use PKCE > > - reduced attack surface when using S256 as a fingerprint of the verifier > is sent through the browser instead of the clear text value > > - enforcement by AS not client - makes it easier to handle for client > developers and AS can ensure the check is conducted > > What are disadvantages besides the potential impact to OpenID Connect > deployments? How significant is that impact? > > Dick, Aaron, and Torsten > > ᐧ >
- [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Steinar Noem
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Brian Campbell
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Philippe De Ryck
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Daniel Fett
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Phillip Hunt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Aaron Parecki
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dick Hardt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Dick Hardt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 2.1 - require PKCE? Dominick Baier
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require… Torsten Lodderstedt