Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 11 May 2020 07:05 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <9A3468AB-95AE-4203-BE53-89A20D048291@forgerock.com>
Date: Mon, 11 May 2020 09:05:03 +0200
Cc: Dick Hardt <dick.hardt@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U209XNyN9Bn4M8onSku7JtXsJGk>


> On 11. May 2020, at 08:47, Neil Madden <neil.madden@forgerock.com> wrote:
> 
> 
> 
>> On 11 May 2020, at 07:41, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> 
>>> On 11. May 2020, at 07:38, Neil Madden <neil.madden@forgerock.com> wrote:
>>> 
>>> There is no attack that this prevents so your claim of improving security is unsubstantiated. I can’t see how we can ship a 2.1-compliant-by-default AS while this requirement remains so I don’t support it. 
>> 
>> Are you saying PKCE does not prevent any attack?
> 
> No, but servers and clients are already free to support PKCE. I’m saying that rejecting requests from non-PKCE clients doesn’t prevent any attack. It just denies service to legitimate clients. 

There are two aspects to this topic:

1) Do all ASs support PKCE? Requiring PKCE support fosters interoperability and security. Security since the client can be sure the AS supports PKCE. Today, if the AS does not support PKCE, the client will never learn since a compliant AS will just ignore additional request parameters.

2) Do ASs enforce PKCE? This fosters security since it forces clients to implement a means against code replay and CSRF.

> 
> — Neil
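An added example (not code from this thread or from any real AS) of the two points above, as a hypothetical minimal authorization server in Python: point 1 is covered by advertising `code_challenge_methods_supported` in metadata so a client can verify support rather than have `code_challenge` silently ignored; point 2 by refusing authorization requests without a challenge and verifying the verifier against a single-use code at the token endpoint. The in-memory code store and the `authorize`/`token` helpers are constructed for illustration.

```python
import base64
import hashlib
import secrets

# Constructed in-memory store of issued codes: code -> {client_id, challenge, used}.
# Hypothetical minimal AS endpoints for illustration; not any real AS's code.
_CODES = {}

def s256(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def metadata() -> dict:
    """Point 1: advertising PKCE support lets a client check it instead of having
    its code_challenge silently ignored as an unknown request parameter."""
    return {"code_challenge_methods_supported": ["S256"]}

def authorize(params: dict) -> dict:
    """Point 2: the authorization endpoint refuses requests without a code_challenge,
    so every client that gets a code has a means against code replay and CSRF."""
    challenge = params.get("code_challenge")
    if not challenge:
        return {"error": "invalid_request", "error_description": "code_challenge required"}
    if params.get("code_challenge_method") != "S256":
        return {"error": "invalid_request", "error_description": "code_challenge_method must be S256"}
    code = secrets.token_urlsafe(32)
    _CODES[code] = {"client_id": params.get("client_id"), "challenge": challenge, "used": False}
    return {"code": code}

def token(params: dict) -> dict:
    """Token endpoint: the code is single-use and bound to the stored challenge, so a
    leaked or replayed code is useless without the matching code_verifier."""
    rec = _CODES.get(params.get("code", ""))
    if rec is None or rec["used"] or rec["client_id"] != params.get("client_id"):
        return {"error": "invalid_grant"}
    rec["used"] = True  # burn the code whether or not verification succeeds below
    verifier = params.get("code_verifier", "")
    if not 43 <= len(verifier) <= 128 or not secrets.compare_digest(s256(verifier), rec["challenge"]):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
```

The verifier/challenge pair used in the checks is the RFC 7636 Appendix B example, which makes the S256 transform independently verifiable.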