Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)
Chuck Mortimore <cmortimore@salesforce.com> Fri, 22 January 2016 23:45 UTC
In-Reply-To: <CAAP42hD3vpwnBYzu6YZVXtTimVuFHzgQ9Pksn1RQNEwogPZRJw@mail.gmail.com>
References: <CAAP42hD3vpwnBYzu6YZVXtTimVuFHzgQ9Pksn1RQNEwogPZRJw@mail.gmail.com>
Date: Fri, 22 Jan 2016 15:45:47 -0800
Message-ID: <CA+wnMn9gqpbKmvdrd_hjamWEEaAOuL=RntUWEtm_55OT-gAMgw@mail.gmail.com>
From: Chuck Mortimore <cmortimore@salesforce.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/UjPH7P-5hRB9lCS73qJ-KTMBS0g>
Cc: "oauth@ietf.org" <oauth@ietf.org>
We quietly rolled out PKCE support at Salesforce a year ago, as well. We're on a slightly earlier draft, but look to be compliant with final RFC with one exception - we default to S256, and do not have support for "plain". Would be interesting to interop test our deployments.

-cmort

On Mon, Jan 18, 2016 at 9:46 PM, William Denniss <wdenniss@google.com> wrote:

> This month we rolled out full PKCE (RFC7636) support on our OAuth endpoints.
>
> We'd previously implemented an earlier draft but were not conformant to the final spec when it was published – now we are. Both "plain" and "S256" transforms are supported. As always, get the latest endpoints from our discovery document: https://accounts.google.com/.well-known/openid-configuration
>
> If you give it a spin, let me know how you go! The team monitors the Stack Overflow google-oauth <http://stackoverflow.com/questions/tagged/google-oauth> tag too, for any implementation questions.
>
> I'm keen to know what we should be putting in our discovery doc to declare PKCE support (see the thread "Advertise PKCE support in OAuth 2.0 Discovery"), hope we can agree on that soon.
>
> One implementation detail not covered in the spec: we error if you send code_verifier to the token endpoint when exchanging a code that was issued without a code_challenge being present. The assumption being that if you are sending code_verifier on the token exchange, you are using PKCE and should have sent code_challenge on the authorization request, so something is amiss.
>
> William
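The two server-side policies discussed in this exchange (Google rejecting a code_verifier on a code that was issued without a code_challenge, and Salesforce accepting only the S256 transform) can both be expressed as a small token-endpoint check. The following is an added illustration for this archive page, not code from Google, Salesforce, or the RFC; the shape of the `issued` record (what the authorization server stored when it issued the code) is an assumption, and the constructed inputs are generated inline.

```python
"""PKCE (RFC 7636) verification at a token endpoint, with the two
implementation choices from the thread made explicit. Added example;
the `issued` record layout is a hypothetical storage format."""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def new_code_verifier() -> str:
    """Client side: 32 random bytes, base64url without padding -> 43 chars."""
    return secrets.token_urlsafe(32)


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_exchange(issued: dict, code_verifier, allow_plain: bool = True):
    """Token-endpoint check for one authorization code.

    `issued` (hypothetical shape) holds the code_challenge and
    code_challenge_method recorded at the authorization request, or no
    code_challenge at all if the client did not use PKCE.
    Returns (ok, reason) so callers can log the reason without parsing exceptions.
    """
    challenge = issued.get("code_challenge")
    if challenge is None:
        # Google's behaviour from the thread: a verifier on a code that was
        # issued without a challenge means the client's PKCE flow is broken.
        if code_verifier is not None:
            return False, "code_verifier sent but code was issued without code_challenge"
        return True, "no PKCE on this code"
    if code_verifier is None:
        return False, "code_verifier required"
    if not VERIFIER_RE.match(code_verifier):
        return False, "malformed code_verifier"
    # RFC 7636 section 4.3: an absent code_challenge_method means "plain".
    method = issued.get("code_challenge_method") or "plain"
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        if not allow_plain:
            # Salesforce's policy from the thread: S256 only.
            return False, "plain transform not supported"
        expected = code_verifier
    else:
        return False, "unknown code_challenge_method"
    # Constant-time comparison; the stored challenge is treated as a secret-derived value.
    if not hmac.compare_digest(expected.encode("utf-8"), challenge.encode("utf-8")):
        return False, "code_verifier does not match code_challenge"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: the client makes a verifier, sends the S256
    # challenge on the authorization request, then exchanges the code.
    verifier = new_code_verifier()
    issued = {"code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"}
    print(verify_code_exchange(issued, verifier))          # (True, 'ok')
    print(verify_code_exchange({}, verifier))              # Google's rejection case
    print(verify_code_exchange({"code_challenge": verifier}, verifier, allow_plain=False))
```

The `allow_plain` switch is the only difference between the two deployments described above; everything else follows from the RFC. A server should also validate the code_challenge format at the authorization endpoint when it stores it, so that the comparison here is never against garbage.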