Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Dick Hardt <dick.hardt@gmail.com> Sun, 10 May 2020 19:58 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 068E13A0B54 for <oauth@ietfa.amsl.com>; Sun, 10 May 2020 12:58:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bFU0fFvx9CkM for <oauth@ietfa.amsl.com>; Sun, 10 May 2020 12:58:08 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A8013A0B6F for <oauth@ietf.org>; Sun, 10 May 2020 12:58:07 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id c21so1075894lfb.3 for <oauth@ietf.org>; Sun, 10 May 2020 12:58:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=T3UkLd+t960/fzlnfvvTjg82BlcqgedUolm+AF22Ft0=; b=RoOlCNyuJhOl5oGH21SLnHDnoMOnsSZyB9ClfNki2FlbsUKbqAIcWUxzfGSHe2ip6O jY0pSktDn/c7XjODsE0cPu9ukyBpSmz6w4RwudzWsJXxOxFVQ0PF03JFa9D/OuOkoCm0 FNQKIA8twNNHKQbzWlsbUXLYbTM5CRFTCF/mwYU1xp1xEyJs5sWt58JA4O+uJltUoDVm 88KUkkoIqqbF3YOEEY9d9/FCfPM+7IW8Wwc/IYCP5iorG9dlGVFvjRJY8zaE5S4LlUZl gw1bTlKJifIUTVTJZ52/l9upzRjtLlwhTpHh/QS2fyFyEHx7aa+d3vMHSUJwqVUZqMZE Kkzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=T3UkLd+t960/fzlnfvvTjg82BlcqgedUolm+AF22Ft0=; b=PUkpJ4o7ycbysXace54XmSaO2+Eulc1PC9QRWTEW0DcsjZ410XQlnjaSoE9yRFW0V8 9HTfSgGagRA5wR8DTQkFH6m5Ek9MbMPFFIPCSMsMy3lsadhuSfvsHb6Zy5bEHZt3/o98 9uQH05j5lwsteBxfShsASE/ELbQdK6HNwdaerQGU96nAdveIDryda/qN+s5qwswm7rWL rkfwo4ATHQQ0NJD8Ye7gagPXdQGPpRB5rbbq4ineMeLcV+UjOlVsYDq2EKYHp1mtgVH3 NKNSlTof1GSWlIASD2fBwo04Ad63MtVjhLco7i+8SRYAVFS4O9oTteulMQC8y84y+iqR Hyog==
X-Gm-Message-State: AOAM533SriWHRXrklTetgTV3GhffM3jPttIsntMB8nCZZaj6IEyQ1rYD Z5GrJDXjyAH/j1iqEtxj3SIj6s2w37UoXBOmLpk=
X-Google-Smtp-Source: ABdhPJzflDWMNrYQs7YK6K16mOQkLo4ndJBatnjWtolppS/nLxbm9SreGeJKjcHxyNf9gMMM4VUd/6hjFiHH4n6ZnTE=
X-Received: by 2002:a19:d:: with SMTP id 13mr8803221lfa.167.1589140685913; Sun, 10 May 2020 12:58:05 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR00MB068869E4725F8EB1078ED2FDF5A00@MN2PR00MB0688.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB068869E4725F8EB1078ED2FDF5A00@MN2PR00MB0688.namprd00.prod.outlook.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 10 May 2020 12:57:39 -0700
Message-ID: <CAD9ie-tLqggSNpQKdSewVQGgxzTbQyLbYLQSWMAUCZDXqJgByA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001503b705a550a62b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VA6tUInPdGfz5DQIMpy_6VOE5_0>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 May 2020 19:58:12 -0000

Just as upgrading to OAuth 2.0 from OAuth 1.0 was voluntary, why is
upgrading to OAuth 2.1 not voluntary?

OAuth 2.0 obsoleted OAuth 1.0, just as OAuth 2.1 is obsoleting OAuth 2.1.
Our goal is for new deployments, that are reading the drafts, to use the
best practices.

If existing deployments don't want the advantages of a new version or
extension, there is nobody forcing them to upgrade -- hence my confusion on
your statement that it is "mandatory". Upgrading to OAuth 2.0 from OAuth
1.0 was not mandatory, and some deployments still use OAuth 1.0 today.



ᐧ

On Sun, May 10, 2020 at 12:51 PM Mike Jones <Michael.Jones@microsoft.com>
wrote:

> If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0
> (RFC 6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC
> 5849) obsolete.  That’s what makes me think developers would view updating
> as mandatory.  If you’re willing to remove the “replaces 6749” clause from
> the draft, then there would be no perception problem, as it would be clear
> that adoption of 2.1 would be voluntary, just like the other extension
> specs.
>
>
>
> *From:* Dick Hardt <dick.hardt@gmail.com>
> *Sent:* Sunday, May 10, 2020 12:38 PM
> *To:* Mike Jones <Michael.Jones@microsoft.com>
> *Cc:* Torsten Lodderstedt <torsten@lodderstedt.net>et>; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
> 2.0 was voluntary.
>
>
>
> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>
>
>
>
>
> On Sun, May 10, 2020 at 12:02 PM Mike Jones <Michael.Jones=
> 40microsoft.com@dmarc.ietf.org> wrote:
>
> I agree with actively maintaining and improving the OAuth 2.0 specs by
> adding enhancements that are voluntary to use.  I’ve worked on many such
> improvements, including Dynamic Client Registration, Authorization
> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
> etc.  The issue that’s the subject is the current discussion is whether to
> make use of another enhancement, PKCE, mandatory in cases where it’s
> actually not needed, rather than making its use voluntary like the other
> enhancements, which I certainly support.
>
>
>
>                                                        -- Mike
>
>
>
> *From:* Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
> *Sent:* Sunday, May 10, 2020 3:15 AM
> *To:* Mike Jones <Michael.Jones@microsoft.com>
> *Cc:* Daniel Fett <fett@danielfett.de>de>; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike,
>
>
>
> Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> schrieb am Fr.
> 8. Mai 2020 um 18:55:
>
> OAuth 2.1 was supposed to not introduce breaking changes.
>
> I cannot remember the WG met that decision. Can you please refer to the
> respective thread?
>
>
>
> Requiring exact redirect URI matching is already a breaking change. Do you
> oppose against this as well?
>
>
>
>
>
> If you want to do that, please do it in TxAuth instead.
>
>
>
> Interesting statement. Does it mean you want to conserve OAuth 2.0 and
> force any enhancements/improvements to go into TXAuth? This would cause
> huge migration efforts for existing deployments wanting to benefit from
> those enhancements.
>
>
>
> I think existing deployments are better served by actively maintaining and
> evolving the 2.x line. For example, PAR and RAR are attempts to improve
> OAuth 2.x and make it usable for new use cases. That’s better protection of
> existing investments than sending them of to TXAuth.
>
> Kind regards,
>
> Torsten.
>
>
>
>
>
>                                                        -- Mike
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Daniel Fett
> *Sent:* Thursday, May 7, 2020 11:50 PM
> *To:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> +1 to all what Aaron said. Thanks for pointing this out!
>
>
>
> We need to address this in the security BCP and this will be a normative
> change that affects OpenID Connect Core (just as our current recommendation
> on the usage of nonce).
>
>
>
> We would then have:
>
>
>
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
> except if you are a public client, then you still need PKCE.
>
> - use state, except if you use PKCE, then you don't need state.
>
>
>
> I think there are very good reasons to simplify this down to
>
>
>
> - use PKCE
>
> - you may or may not use state
>
>
>
> First and foremost, not many people will understand why there are cases
> when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
> understanding *why* you have to do something is key to compliance. The
> short version "PKCE protects the code; there is a specific case where it is
> not needed, but its better to use it all the time" is easy to understand.
> We will not see many implementations following the long version above
> correctly.
>
>
>
> Second, we dramatically reduce technical complexity by reducing cases that
> need to be handled. We reduce correctness and compliance testing complexity
> in the same way. We reduce the cost of security analysis, which scales
> really badly to more cases.
>
>
>
> And finally, using nonce to protect against code injection is less robust
> than PKCE. AS have a better track record than clients when it comes to
> correctly implementing security mechanisms.
>
>
>
> Yes, this will make a number of implementations non-spec-compliant, but I
> do not think that this is a huge problem. Software needs to adapt all the
> time and a software that has not been changed in a while is probably not
> one you would want to use anyway. We are setting a new goal for
> implementations to meet and eventually, maintained implementations will get
> there.
>
>
>
> -Daniel
>
>
>
>
>
> Am 08.05.20 um 01:38 schrieb Aaron Parecki:
>
> Backing up a step or two, there's another point here that I think has been
> missed in these discussions.
>
>
>
> PKCE solves two problems: stolen authorization codes for public clients,
> and authorization code injection for all clients. We've only been talking
> about authorization code injection on the list so far. The quoted section
> of the security BCP (4.5.3) which says clients can do PKCE or use the
> nonce, is only talking about preventing authorization code injection.
>
>
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public clients using the nonce parameter are still
> susceptible to stolen authorization codes so they still need to do PKCE as
> well.
>
>
>
> The only case where OpenID Connect clients don't benefit from PKCE is if
> they are also confidential clients. Public client OIDC clients still need
> to do PKCE even if they check the nonce.
>
>
>
> OpenID Connect servers working with confidential clients still benefit
> from PKCE because they can then enforce the authorization code injection
> protection server-side rather than cross their fingers that clients
> implemented the nonce check properly.
>
>
>
> I really don't think it's worth the amount of explanation this will take
> in the future to write an exception into OAuth 2.1 or the Security BCP for
> only some types of OpenID Connect clients when all clients would benefit
> from PKCE anyway.
>
>
>
> Aaron
>
>
>
>
>
>
>
> On Wed, May 6, 2020 at 10:48 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Hello!
>
>
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the
> nonce solves some of the issues that PKCE protects against. We think that
> most OpenID Connect implementations also support OAuth 2.0, and hence have
> support for PKCE if following best practices.
>
>
>
> The advantages or requiring PKCE are:
>
>
>
> - a simpler programming model across all OAuth applications and profiles
> as they all use PKCE
>
>
>
> - reduced attack surface when using  S256 as a fingerprint of the verifier
> is sent through the browser instead of the clear text value
>
>
>
> - enforcement by AS not client - makes it easier to handle for client
> developers and AS can ensure the check is conducted
>
>
>
> What are disadvantages besides the potential impact to OpenID Connect
> deployments? How significant is that impact?
>
>
>
> Dick, Aaron, and Torsten
>
>
>
> ᐧ
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> ᐧ
>