[OAUTH-WG] PKCE RFC 7636 and registered URLs

Axel.Nennker@telekom.de Tue, 01 October 2024 09:45 UTC

From: Axel.Nennker@telekom.de
To: oauth@ietf.org
CC: nat@sakimura.org
Date: Tue, 01 Oct 2024 09:44:44 +0000
In-Reply-To: <CAMtUnc4ajouz-a45Y+gLv8hffnABBb0TwgdDkUCO5HqRZOQK0g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Vg9seREfXk0cC1Dq4wuwnRQ9K2Q>

Hi,

Is this sentence in the introduction of RFC 7636<https://datatracker.ietf.org/doc/html/rfc7636> still true?
"The Redirection Endpoint URI in this case typically uses a custom URI scheme."

I think mobile applications should be registered by the developer for their domain.
If the developer has control over their backend/webserver, they can easily set up .well-known files for Android and iOS to find, which bind the mobile app to that domain.
Example by DT/TDG:
https://www.telekom.de/.well-known/apple-app-site-association
The appId is bound to the paths at that domain.
Android also allows an app to bind itself to a URL:
https://developer.android.com/training/app-links/verify-android-applinks

Is the word "typically" still true nine years after RFC 7636 was written?

I suggest removing the word "typically" in the introduction and adding a security section that recommends registering the mobile app for a URL.

7.6 Registering the mobile app for a URL
Major operating systems and app store management systems allow the registration of a URL to a mobile app.
With a URL registered to the mobile app, an attacker cannot register their malicious app for the same URL as the mobile app.
It is RECOMMENDED that the developer of the mobile app bind the app to a URL.

Or are these url-binding-to-app mechanisms of Android and iOS too proprietary? I would not mention them by name in an RFC.
But the majority of (native) mobile apps can register their URL and I think the RFC should mention this security measure.

Also, I am wondering why this mechanism is not mentioned in https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
I probably missed discussion on the mailing list.
I found some mention of universal links, e.g. https://mailarchive.ietf.org/arch/msg/oauth/cN0uYaEd5uOLEprCwc-0wJjKJfs/ in 2020, but these discussions did not lead to anything in RFCs or drafts.
Why?
I think that if developers can register a URL to their native mobile app, then they should do that.

Kind regards
Axel
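As an added illustration (not part of the message above, and not code from DT/TDG, Apple or Google), the check below shows what "binding the app to a URL" means in practice: it evaluates a candidate redirect URI against constructed samples of the two well-known files the message refers to, an `apple-app-site-association` document (classic `paths` form, first matching pattern wins, `NOT ` prefix excludes) and an Android `assetlinks.json` statement list. The team ID, bundle ID, package name, domain and certificate fingerprint are made-up values; a real deployment fetches both files over HTTPS from `https://<domain>/.well-known/` and the operating system, not the authorization server, performs the verification at install time.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample apple-app-site-association document (identifiers are made up).
# In a real deployment this is served at https://<domain>/.well-known/apple-app-site-association
SAMPLE_AASA = json.dumps({
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "ABCDE12345.com.example.mobileapp",
                # Evaluated in order; "NOT " excludes, "*" and "?" are wildcards.
                "paths": ["NOT /oauth/admin/*", "/oauth/*", "/login"],
            }
        ],
    }
})

# Constructed sample assetlinks.json (package name and fingerprint are made up).
# In a real deployment this is served at https://<domain>/.well-known/assetlinks.json
SAMPLE_ASSETLINKS = json.dumps([
    {
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.mobileapp",
            "sha256_cert_fingerprints": [
                "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
                "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
            ],
        },
    }
])


def aasa_path_allowed(aasa_json: str, app_id: str, path: str) -> bool:
    """True if the AASA document claims `path` for `app_id`.

    Patterns are tried in order and the first match decides; a pattern
    prefixed with "NOT " is an exclusion. No match means not claimed.
    """
    doc = json.loads(aasa_json)
    for entry in doc.get("applinks", {}).get("details", []):
        if entry.get("appID") != app_id:
            continue
        for pattern in entry.get("paths", []):
            negate = pattern.startswith("NOT ")
            if negate:
                pattern = pattern[len("NOT "):]
            if fnmatchcase(path, pattern):
                return not negate
    return False


def assetlinks_claims_app(assetlinks_json: str, package_name: str) -> bool:
    """True if assetlinks.json grants handle_all_urls to `package_name`
    and pins it to at least one signing-certificate fingerprint."""
    for stmt in json.loads(assetlinks_json):
        target = stmt.get("target", {})
        if ("delegate_permission/common.handle_all_urls" in stmt.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package_name
                and target.get("sha256_cert_fingerprints")):
            return True
    return False


def redirect_uri_bound_to_app(redirect_uri: str, domain: str,
                              aasa_json: str, app_id: str,
                              assetlinks_json: str, package_name: str) -> dict:
    """Report whether a redirect URI is an https URL on `domain` that both
    platforms' association files bind to the expected app.

    Individual verdicts are returned so a reviewer can see why a URI failed;
    a custom-scheme URI fails the "https" check and is never bound.
    """
    parts = urlsplit(redirect_uri)
    result = {
        "https": parts.scheme == "https",
        "host": parts.hostname == domain,
        "ios": False,
        "android": False,
    }
    if result["https"] and result["host"]:
        result["ios"] = aasa_path_allowed(aasa_json, app_id, parts.path or "/")
        result["android"] = assetlinks_claims_app(assetlinks_json, package_name)
    result["bound"] = all(result[k] for k in ("https", "host", "ios", "android"))
    return result


if __name__ == "__main__":
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com/oauth/admin/callback",
                "com.example.mobileapp://callback",
                "https://evil.example.net/oauth/callback"):
        print(uri, redirect_uri_bound_to_app(
            uri, "app.example.com", SAMPLE_AASA, "ABCDE12345.com.example.mobileapp",
            SAMPLE_ASSETLINKS, "com.example.mobileapp"))
```

The ordered `NOT` handling matters: `/oauth/admin/callback` is rejected even though `/oauth/*` would match it, because the exclusion appears first. A custom-scheme URI such as `com.example.mobileapp://callback` fails immediately, which is the property the message argues for: with an https URL bound through these files, the platform refuses to hand the callback to a second app claiming the same URL.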