Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

Dominick Baier <dbaier@leastprivilege.com> Tue, 02 February 2016 11:20 UTC

Date: Tue, 02 Feb 2016 12:20:14 +0100
From: Dominick Baier <dbaier@leastprivilege.com>
To: William Denniss <wdenniss@google.com>, Mike Jones <michael.jones@microsoft.com>
Message-ID: <etPan.56b090ee.1ad113cd.e59c@dombp.local>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/WKNuR_qoIzUjWT_S0trS3vHYTDs>
Cc: "oauth@ietf.org" <oauth@ietf.org>

I also added support for it to our .NET client library.

Blog post here: http://leastprivilege.com/2016/02/02/pkce-support-in-identityserver-and-identitymodel/

-- 
Dominick Baier

On 2 February 2016 at 09:25:43, Dominick Baier (dbaier@leastprivilege.com) wrote:

IdentityServer 2.4 has PKCE support now as well.

https://github.com/IdentityServer/IdentityServer3/releases/tag/2.4.0

-- 
Dominick Baier

On 1 February 2016 at 22:12:54, Mike Jones (michael.jones@microsoft.com) wrote:

Congratulations on your deployment!

From: William Denniss [mailto:wdenniss@google.com]
Sent: Monday, February 1, 2016 12:25 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: John Bradley <ve7jtb@ve7jtb.com>; Nat Sakimura <sakimura@gmail.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

We are now live with this change:

https://accounts.google.com/.well-known/openid-configuration

I'm glad we all reached a consensus on how this param should work, and what it should be called, and thank you, Mike, for revising the draft! My ask now is that we don't revisit this decision, unless for extremely good reasons, as we don't want to break clients who will start using this.

On Mon, Jan 25, 2016 at 4:08 PM, William Denniss <wdenniss@google.com> wrote:

Thanks Mike, looking forward to the update. I reviewed the other thread.

On Mon, Jan 25, 2016 at 2:49 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

I'll add it to the discovery draft in the next day or so. Also, please see my questions in the message "[OAUTH-WG] Discovery document updates planned". I was waiting for that feedback before doing the update.

Thanks,
-- Mike

From: William Denniss
Sent: 1/25/2016 2:29 PM
To: John Bradley
Cc: Nat Sakimura; oauth@ietf.org; Mike Jones
Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

OK great! It seems that we have consensus on this. So this is what we plan to add to our discovery doc, based on this discussion:

"code_challenge_methods_supported": ["plain","S256"]

What are the next steps? Can we add it to https://tools.ietf.org/html/draft-jones-oauth-discovery directly? I see that the IANA registry created by that draft is "Specification Required", but PKCE is already an RFC without this param being registered.

On Mon, Jan 25, 2016 at 2:11 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

Yes, sorry. code_challenge_method is the query parameter, so code_challenge_methods_supported.

On Jan 25, 2016, at 6:12 PM, William Denniss <wdenniss@google.com> wrote:

On Thu, Jan 21, 2016 at 6:17 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

The code_challenge and code_challenge_method parameter names predate calling the spec PKCE.

Given that some of us deployed early versions of PKCE in products and open source to mitigate the problem before the spec was completed, we decided not to rename the parameter names from code_verifier_method to pkce_verifier_method.

For consistency we should stick with code_verifier_methods_supported in discovery.

To clarify, did you mean "code_challenge_methods_supported"? That is, building on the param name "code_challenge_method" from Section 4.3?

John B.

On Jan 21, 2016, at 3:12 AM, William Denniss <wdenniss@google.com> wrote:

"code_challenge_methods_supported" definitely works for me.

Any objections to moving forward with that? I would like to update our discovery doc shortly.

On Thu, Jan 21, 2016 at 1:37 PM, Nat Sakimura <sakimura@gmail.com> wrote:

Ah, OK. That's actually reasonable.

On 21 January 2016 (Thu) at 9:31, nov matake <matake@gmail.com> wrote:

I prefer "code_challenge_methods_supported", since the registered parameter name is "code_challenge_method", not "pkce_method".

On Jan 19, 2016, at 11:58, William Denniss <wdenniss@google.com> wrote:

Seems like we agree this should be added. How should it look?

Two ideas:

"code_challenge_methods_supported": ["plain", "S256"]

or

 

"pkce_methods_supported": ["plain", "S256"]

On Wed, Jan 6, 2016 at 9:59 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

+1

On 06.01.2016 at 18:25, William Denniss wrote:

+1

On Wed, Jan 6, 2016 at 6:40 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

Good point. Now that PKCE is an RFC we should add it to discovery.

John B.

> On Jan 6, 2016, at 9:29 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>
> I just noticed PKCE support is missing from the discovery metadata.
>
> Is it a good idea to add it?
>
> Cheers,
>
> Vladimir
>
> --
> Vladimir Dzhuvinov
>
>

> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

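As an added illustration of the metadata entry the thread converges on (this is example code written for this page, not code from the thread, from IdentityServer/IdentityModel, or from any other library it mentions): a client reads `code_challenge_methods_supported` from a constructed discovery document, prefers S256 over plain, and derives the PKCE `code_challenge` per RFC 7636; the matching token-endpoint check is included so both halves of the exchange are visible. The issuer URL and discovery JSON are constructed sample values.

```python
# Added example, not code from this thread or from any library it mentions:
# read code_challenge_methods_supported, pick the strongest advertised method,
# derive the PKCE code_challenge; the server-side check is shown for symmetry.
import base64
import hashlib
import hmac
import json
import secrets

# Constructed discovery document (not a real server's), modelled on the entry
# the thread settles on: "code_challenge_methods_supported": ["plain","S256"].
DISCOVERY_JSON = ('{"issuer": "https://as.example", '
                  '"code_challenge_methods_supported": ["plain", "S256"]}')

def choose_method(discovery: dict):
    """Prefer S256; use plain only if it is the sole method advertised; None if absent."""
    methods = discovery.get("code_challenge_methods_supported") or []
    for method in ("S256", "plain"):
        if method in methods:
            return method
    return None  # nothing advertised: the client learns nothing about PKCE support

def new_code_verifier() -> str:
    """RFC 7636 section 4.1: 43-128 unreserved chars; 32 random bytes encode to 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def code_challenge(verifier: str, method: str) -> str:
    """code_challenge per RFC 7636 section 4.2 for the chosen code_challenge_method."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    raise ValueError(f"unsupported code_challenge_method: {method}")

def verify_code_verifier(challenge: str, method: str, verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier, constant-time compare."""
    try:
        expected = code_challenge(verifier, method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), challenge.encode())

if __name__ == "__main__":
    method = choose_method(json.loads(DISCOVERY_JSON))
    verifier = new_code_verifier()
    print(method, verifier, code_challenge(verifier, method))
```

The S256 path reproduces the RFC 7636 Appendix B vector, so it can be checked against the spec directly.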