Re: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1

Mike Jones <Michael.Jones@microsoft.com> Tue, 12 May 2020 00:21 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A41843A0DD8 for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 17:21:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.272
X-Spam-Level:
X-Spam-Status: No, score=-2.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.173, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cPKbt2KxGNMn for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 17:21:42 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640138.outbound.protection.outlook.com [40.107.64.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 800E53A0DD6 for <oauth@ietf.org>; Mon, 11 May 2020 17:21:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kcFo83EHyhRFYUPckPsF2JiTv9tMiZz0SyFwlEmPbUTRRyJ9nhCQocNQAoRheAoQ3q3946HOO6zT/CCU23vMOeH9ogLW2DWK3olthrzoZoyU1QW3keoQZAgvN7OmzYFGdCQob0i39wxOlV82bLYYSmY14XFgpmxjX/ohFpsnVUJZwBzux5aTr1Yrik17YjCtcHl3qfUio+lGz+0Ns/SGeI8HqereD1c9PXxVumD/3YKnW2ZtwGCre48d38BoaQqgGwlIGDZ2KDQ4F+9hNOTOGjObvKZXonH6jrsa4o6J9Z6tfL5ey9shfkHPi/0TepAgSY2URHukiVSFzzGpsDF0zQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=amN789qLLX2QosVuJvvNYIRDR3IdbOmmZf3D+mwY0Ak=; b=c35d6H4nk6df8mhXKq8+cChb5wW0NdFbionOnsKP0yF/6KDM16TwTKUcwa/nkRgV09MOTb01IlyREsei7RCfQOA9BxP2md1py57kGWUbBfdk7jhf0t7mGUfjbQ9T9Se3LWiwS56gs3PaHD5r9i2g+3SuTPs4aqfUMxWDw8m2nq6x/4uaNbUxsqdtPoA9BebnyJQdsCK5ZfAAi3pZaosncYVNEXkfVZVnrlzXNyQ2bW7/IL/CbYJU1houZJ/KxWpzFyW3CcxoQ8Vqh76oSjTZvDZIb02dML0kNcLKnaQoIPEZ93kimi3Qweq7hmZne9cH7rirUXNmyns9GWEx77jyzg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=amN789qLLX2QosVuJvvNYIRDR3IdbOmmZf3D+mwY0Ak=; b=Nv3VXQ/TKGaEgEZvBbZ2BfFUTJuQkUI1SVlOdlykBRRPg8XNVYZs3mVlxT/91VzOv0RCjcHkznXuG/1+mZSeydr9BwKGztmkqTzGXuXWTUD29egjEjLmvCpqDGYWGUS7HhiN8eEpByYHobti6rcGN7YKb1fx9TZkLhx6weN4D3s=
Received: from MN2PR00MB0686.namprd00.prod.outlook.com (2603:10b6:208:15f::13) by MN2PR00MB0704.namprd00.prod.outlook.com (2603:10b6:208:1d0::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3032.0; Tue, 12 May 2020 00:21:40 +0000
Received: from MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::68f6:b54c:8d5e:d283]) by MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::68f6:b54c:8d5e:d283%7]) with mapi id 15.20.3035.000; Tue, 12 May 2020 00:21:40 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1
Thread-Index: AdYn801szb1PE0FGSyKMnB6cjcxG1g==
Date: Tue, 12 May 2020 00:21:40 +0000
Message-ID: <MN2PR00MB068633B7B72E5416AA8984D1F5BE0@MN2PR00MB0686.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=13634fd6-f522-4704-a3fc-00006e0411d9; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-05-12T00:18:33Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: parecki.com; dkim=none (message not signed) header.d=none;parecki.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 70182f22-aada-4f51-8dd5-08d7f60a7153
x-ms-traffictypediagnostic: MN2PR00MB0704:
x-microsoft-antispam-prvs: <MN2PR00MB07048657324ACF5804EC5E60F5BE0@MN2PR00MB0704.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0401647B7F
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: VdviVHuS05lWP51Peqcnt5vlDckqPmpvQQ33XbCopnM9TEKEwBLciGF2DdhH7Z4Z0kov6d/x8MG1dPLyj+hdN7RScVIP+6qeHbAY/wsdsOr1g5Zv9jMCPndj9gt2CdlHUmEzBJsKa4ghFcTzxSgIIvSsfkCKuL7+SOVX0Vam0Z0flOh97aRWZi4EVttUh0LBQGMeEsu3hdCyTQw92UMw4Vb+IOXSHFv4CAvpqmhM0mGE1e6178fe5gF3N2V3/sEh/92jZ7qY+LfJkrpP8Ea93PI9kqMuc1nk2knCSJCDpainbc6VoyrZeuTuBGCzlR1/6OYyzT8HM5Po4FQySmr35lP7FV9SZhwWjK0kGn0k5Et/FSO5vNUvp/hcEadk7m7qnvfOJspKuxLyYaIiI7KURPqCib9WE+ErchrzReicDCYQSAkUfgIqmGERwN9efYkV50u3jy+hotc/kltub8wEXV9qxgP3k7lPGr/zf/Ssh08=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR00MB0686.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(396003)(366004)(39860400002)(376002)(136003)(33430700001)(4326008)(966005)(82950400001)(26005)(6506007)(71200400001)(55016002)(53546011)(478600001)(8676002)(82960400001)(33440700001)(166002)(9686003)(76116006)(86362001)(33656002)(66476007)(66446008)(64756008)(66946007)(2906002)(66556008)(8990500004)(186003)(10290500003)(8936002)(5660300002)(110136005)(7696005)(52536014)(316002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: cizAJNKbKGYBGfqri930pjFWw474jmqM9VtOt7IUZdIwxZtwH7T5av1uLG4U+bx8e00DGdoB45QwDbqXAMLgotrAfBQUozRjbBwycUkRSow5NGAQfpanRb2CrbYOsQ5Q/yzR1zCbPhVoRHAzW1+1Ib4S7wFKMeBwlV/OLwd6o8MwaVcfVUz3LGQu6NDawBhqBhuEGYtpEUvTyxcNgws7zNab6uBGJdwvTQg9roeKJJEyr3rYgiEE3UB6N67/aEQ4hVeBl2DgH6srsARNcTwQuxvTBXS0PD1QHP8nLaH7jybnZXKXEN/xAuhsxLhPygvRDqoGiNTANxvtiTs/k8nJAUothTjULrgh+2RpWmC2znAOFl28yNMBjlLG/c0/LKM4tG+yW6IdIumZX5/GF3Vasps5uQ4hUkVlPulwmriZDmKFMp1Qc0M7F4CfWUKd9HO3Xu+/gZ8sXPHruqQ6YRzaKL4dduXVE859qN1q4uRH6yM=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB068633B7B72E5416AA8984D1F5BE0MN2PR00MB0686namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR00MB0686.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 70182f22-aada-4f51-8dd5-08d7f60a7153
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 May 2020 00:21:40.5471 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Smq3d/0upD0HK33u69A+r/Z+QsBPJhvUFKHzFD2dWDz79MOrKtbJSHvC2aGxZPYvQXKdg4KMc9ovSei3T6QsHA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR00MB0704
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-rKNK53kT19DpYRQbgo-Ujp9-XI>
Subject: Re: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 00:21:45 -0000

That works for me.  Thanks all for the useful back-and-forth that got us to this point of clarity.  I suspect many of us learned things along the way; I know that I did!

                                                       Cheers,
                                                       -- Mike

From: Aaron Parecki <aaron@parecki.com>
Sent: Monday, May 11, 2020 4:55 PM
To: OAuth WG <oauth@ietf.org>
Cc: Neil Madden <neil.madden@forgerock.com>om>; Mike Jones <Michael.Jones@microsoft.com>
Subject: Re: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1

Thank you Neil.

To address Mike's concerns in the previous threads, I would like to also update section 9.7 with the following text:

Clients MUST prevent injection (replay) of authorization codes into the
authorization response by attackers. The use of the `code_challenge`
parameter is RECOMMENDED to this end. For confidential clients, the
OpenID Connect `nonce` parameter and ID Token Claim {{OpenID}} MAY be used
instead of or in addition to the `code_challenge` parameter for this
purpose. The `code_challenge` or OpenID Connect `nonce` value MUST be
transaction-specific and securely bound to the client and the user agent
in which the transaction was started.

This change better clarifies the specific circumstances under which the "nonce" parameter is sufficient to protect against authorization code injection.

Aaron Parecki

On Mon, May 11, 2020 at 11:55 AM Neil Madden <neil.madden@forgerock.com<mailto:neil.madden@forgerock.com>> wrote:
I am happy with this proposed wording. Thanks for updating it.

— Neil


On 11 May 2020, at 19:52, Aaron Parecki <aaron@parecki.com<mailto:aaron@parecki.com>> wrote:

Thanks for the lively discussion around PKCE in OAuth 2.1 everyone!

We would like to propose the following text, which is a slight variation from the text Neil proposed. This would replace the paragraph in 4.1.2.1 (https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02#section-4.1.2.1) that begins with "If the client does not send the "code_challenge" in the request..."

"An AS MUST reject requests without a code_challenge from public clients, and MUST reject such requests from other clients unless there is reasonable assurance that the client mitigates authorization code injection in other ways. See section 9.7 for details."

Section 9.7 is where the nuances of PKCE vs nonce are described.

As Neil described, we believe this will allow ASs to support both OAuth 2.0 and 2.1 clients simultaneously. The change from Neil's text is the clarification of which threats, and changing to MUST instead of SHOULD. The "MUST...unless" is more specific than "SHOULD", and since we are already describing the explicit exception to the rule, it's more clear as a MUST here.

Aaron Parecki




_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth