IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Mike Jones <Michael.Jones@microsoft.com> Fri, 08 May 2020 16:55 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CBA03A0B43 for <oauth@ietfa.amsl.com>; Fri, 8 May 2020 09:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j-_lJhlCRgwR for <oauth@ietfa.amsl.com>; Fri, 8 May 2020 09:55:34 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650103.outbound.protection.outlook.com [40.107.65.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5768D3A0AD1 for <oauth@ietf.org>; Fri, 8 May 2020 09:55:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gi1KiEmEYJUSIvM1NWwcDY2NWjm2fs3iFox4MuTVJHPBqlzjp7gSEq3fXOLtc1Xqr5Z88xIliA4GD/OAPwtlVuQHdtjmIa15GLvEzoxNuosf0Lf28hWZ8OY9LA6ck8FyFhkegH8OAUoEuM0AfrHl97AYh1Fe1zJKyHyLDXm9nWvHJhjd3itZ3qCAmsozVWjGeijLQrcoWIjemIWTnjpxhAYnHAIZ1q4yJfx0aVdG1Zd+UFRDh5tWs3Gmp172xJ/TlotwywyzzDMgEQ8dVLF4/+1V3wd7NPxw9GMKKk42pyD5NjC/1Dw8aceW6GHhMSBQBVJxH4zMHkCP80bZrWzb4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ydh3GRISUNblPROkdgcJN0As75BBSIZ0sXMJih45FQI=; b=Uneeh+i3fwnWi6UGRL8qpNp7qXW8q8FWorV/pntGyP3Sh9xB58p3BA1hSR05SKMErftUw0qMqMBRST1IVMj4uESwU3/2V9PenXDravpaH12cDnlY/FDXf01qsX7EBP1dLk8jPrxQFSyRIsW7gEMvqjZPQ4tUP+utgfVmtB87LFosWcwndR6YXSKRZO1djzT5/1/wVHlUYLSVoa95UF7JHA/zdKwrDxs2qzQfrmKLoS2l3Wwc5N/4/aZnyJcpTSKvoy6E7q9DOdfTyTIKOJTTmZjKdjFhC9FGLaZtUxiQnWh/tzz7j3PimBMqyZj/iQSsBwQ/sHABxmOwzId1UUfV4A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ydh3GRISUNblPROkdgcJN0As75BBSIZ0sXMJih45FQI=; b=Enh1XM2tCupbohcno8FkwUTPxLQtAnTm67/o1z4gCQe8F5KLxUIa1urJ72rN9LdBgWgLfVmgGvVaTyVcFKNQpXFD7eNKi0U1EhnIJySrZcHDy+DIFSlukBLozur0S72tu9pJTXQ7Bqj/NDsA5NuN4A3uGxnIF4Ho+rOev+/K+k0=
Received: from DM6PR00MB0684.namprd00.prod.outlook.com (2603:10b6:5:21c::8) by DM6PR00MB0553.namprd00.prod.outlook.com (2603:10b6:5:165::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.0; Fri, 8 May 2020 16:55:17 +0000
Received: from DM6PR00MB0684.namprd00.prod.outlook.com ([fe80::28ba:39bb:f9ca:658b]) by DM6PR00MB0684.namprd00.prod.outlook.com ([fe80::28ba:39bb:f9ca:658b%5]) with mapi id 15.20.3015.000; Fri, 8 May 2020 16:55:17 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Daniel Fett <fett@danielfett.de>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] OAuth 2.1 - require PKCE?
Thread-Index: AdYlWXAnmjsqG17TS+ukF4wvi0+THQ==
Date: Fri, 08 May 2020 16:55:17 +0000
Message-ID: <DM6PR00MB0684CD35E5A1E7F4309983B0F5A20@DM6PR00MB0684.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=b4c71a8d-cafc-4e3b-85b6-0000c0573b66; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-05-08T16:45:41Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: danielfett.de; dkim=none (message not signed) header.d=none;danielfett.de; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: b756775d-dfb6-4e84-e911-08d7f37095f3
x-ms-traffictypediagnostic: DM6PR00MB0553:
x-microsoft-antispam-prvs: <DM6PR00MB05536E1E8DE1FE78CE3E1737F5A20@DM6PR00MB0553.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 039735BC4E
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: buaYxgcytbO69AamAwkvlNUY7ODZ9QedzW/8yqYGFc/qgpGUeB/wmNnKSONjYwl6aajURNOm+Kh3PqaqN4KGVVVX3+8PUFfNbpbD7APPylBh6nZNxOS9WPVzERwIsf0FtNgZzaL3HpUvtodxuz1xgWFS9NV/QuWxWXEUP9pSMk3HtmX6MXGlParskF4XLOLrZ67W6ZKSorUkiy2/8MWAB/vLhm5GVT7opY/CY4NnHsXnTwxdDf7fd8eimH+FEuGR6OT6Sf6fKK0NZpAyZUok54rEwMr4oKqqx+SKxeWb3A1QlvOkLL+yuJACAyGV3U91oTjCVKPP2Uxkg8kekVBrY/3EKk3L81yIcTMesKTtWhiPW6nWbupTkEA4axUxvOZAewetCTdvdbFKCkudUxOb3E3j/pENxcUQ48H1jGi99tr2bV9Ge/0TWCZJ2BHzKNh8XpqKWITIkS9p56LGmONhGHK8ZCRmqIqbMG4I+Lp1HpD8qfnz7fGcKSE9QRNE8GJX4rn+Q88AkWoyKbxbq/T5cA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR00MB0684.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(366004)(376002)(346002)(136003)(39860400002)(33430700001)(8990500004)(33656002)(52536014)(110136005)(7696005)(966005)(66946007)(76116006)(316002)(82950400001)(82960400001)(33440700001)(76236002)(66446008)(66476007)(64756008)(2906002)(53546011)(9686003)(66556008)(5660300002)(6506007)(478600001)(83280400001)(8936002)(55016002)(83300400001)(83290400001)(66574014)(83310400001)(83320400001)(166002)(10290500003)(71200400001)(8676002)(26005)(186003)(86362001)(99710200001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: ouj9DjBu4UqQbh68yIILjc+a+PcRhX0YJ77UDptGhyqFfurzRH75HhJ9H+Kg3/bguyFt9AsfR4XucnlOnkyLSdMtoty9ERUInVPRpKR5H9ndJ+H+Jphbm7Jg49bXZZvlucEI1Aa/CWNWZJUn1x4AscdWSjp1McDqvf7MUANwet9V3mzf2eNpoAQrf2POy2w3k/xZtjsnHVHlen5U4i1lTanP0mD6AKLZw7kQi67hZJo5pQWwCFBtfqyzLd/289+ucDlg/TP86vIQe9Vcbl4mhGJyRZ1xSbSpJ7xhKwQL3xEQGabmvKN4cR1Z0cSArSwbNce5o67nGx0A2J4InS2F9cu62stIq1JtQEOfdMfmomyOUqbwN4px0JjDKMwZZgRXRrcq5Dn+zHMZ9m04WPcanoqsvboh2nD7YU1M6yo6fhsjhJLD2PFDks9y20jq9ZbCHzGUBCJH2BjpyLxksgKLtD99aLimH6Xx0BnbbWOrRcw=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB0684CD35E5A1E7F4309983B0F5A20DM6PR00MB0684namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR00MB0684.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b756775d-dfb6-4e84-e911-08d7f37095f3
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2020 16:55:17.3293 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: xm6TEkhjckYB3/J5GGpVvTiCN385C5x7Ga2DhBFNiEhJ+4ButDAzmpAc/j82F0FkRIxmCaCtdSHu09AHZo2Bcw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0553
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OoUyP33WWzbrcp8Nnfn_Wz-pE30>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 16:55:39 -0000

Daniel, you wrote:
> We would then have:
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, except if you are a public client, then you still need PKCE.
> - use state, except if you use PKCE, then you don't need state.

I believe that this is an accurate statement of the facts, balancing interoperability and simplicity.  That’s what we should therefore say in the spec (possibly rewording it to make it easier to parse and understand).

I would be OK going so far as also saying something along the lines of:
  - Alternatively, new implementations may choose to always use PKCE, provided that the client somehow can determine that the server it is communicating with also supports PKCE.
That seems like a viable compromise, giving developers accurate information that is actionable.

But mandating PKCE in all cases, even when unnecessary, would be an interop disaster and would cause many to simply ignore the new spec.

OAuth 2.1 was supposed to not introduce breaking changes.  If you want to do that, please do it in TxAuth instead.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change that affects OpenID Connect Core (just as our current recommendation on the usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, understanding why you have to do something is key to compliance. The short version "PKCE protects the code; there is a specific case where it is not needed, but its better to use it all the time" is easy to understand. We will not see many implementations following the long version above correctly.

Second, we dramatically reduce technical complexity by reducing cases that need to be handled. We reduce correctness and compliance testing complexity in the same way. We reduce the cost of security analysis, which scales really badly to more cases.

And finally, using nonce to protect against code injection is less robust than PKCE. AS have a better track record than clients when it comes to correctly implementing security mechanisms.

Yes, this will make a number of implementations non-spec-compliant, but I do not think that this is a huge problem. Software needs to adapt all the time and a software that has not been changed in a while is probably not one you would want to use anyway. We are setting a new goal for implementations to meet and eventually, maintained implementations will get there.

-Daniel


Am 08.05.20 um 01:38 schrieb Aaron Parecki:
Backing up a step or two, there's another point here that I think has been missed in these discussions.

PKCE solves two problems: stolen authorization codes for public clients, and authorization code injection for all clients. We've only been talking about authorization code injection on the list so far. The quoted section of the security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only talking about preventing authorization code injection.

The nonce parameter solves authorization code injection if the client requests an ID token. Public clients using the nonce parameter are still susceptible to stolen authorization codes so they still need to do PKCE as well.

The only case where OpenID Connect clients don't benefit from PKCE is if they are also confidential clients. Public client OIDC clients still need to do PKCE even if they check the nonce.

OpenID Connect servers working with confidential clients still benefit from PKCE because they can then enforce the authorization code injection protection server-side rather than cross their fingers that clients implemented the nonce check properly.

I really don't think it's worth the amount of explanation this will take in the future to write an exception into OAuth 2.1 or the Security BCP for only some types of OpenID Connect clients when all clients would benefit from PKCE anyway.

Aaron



On Wed, May 6, 2020 at 10:48 AM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce solves some of the issues that PKCE protects against. We think that most OpenID Connect implementations also support OAuth 2.0, and hence have support for PKCE if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect deployments? How significant is that impact?

Dick, Aaron, and Torsten

ᐧ



_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email