IETF Logo Mail Archive

Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF

Benjamin Häublein <Benjamin.Haeublein@cirosec.de> Wed, 05 January 2022 13:30 UTC

Return-Path: <Benjamin.Haeublein@cirosec.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C09D83A084D for <oauth@ietfa.amsl.com>; Wed, 5 Jan 2022 05:30:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.857
X-Spam-Level:
X-Spam-Status: No, score=-0.857 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cirosec.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZFnBcMYAUDMi for <oauth@ietfa.amsl.com>; Wed, 5 Jan 2022 05:29:58 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70051.outbound.protection.outlook.com [40.107.7.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 646353A0848 for <oauth@ietf.org>; Wed, 5 Jan 2022 05:29:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cirosec.de; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E46zuy5cfjRxdE1ptMZqcVeE8lBh1xiFLsrJKGmp5qU=; b=kuk2jnQwp+tbGM9PyhKNFt8MTt8EMKynfbowJnFKbIBJxj2uNNvFVWWvQOJP3Ck9MZsjD9h4vP7VQcBqPWOZKqxf94139fcp+IE29UFUu9YXDq9e+Z2E2hBCRJ5fI1a2XptYBOa9sBDKYphs0BP4xXKC/eW5NVfQZulhelfWat0=
Received: from OL1P279CA0016.NORP279.PROD.OUTLOOK.COM (2603:10a6:e10:12::21) by AS4P192MB1621.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:4bf::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4867.7; Wed, 5 Jan 2022 13:29:52 +0000
Received: from HE1EUR04FT038.eop-eur04.prod.protection.outlook.com (2603:10a6:e10:12:cafe::40) by OL1P279CA0016.outlook.office365.com (2603:10a6:e10:12::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4867.7 via Frontend Transport; Wed, 5 Jan 2022 13:29:52 +0000
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning cirosec.de discourages use of 195.243.60.194 as permitted sender)
Received: from z1.cirosec.com (195.243.60.194) by HE1EUR04FT038.mail.protection.outlook.com (10.152.26.189) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4867.7 via Frontend Transport; Wed, 5 Jan 2022 13:29:51 +0000
Received: from z1.cirosec.com (localhost [127.0.0.1]) by z1.cirosec.com (Postfix) with ESMTP id 64C7A40068; Wed, 5 Jan 2022 14:29:51 +0100 (CET)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-db5eur03lp2053.outbound.protection.outlook.com [104.47.10.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by z1.cirosec.com (Postfix) with ESMTPS id CC8CF40067; Wed, 5 Jan 2022 14:29:40 +0100 (CET)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lV7j/H086EZ2PCGKkRpi1k1XBJqTizP3oILVumh95mVvgKjBLQfG2k2KS6cK5aCXHSFqNNEDkPxDeNOa0V3Z5ULtCgjUXKWBYWy8RUcQJtVrRuPInadOL9/sbw4+hPtrZKGfibsZQ6Du5ejrAIzwA+fachK5gf7aux+HkFNoP/G3hEA7MNOaAnHQKUUhMeapbHwqZ0E6nnaEYhkgt/CA/5fIfUBkPYwwgiEVFcwD7H4mCqZ6wP7O8chM3ry07Gt/n5QnqO6K0gg5dpDfLHTd5iVqjqpWhmRtCX6KsUPhtJXD652WpbwNrT1I+mJKGzBXhBWV9KYHIBgNsPab2dkgxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=U5X9AwHX28KYHyRuVrgYnY2/A8GKQaRcnxv7UVPWUUo=; b=lmELjZfbJELfjumxmTkGlsMvwGfooUui9LGae7m3h66XwmOhJZKUoHiSPgMWvCLRV5+BZt/0RKkdKUMdmzNlvS1Q2ELnY2+6+Fu39P/qaEbMkJJoAeoEOHM1NYP4gGh8BgOuABS0cIWaV6QcLXFd5w66w5MIAXP+5qv/ku67DzcxFwvjBHdA9UA7RPUPi5bl/RkGPfp/ZgG+dbs/tY7ObfQRf5S7MvjTW4yfhQK96OvE9YpmQprVm3Oj7XY/bQqtIZh3aLy8wTyvMxpf7dO9b4uiakvxpgY/mD98sOGCBIoJzHXljHv56l2D6zPLhpisG70aG7Ax/6CBxpcB6PI/Xg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cirosec.de; dmarc=pass action=none header.from=cirosec.de; dkim=pass header.d=cirosec.de; arc=none
Received: from AM7P192MB0819.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:176::17) by AM5P192MB0035.EURP192.PROD.OUTLOOK.COM (2603:10a6:203:81::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4867.7; Wed, 5 Jan 2022 13:29:38 +0000
Received: from AM7P192MB0819.EURP192.PROD.OUTLOOK.COM ([fe80::5903:531c:f47:bc06]) by AM7P192MB0819.EURP192.PROD.OUTLOOK.COM ([fe80::5903:531c:f47:bc06%3]) with mapi id 15.20.4867.009; Wed, 5 Jan 2022 13:29:38 +0000
From: Benjamin Häublein <Benjamin.Haeublein@cirosec.de>
To: Warren Parad <wparad@rhosys.ch>
CC: George Fletcher <gffletch@aol.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
Thread-Index: AdgBWCxwol5UzlIbQPqsjH/C3LbbiAAGfQGAAC+fA9AAAFJ7gAABZ4iw
Date: Wed, 05 Jan 2022 13:29:37 +0000
Message-ID: <AM7P192MB0819D3D6523981A8495D5CD7E44B9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM>
References: <AM7P192MB0819568B6CF315C3BC3A9B15E44A9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM> <b711bc01-9674-6072-d941-7e1ba8f8c9ec@aol.com> <AM7P192MB081909F590F651D656ACC892E44B9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM> <CAJot-L2o32DCswBAoq6DKZgZmEKgafEk=_AGnj5y3q3CBPsa3A@mail.gmail.com>
In-Reply-To: <CAJot-L2o32DCswBAoq6DKZgZmEKgafEk=_AGnj5y3q3CBPsa3A@mail.gmail.com>
Accept-Language: de-DE, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-bromium-msgid: 4fc353e4-6947-402c-b133-ab9d6e2dca67
X-MS-Office365-Filtering-Correlation-Id: 22acc023-8e27-4276-a58a-08d9d04f7440
x-ms-traffictypediagnostic: AM5P192MB0035:EE_|HE1EUR04FT038:EE_|AS4P192MB1621:EE_
X-Microsoft-Antispam-PRVS: <AS4P192MB16217C9C3A1442C0E491C15CE44B9@AS4P192MB1621.EURP192.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: z/JNlLZp/9j3/qjHl+v30pUiLmQtcVSXTQsg3YhgiTYoCjLtniq4rf7axms8guH0tqTz7ozzAJkDX991ZQSIwgrzlmm3wr8idoh61FU97ldLiPJ0jzKkBZ5DwdB2m0neeBs6HqPDEz9K8a5aHshdH/T0Wrd/e+hPfMv4khskP5Jkf9FZ2EOtsfDABttzCWsBBrCxh297+4yAqaiktOL2KnOepzIbAL75fn7UqL4YeuKl7LpKjLZrTtFy0OjiMtUkTV8KOJhL4lsVaOH8wywpd2zKzlb2ZbXtLqR9LeK5rWRzvJ9nIVgjUZV+euWSRItbV6UVv66vjTB3z2KLMxh2sBlt2kGxSZDqUFrDASJHzr/rhVuMT27xL6ynWPv5UhN3jskdU/he+zS3OJoiSgp13E0hUiaO16b1f/ysmOKJX+5MprdRrQXtS9DaqxtpP0bvNvZTBNFv8UERVYiJax2R25l++bvYsh7wCLoCkiVTHOGJUlImtHD4nDHZumyX5SbvdgIki4I6ou/yJtwTsjAVPjt3zDfUyILV7NOcJl8sECN5/wcrd+OfOktcH4mgcerT19NM+XjvLHEe7B6xZ4uQB3v72NhBQx7ssMW36hAqUnRTJMZun3UsI3Ll0gb7Pz90A5ZoAhQzAMz74Kc2KknGpSv+hj1krPU0bsLoKYDkAGcrpdlAcWMYjeV0LWK7/vqduTvBlvizAIy8kpTqFFxiUEAHkFOm1WKoySKfFoftm5D4fmNVkVVF6t/nVVklhYkCE2Y6sWFwg22X65kETneXTvjb0ssxNi7i0u8R7+c2JqKuH1doLy8zTJ/h8FXlfXysgclsAfW+MiPjiqSVAz0KKg==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7P192MB0819.EURP192.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(6019001)(4636009)(366004)(376002)(346002)(136003)(396003)(39840400004)(269900001)(508600001)(7696005)(53546011)(6506007)(966005)(186003)(26005)(33656002)(71200400001)(8936002)(85202003)(8676002)(85182001)(54906003)(2906002)(86362001)(5660300002)(4326008)(38070700005)(83380400001)(166002)(55016003)(66476007)(19627235002)(52536014)(66946007)(66574015)(76116006)(66446008)(64756008)(66556008)(9686003)(38100700002)(316002)(122000001)(6916009)(21314003)(10090945008); DIR:OUT; SFP:1101;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P192MB0035
X-TBoneOriginalFrom: Benjamin Häublein <Benjamin.Haeublein@cirosec.de>
X-TBoneOriginalTo: Warren Parad <wparad@rhosys.ch>
X-TBoneOriginalCC: George Fletcher <gffletch@aol.com>, "oauth@ietf.org" <oauth@ietf.org>
X-TBoneDomainSigned: false
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7A3EA1EC3056F6715EC1431579ADB209"
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: HE1EUR04FT038.eop-eur04.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: ed3ceb9d-567e-4a58-9dab-08d9d04f6be3
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: uW4RvaUl7S1tq0RPq0F+ftC3uMgmHhtdJC3djKgaGaBAoYIoYIA8yCjeszZeUDP0VzH9jJtT2A7jinjpoJ4fJOnd1eBhsAzdBweqmZr+Pv17GOpkai45g1+PR0LCJzLDE/W6I+7TXX/RDadYtlaGjuD0Aa/PuTPiU9cnaCMaaNn+7I+XVXReG+2HdN/BBbihcFdlDla2s0mqK159DXzoABaJpqCwzGgiCPLh88RvasSEU5Pbqv+oVe04Tng9fAdbw8/USVDNX+A+0eZs0pqiAEzUmxXPdIf9z8lURddLUSSIo7h/QWdiU3OEiZsYbYUsfhFbJSbHHvleqrE+8zur++FaBRQP3iPqcc9AMcS6681GnxBLlSA//iqmqMJYI5WIHJejmz7AKp7QAi/y15kK2O4v8uG8/nayvwVDLPLA7k4QgGEPkLVuQ/OLq03hzhtlEqbiEGwRVRH3rlnfX8gZ6oaOEpQjNQR+bxhjMTV872zzy64A/jfo9iZvejcQ4vfayl6ofDQ0pZqGprAKh970/LD3xCuIsbR51TX2vbExSJ2bCHa5bKOIPzank8PjTeNyLcp0LvAJ6RqXlfpx1M7QRht/fFty8zV5cYn+mQNqnTzoO0DfzNgf4tLNGvek0Z6r8MTb13Zd7FAIboLL6uNjaHrJkCQ6wrH7dfhcpLu6QHOcaKKpTfcG53lexGZEtEL6qrJJu+Ms7UBNDNqFJTy/4Gumfsw1e+sO54u6txJjWggy7LaS7qIq6PUcdemCklei+Fwe4Dc1d9VCgWqoGkcG9P8oq9smkWLcPg/eTas/yQY9snoZfmJbTOp74mQaJpdgiGHC+BJjjrNPHw+zdOj901Z84THqwcMHDBVXGAaPkDwx/tB486A+Ao10Q8evpChP41uQHrz2U4no7gUvbsyRpQ==
X-Forefront-Antispam-Report: CIP:195.243.60.194; CTRY:DE; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:z1.cirosec.com; PTR:z1.cirosec.com; CAT:NONE; SFS:(6019001)(4636009)(136003)(39840400004)(396003)(346002)(376002)(269900001)(46966006)(36840700001)(8936002)(966005)(9686003)(33656002)(7596003)(83380400001)(508600001)(7696005)(33964004)(6506007)(66574015)(166002)(82310400004)(336012)(19627235002)(40480700001)(7636003)(356005)(36860700001)(47076005)(55016003)(235185007)(5660300002)(15974865002)(30864003)(4326008)(316002)(70206006)(70586007)(52536014)(86362001)(85202003)(85182001)(26005)(53546011)(186003)(8676002)(6916009)(2906002)(54906003)(21314003)(10090945008)(344275003); DIR:OUT; SFP:1101;
X-OriginatorOrg: cirosec.de
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jan 2022 13:29:51.9617 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 22acc023-8e27-4276-a58a-08d9d04f7440
X-MS-Exchange-CrossTenant-Id: 21fbdf28-bed3-4a1a-b1ca-8bb38fcb05e0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=21fbdf28-bed3-4a1a-b1ca-8bb38fcb05e0; Ip=[195.243.60.194]; Helo=[z1.cirosec.com]
X-MS-Exchange-CrossTenant-AuthSource: HE1EUR04FT038.eop-eur04.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS4P192MB1621
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aqScIJSqsI_QTqYuQ4stt2xFDZ8>
Subject: Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 13:30:04 -0000

The following example shows this behavior in keycloak:
Authorization Request:
http://identity-provider:8080/auth/realms/XXX/protocol/openid-connect/auth?client_id=client-spa-public-pkce&redirect_uri=http%3A%2F%2Flocalhost%2F&response_mode=fragment&response_type=code&scope=openid
Authorization Response:
http://127.0.0.1/#session_state=46556363-c53f-489f-871c-58d376a8f9c1&code=2b84ee14-68ff-48c9-b480-4349ff9805f7.46556363-c53f-489f-871c-58d376a8f9c1.6fab0727-6184-47ad-8607-55f19896e945
Token Request:
POST /auth/realms/XXX/protocol/openid-connect/token HTTP/1.1
Host: identity-provider:8080
Content-type: application/x-www-form-urlencoded

code=2b84ee14-68ff-48c9-b480-4349ff9805f7.46556363-c53f-489f-871c-58d376a8f9c1.6fab0727-6184-47ad-8607-55f19896e945&grant_type=authorization_code&client_id=client-spa-public-pkce&redirect_uri=http%3A%2F%2Flocalhost%2F&code_verifier=IqiCQGM06JEyW73AB3f3oblCQKHOorapyqHUcYRujuSikDJx8cvBQ0kmFmzW75uIfaSBtXQrRmwuk71WWO6ryCzahTcxBPYX

As a result, an access token was issued although the code_verifier provided in the token request did not match the code_challenge and code_challenge_method in the authorization request as they were absent.

An attacker can thus send the victim the authorization response, after the victim clicks the link, the client application sends a Token Request with the code_verifier present with the client to Keycloak.
As a result, a token is issued for the application, although the code_verifier does not match the inexistent code_challenge/code_challenge_method in the malicious authorization response.

For this to work, the client must either generate a code_verifier on the fly or have one already present. This obviously depends on the precise implementation of the respective client.
To reach such a state, an attacker could trick the user into starting the authorization grant but clicking the malicious link before the authorization response is sent.

Best Regards,
Benjamin Häublein
Senior Consultant

cirosec GmbH
Ferdinand-Braun-Strasse 4
74074 Heilbronn
Germany
Phone: +49 (7131) 59455-74
Fax: +49 (7131) 59455-99
Mobile: +49 (151) 122414-74
www.cirosec.de

HRB Stuttgart 107883
CEO Stefan Strobel, CFO Peter Lips

Von: Warren Parad <wparad@rhosys.ch>
Gesendet: Mittwoch, 5. Januar 2022 13:44
An: Benjamin Häublein <Benjamin.Haeublein@cirosec.de>
Cc: George Fletcher <gffletch@aol.com>; oauth@ietf.org
Betreff: Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF

Sie erhalten nicht oft E-Mail von "wparad@rhosys.ch<mailto:wparad@rhosys.ch>". Weitere Informationen, warum dies wichtig ist<http://aka.ms/LearnAboutSenderIdentification>
I'm not following to be honest. Could you detail concretely what the flow would be that would result in vulnerability?


[https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA]

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress<https://authress.io/>.


On Wed, Jan 5, 2022 at 1:41 PM Benjamin Häublein <Benjamin.Haeublein@cirosec.de<mailto:Benjamin.Haeublein@cirosec.de>> wrote:
Finally, I'm not sure a client that doesn't send the 'code_challenge' and 'code_challenge_method' on the authorization request but does send the 'code_verifier' on the token request should consider that the client has implemented PKCE correctly and hence can rely on it for CSRF.
My point is not, that a client behaves that way. The problem is that an attacker could get a user (through social engineering) to start the authorization process and then click a link with an authorization response that the attacker provides.
Then the client has send the 'code_challenge' and 'code_challenge_method' in the authorization request, but the authorization response belongs to an authorization request that does not have these parameters.
When the client sends the token request based on the malicious authorization request but with the ‘code_verifier’ for the original authorization request.
When the AS behaves as described the client has no way to know that an attacker has interfered.

Best Regards,
Benjamin Häublein
Von: George Fletcher <gffletch@aol.com<mailto:gffletch@aol.com>>
Gesendet: Dienstag, 4. Januar 2022 14:51
An: Benjamin Häublein <Benjamin.Haeublein@cirosec.de<mailto:Benjamin.Haeublein@cirosec.de>>; oauth@ietf.org<mailto:oauth@ietf.org>
Betreff: Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF

My guess is that for an Authorization Server that doesn't receive a 'code_challenge' and 'code_challenge_method' as part of the authorization request, they treat the request as a non-PKCE authorization request. Therefore when the 'code_verifier' is presented at the /token endpoint, the AS ignores the parameter because it doesn't consider the request to be a PKCE request. I can also see the AS returning an error regarding an "unexpected parameter" or "invalid request" error in this case.

I agree with your recommendation for the AS to require specific clients to use PKCE and consider an authorization request without PKCE to be an error.

Finally, I'm not sure a client that doesn't send the 'code_challenge' and 'code_challenge_method' on the authorization request but does send the 'code_verifier' on the token request should consider that the client has implemented PKCE correctly and hence can rely on it for CSRF.

Thanks,
George
On 1/4/22 5:45 AM, Benjamin Häublein wrote:
Hello everyone,
I think RFC 7636 “Proof Key for Code Exchange by OAuth Public Clients”, section 4.6. “Server Verifies code_verifier before Returning the Tokens” leaves a tiny gap regarding the handling of verification when no code challenge was present in the authorization request:
   Upon receipt of the request at the token endpoint, the server
   verifies it by calculating the code challenge from the received
   "code_verifier" and comparing it with the previously associated
   "code_challenge", after first transforming it according to the
   "code_challenge_method" method specified by the client.
It is unspecified how the server should behave when “code_verifier” is present, but “code_challenge” and “code_challenge_method” were not set in the initial authorization request.
The following example worked for three well-known authorization servers where the client was configured in a way that PKCE could be used, but was not enforced:
Authorization Request:
https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost
Subsequent Token Request:
POST /token HTTP/1.1
Host: XXXX
Content-Length: 256

code=ZZZZ&grant_type=authorization_code&client_id=YYYY&redirect_uri=https%3A%2F%2Flocalhost&code_verifier=IqiCQGM06JEyW73AB3f3oblCQKHOorapyqHUcYRujuSikDJx8cvBQ0kmFmzW75uIfaSBtXQrRmwuk71WWO6ryCzahTcxBPYX
As a result, an access token was issued although the code_verifier provided in the token request did not match the code_challenge and code_challenge_method in the authorization request.

Many applications consider the usage of PKCE as enough protection from Login-CSRF and do not use state or nonce (for example this blog entry by Daniel Fett https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/ suggests, that neither state nor nonce are necessary when PKCE is used). However, when the authorization server is not configured to require a specific code_challenge_method from the client and the authorization behaves as described in the example, PKCE does not protect from Login-CSRF.
I think the following mitigations are possible:

  1.  Enforce usage of PKCE in the client configuration in the Authorization Server
  2.  Implementation of the authorization server returns an error in the Access Token Response when code_verifier is present in the token request, but no code_challenge and code_challenge_method is present in the authorization request.
  3.  Additionally, when the behavior of an AS is correct (verification of code_verifier fails when no code_challenge was present), a client that relies on PKCE for CSRF protection must always include a code_verifier parameter in the token request (even if no code_verifier is present on the client side).

Best regards,

Benjamin Häublein
Senior Consultant

cirosec GmbH
Ferdinand-Braun-Strasse 4
74074 Heilbronn
Germany
Phone: +49 (7131) 59455-74
Fax: +49 (7131) 59455-99
Mobile: +49 (151) 122414-74
www.cirosec.de<http://www.cirosec.de>

HRB Stuttgart 107883
CEO Stefan Strobel, CFO Peter Lips



_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email