IETF Logo Mail Archive

Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1

"Richard Backman, Annabelle" <richanna@amazon.com> Wed, 13 October 2021 18:40 UTC

Return-Path: <prvs=91300960f=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6DEE3A091F for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 11:40:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.048
X-Spam-Level:
X-Spam-Status: No, score=-10.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RgZxRGcvxjmC for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 11:40:31 -0700 (PDT)
Received: from smtp-fw-6002.amazon.com (smtp-fw-6002.amazon.com [52.95.49.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1610C3A090F for <oauth@ietf.org>; Wed, 13 Oct 2021 11:40:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1634150431; x=1665686431; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=1sect57vHFe4j5mx8MPRLnoIfvM/krp4U1UvGEApt0k=; b=kJ9jCX1NLTmlf7rWhDB40OimWg8MXFCtjPNEDl0frhC+Wh81PBP0rkGE 2uGvcLG011GRoYuzqdgbJiQUVrI1uhRGMB7gNTQxZ9IzKfE+nqWXtjRjc ul3a9BdYE96y0KPnBZCpJpOePWpg70An0JYOhRiFdZLeRrl+2umO446CZ A=;
X-IronPort-AV: E=Sophos;i="5.85,371,1624320000"; d="scan'208,217";a="147542482"
Thread-Topic: [OAUTH-WG] Authorization code reuse and OAuth 2.1
Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-iad-1d-1c3c2014.us-east-1.amazon.com) ([10.43.8.2]) by smtp-border-fw-6002.iad6.amazon.com with ESMTP; 13 Oct 2021 18:40:23 +0000
Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan2.iad.amazon.com [10.40.163.34]) by email-inbound-relay-iad-1d-1c3c2014.us-east-1.amazon.com (Postfix) with ESMTPS id 9F32FC4200; Wed, 13 Oct 2021 18:40:21 +0000 (UTC)
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Wed, 13 Oct 2021 18:40:20 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC004.ant.amazon.com (10.43.162.101) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Wed, 13 Oct 2021 18:40:20 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1497.023; Wed, 13 Oct 2021 18:40:20 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>
CC: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Index: AdfAVNrlkmcvsI+rS0W4a9tVQDknwwAC7aIAAABNMAA=
Date: Wed, 13 Oct 2021 18:40:20 +0000
Message-ID: <A8EDE96E-7977-4B3D-81E0-A5B5450C9FF8@amazon.com>
References: <SA2PR00MB100244DAAD267EBD2FF51678F5B79@SA2PR00MB1002.namprd00.prod.outlook.com> <5DED0061-0610-491E-9AD9-9FA88566AE7E@alkaline-solutions.com>
In-Reply-To: <5DED0061-0610-491E-9AD9-9FA88566AE7E@alkaline-solutions.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.160.215]
Content-Type: multipart/alternative; boundary="_000_A8EDE96E79774B3D81E0A5B5450C9FF8amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cv0cZnrLSdNwERAIqDw3vbHX5yg>
Subject: Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 18:40:36 -0000

There are legitimate use cases for a client to replay an authorization code. Connection failures happen. Servers fall over before completing requests. Users hit browser refresh buttons. Permitting replay of authorization codes (assuming valid PKCE, client creds, etc.) allows clients to handle these failure modes simply and gracefully via retries.


Would the prevalence for ASs which cannot enforce an atomic code grant warrant further language against plain PKCE?

What is the practical reason for allowing "plain" PKCE in OAuth 2.1? Are there really use cases out there where SHA-256 is a deal breaker?

—
Annabelle Backman (she/her)
richanna@amazon.com<mailto:richanna@amazon.com>




On Oct 13, 2021, at 11:31 AM, David Waite <david=40alkaline-solutions.com@dmarc.ietf.org<mailto:david=40alkaline-solutions.com@dmarc.ietf.org>> wrote:

I agree that PKCE (with a non-plain operational mode) protects the code from attacker use by the security BCP model (but not necessarily stronger models)

Would the prevalence for ASs which cannot enforce an atomic code grant warrant further language against plain PKCE?

-DW

On Oct 13, 2021, at 11:16 AM, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org<mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>> wrote:

During today’s call, it was asked whether we should drop the OAuth 2.0 language that:
         The client MUST NOT use the authorization code
         more than once.  If an authorization code is used more than
         once, the authorization server MUST deny the request and SHOULD
         revoke (when possible) all tokens previously issued based on
         that authorization code.”

The rationale given was that enforcing one-time use is impractical in distributed authorization server deployments.

Thinking about this some more, at most, we should relax this to:
         The client MUST NOT use the authorization code
         more than once.  If an authorization code is used more than
         once, the authorization server SHOULD deny the request and SHOULD
         revoke (when possible) all tokens previously issued based on
         that authorization code.”

In short, it should remain illegal for the client to try to reuse the authorization code.  We can relax the MUST to SHOULD in the server requirements in recognition of the difficulty of enforcing the MUST.

Code reuse is part of some attack scenarios.  We must not sanction it.

                                                          -- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email