IETF Logo Mail Archive

[OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF

Benjamin Häublein <Benjamin.Haeublein@cirosec.de> Tue, 04 January 2022 10:46 UTC

Return-Path: <Benjamin.Haeublein@cirosec.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 698803A1A97 for <oauth@ietfa.amsl.com>; Tue, 4 Jan 2022 02:46:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cirosec.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k9LegY1iW30o for <oauth@ietfa.amsl.com>; Tue, 4 Jan 2022 02:46:01 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70045.outbound.protection.outlook.com [40.107.7.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DD033A1A92 for <oauth@ietf.org>; Tue, 4 Jan 2022 02:46:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cirosec.de; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t3D7cTvgJwxQyogLZe0uyQZ3nDqZVLmxi04FnUxy+3k=; b=JDcgAC+NigY4gR8vMgxntiNGCH6+p9/G5MSY346+cPHe5HSxwj5kPJUZA777s60UYpGw1eVdjWPjMNXUysPHincU6OFTJXiyNgNu0/8Dlr7uJaiVMRzXccYZyRdp23pjWA/u9oZaaQ7qhBukJce6uZoFVygxAfyGAjODOplP3YM=
Received: from AS8PR04CA0204.eurprd04.prod.outlook.com (2603:10a6:20b:2f3::29) by DB8P192MB0581.EURP192.PROD.OUTLOOK.COM (2603:10a6:10:16a::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4844.13; Tue, 4 Jan 2022 10:45:53 +0000
Received: from VI1EUR04FT062.eop-eur04.prod.protection.outlook.com (2603:10a6:20b:2f3:cafe::ab) by AS8PR04CA0204.outlook.office365.com (2603:10a6:20b:2f3::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4844.14 via Frontend Transport; Tue, 4 Jan 2022 10:45:53 +0000
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning cirosec.de discourages use of 195.243.60.194 as permitted sender)
Received: from z1.cirosec.com (195.243.60.194) by VI1EUR04FT062.mail.protection.outlook.com (10.152.29.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4844.14 via Frontend Transport; Tue, 4 Jan 2022 10:45:52 +0000
Received: from z1.cirosec.com (localhost [127.0.0.1]) by z1.cirosec.com (Postfix) with ESMTP id 82E2A40068 for <oauth@ietf.org>; Tue, 4 Jan 2022 11:45:52 +0100 (CET)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-he1eur02lp2055.outbound.protection.outlook.com [104.47.5.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by z1.cirosec.com (Postfix) with ESMTPS id EC09E40067 for <oauth@ietf.org>; Tue, 4 Jan 2022 11:45:42 +0100 (CET)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lRWV52IsaP4v98sDhUZqNmB64kJfsQWEI9aubZXZAl21RNotgxPirbZZ6SwmlzMX3nD2yxHi7+kOkO3DfZdWt3X2atHrd2YavnrrybLEaTiWXFZFBlVCdM8VWb0NkT9cbC77YPkDWLNeFA8fTwwy7qeSSozPyS1CnUffh9MJ14r3Wy2qh8O1komqd8HR25MjLpO6UUCG1aXZPwMZ9o58m00A6ZlMznoQ3kh4a6eJD8yYDLTmSHv8iwm0yz6n/sBuUsWIS4+I7YjwR/lUQjc4pmPRrnXE+G4TzLHi2ufgQSjVhCNhzs13I3HJK2mb17py5htidagXLXSFbg5n2ldrmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6orgpmP4qVj6DZTWbLRSqDwC7AsLKQeMgybl8Os5f8w=; b=Io5dIbc832n9x6rtLP8grUah7LQU2n3N3UGxDJ4FAnko7wtDcr2j1bMx6v/eBXgiGx77kPvWItV6qTzYcg4ij18m9QPyhbAiI2jwGCWMj3p6xZYMdX8csTAuZIxZpjP5pP5EJIqnKgH+FDL8f/54TuX0uSJp7g9xCEx2g5La1nxcg9lMYI43hjHwygMwU6l18Sml/W5kM1QrQVNh19EZykUk0o+mNFYLt+lPmnvCVMrOAaHWQRvtPssaszk6PskUVP5tJ7ih2NYbHNdilLiFBSAOh96XgfCu8D7Igd7bSTi3UJ7AEYDhczkZbV/aHKjphPuknExcbQsUwZkOFL5Opg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cirosec.de; dmarc=pass action=none header.from=cirosec.de; dkim=pass header.d=cirosec.de; arc=none
Received: from AM7P192MB0819.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:176::17) by AM5P192MB0164.EURP192.PROD.OUTLOOK.COM (2603:10a6:203:85::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4844.14; Tue, 4 Jan 2022 10:45:41 +0000
Received: from AM7P192MB0819.EURP192.PROD.OUTLOOK.COM ([fe80::5903:531c:f47:bc06]) by AM7P192MB0819.EURP192.PROD.OUTLOOK.COM ([fe80::5903:531c:f47:bc06%3]) with mapi id 15.20.4844.016; Tue, 4 Jan 2022 10:45:41 +0000
From: Benjamin Häublein <Benjamin.Haeublein@cirosec.de>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
Thread-Index: AdgBWCxwol5UzlIbQPqsjH/C3LbbiA==
Date: Tue, 04 Jan 2022 10:45:41 +0000
Message-ID: <AM7P192MB0819568B6CF315C3BC3A9B15E44A9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM>
Accept-Language: de-DE, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-bromium-msgid: 836d8690-5cde-4dce-b865-a22467e7e6ba
X-MS-Office365-Filtering-Correlation-Id: 139a0838-d29f-4475-c50a-08d9cf6f613e
x-ms-traffictypediagnostic: AM5P192MB0164:EE_|VI1EUR04FT062:EE_|DB8P192MB0581:EE_
X-Microsoft-Antispam-PRVS: <DB8P192MB0581CC058D4EBC7A608999D2E44A9@DB8P192MB0581.EURP192.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: J3ubX4Kyx7gGwDWukVszUqXyGwys4JvF0ZOsSZ2/DPgqXjWl6EVfnn85agx/6c2icqArPOmHvt6HcxgJ32hGIphMZHkdBN01KDR3QqYZPpoeuL9k+KXSu663nEffEPMD19mq5uA1StSjhqKTRY4p9iIl2dcvQ4VjxF0CSMW6LLL6N/4s28bxh+iq7umfj14i35gja2R3RrYqw9JUcPvjJsK2PYqbG1ca599Ui4W+5NugugchhSadJ+kbRZqH9a4FGsVoADT0UxgYp7FBBPywS8z5Ubr/vltZMeUkdwWiuHPiG2RJ5hZtzHC/51LBTek7G2xceIFbD61WzeXjAFGBayS/hX1rc+EjctADW4LJJKINrzLm+kW1kjYU/uTbnbSAQorlnfGhLtNioorrwkORHM5TwMRpRGlsKSuFM4Jcl373HjpwvilFXdigReTlNGBNd6cMtm7uQShyCtUqwT97LhOSVG9CTaAmKbQH7YATgu9vluhbnPG3lATOzNn/T00L6Rc2ehpBCZ067qN1txi596vrqfg7IZ6aICFNjBpdFGDZ6TkNR4wS3Ttk3ePzMC/3XQ3NDKa/VG6KQnhhVvZnLCujF0xGzqg/dZgN/Z4KxmSqUjVS4iXWdFGiW3FtmIr6mLm8+h6CxevT361VIZJ6wzYt7LG6+sE6dKmg9//hobtZlXG9P4LRJwY+oYjM7YQuAmKzNcxwPJe5zQ6AVaeyLAJHqGvf0bwU+sgJgPJQLV59jB4KHffZYBzxRQ11dOcW+hhdrqE9EfGWHG0KA6C8ckQpnFIWZeeHLiBCwf4EkyI=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7P192MB0819.EURP192.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(346002)(136003)(366004)(376002)(396003)(39830400003)(5660300002)(19627235002)(186003)(52536014)(2906002)(38100700002)(166002)(9686003)(7696005)(6506007)(86362001)(38070700005)(66946007)(966005)(66446008)(122000001)(71200400001)(64756008)(66556008)(33656002)(6916009)(76116006)(66476007)(508600001)(8936002)(316002)(55016003)(8676002)(83380400001)(26005)(66574015); DIR:OUT; SFP:1101;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P192MB0164
X-TBoneOriginalFrom: Benjamin Häublein <Benjamin.Haeublein@cirosec.de>
X-TBoneOriginalTo: "oauth@ietf.org" <oauth@ietf.org>
X-TBoneDomainSigned: false
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----CE50A8C63823B73D828C089D0D1A4086"
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VI1EUR04FT062.eop-eur04.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 445134bb-3407-4363-6c3f-08d9cf6f5a49
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: LgFe8hqm3ybkEtpCn11hVCLQXkesdCwwlb/86jrb6lCiGKkmhO9PHTNuJC7K/VSVLZ2JFBLklnisjQbFKBNqJanN/jcVJ1TNQpQL8cM9XkChLtkMPN8zaWelPLLsYL2boutjUg1OZ6sesfIL5GrJn9uVs9y/vhDeEcH+1qhYUSEfSd81FFCBkvlmRD7KfpLKjHJj/B1SklIlFjHGr50GWn0MztdeK84/Y7mrEMpLQPHyTIOm1c9OYZbzSgbv26//FDOlThBYw2+H/AagtyAVSPVsY3GHpw+N2HeDKXyhpjBhbKZSMG9fxJ1B3DGhw0eymP8CRO+WlA0FKd81M18S8umOFkQmckNu2kyNkyxnWJO5NH6uFmCEKGQrUA6SrcR0tOg6z9jUJNye3f/dThl/Q3YrOw8CSVMGTAGP0TWc/975c+2lZ3vwzJKnNXvhe9GEC7ppXucG4avWv5L/kHEp7CE/ZDPOwT4A1mUWSKCq5ANqnnH5GJ1RDxWgWsC6r0HpXu7mWgQzo1qtsSY9BuH0Nyevpsd4/mWNJ5mnv81XmmIwYhvksKtRiKNW0U2JJxbm2zYK1aAfARnkUOZT7KzJfaLu8uciEwqzsDi7qnEkYmaO8xGY3BzUw+SE03MKIhxFv5ErLNaJdapkoHVD+DpyeY5yKIJBobvQ4v8ZPUPYKAYVT2vPc5+70z9ccn7txEnhXJ6jFv5ibfrsV4QxWd48+w5JY0eUXC7XKkV4uUAVX12fx20B7HYxDnRfgiSVmZnQgM79sJwbZOn9o/ISwhifk4AstYeQdIPeuoYtQhMoa9X0nnwlxWFgBnT8lcnEYdzG
X-Forefront-Antispam-Report: CIP:195.243.60.194; CTRY:DE; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:z1.cirosec.com; PTR:z1.cirosec.com; CAT:NONE; SFS:(4636009)(136003)(396003)(376002)(39830400003)(346002)(46966006)(36840700001)(9686003)(47076005)(8676002)(83380400001)(316002)(86362001)(52536014)(8936002)(7596003)(36860700001)(70586007)(966005)(70206006)(508600001)(356005)(6916009)(82310400004)(7696005)(2906002)(40480700001)(186003)(66574015)(7636003)(55016003)(235185007)(26005)(15974865002)(33656002)(336012)(6506007)(166002)(5660300002)(19627235002)(579004); DIR:OUT; SFP:1101;
X-OriginatorOrg: cirosec.de
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Jan 2022 10:45:52.8365 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 139a0838-d29f-4475-c50a-08d9cf6f613e
X-MS-Exchange-CrossTenant-Id: 21fbdf28-bed3-4a1a-b1ca-8bb38fcb05e0
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=21fbdf28-bed3-4a1a-b1ca-8bb38fcb05e0; Ip=[195.243.60.194]; Helo=[z1.cirosec.com]
X-MS-Exchange-CrossTenant-AuthSource: VI1EUR04FT062.eop-eur04.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8P192MB0581
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/f80lsbeVRvlvQ8jx4Es6LC1Amtw>
Subject: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 10:52:15 -0000

Hello everyone,
I think RFC 7636 "Proof Key for Code Exchange by OAuth Public Clients", section 4.6. "Server Verifies code_verifier before Returning the Tokens" leaves a tiny gap regarding the handling of verification when no code challenge was present in the authorization request:
   Upon receipt of the request at the token endpoint, the server
   verifies it by calculating the code challenge from the received
   "code_verifier" and comparing it with the previously associated
   "code_challenge", after first transforming it according to the
   "code_challenge_method" method specified by the client.
It is unspecified how the server should behave when "code_verifier" is present, but "code_challenge" and "code_challenge_method" were not set in the initial authorization request.
The following example worked for three well-known authorization servers where the client was configured in a way that PKCE could be used, but was not enforced:
Authorization Request:
https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost
Subsequent Token Request:
POST /token HTTP/1.1
Host: XXXX
Content-Length: 256

code=ZZZZ&grant_type=authorization_code&client_id=YYYY&redirect_uri=https%3A%2F%2Flocalhost&code_verifier=IqiCQGM06JEyW73AB3f3oblCQKHOorapyqHUcYRujuSikDJx8cvBQ0kmFmzW75uIfaSBtXQrRmwuk71WWO6ryCzahTcxBPYX
As a result, an access token was issued although the code_verifier provided in the token request did not match the code_challenge and code_challenge_method in the authorization request.

Many applications consider the usage of PKCE as enough protection from Login-CSRF and do not use state or nonce (for example this blog entry by Daniel Fett https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/ suggests, that neither state nor nonce are necessary when PKCE is used). However, when the authorization server is not configured to require a specific code_challenge_method from the client and the authorization behaves as described in the example, PKCE does not protect from Login-CSRF.
I think the following mitigations are possible:

  *   Enforce usage of PKCE in the client configuration in the Authorization Server
  *   Implementation of the authorization server returns an error in the Access Token Response when code_verifier is present in the token request, but no code_challenge and code_challenge_method is present in the authorization request.
  *   Additionally, when the behavior of an AS is correct (verification of code_verifier fails when no code_challenge was present), a client that relies on PKCE for CSRF protection must always include a code_verifier parameter in the token request (even if no code_verifier is present on the client side).

Best regards,

Benjamin Häublein
Senior Consultant

cirosec GmbH
Ferdinand-Braun-Strasse 4
74074 Heilbronn
Germany
Phone: +49 (7131) 59455-74
Fax: +49 (7131) 59455-99
Mobile: +49 (151) 122414-74
www.cirosec.de

HRB Stuttgart 107883
CEO Stefan Strobel, CFO Peter Lips

v2.23.0 | Report a Bug | By Email