Re: [OAUTH-WG] Misplaced Resource Owner in PKCE
Brian Campbell <bcampbell@pingidentity.com> Thu, 29 January 2015 22:40 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E36F1A012D for <oauth@ietfa.amsl.com>; Thu, 29 Jan 2015 14:40:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ebsJ-38TnEwm for <oauth@ietfa.amsl.com>; Thu, 29 Jan 2015 14:40:18 -0800 (PST)
Received: from na3sys009aog124.obsmtp.com (na3sys009aog124.obsmtp.com [74.125.149.151]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0291A000D for <oauth@ietf.org>; Thu, 29 Jan 2015 14:40:18 -0800 (PST)
Received: from mail-ie0-f179.google.com ([209.85.223.179]) (using TLSv1) by na3sys009aob124.postini.com ([74.125.148.12]) with SMTP ID DSNKVMq20l9A/1egllW8EXLWuLFCrvBQKXWy@postini.com; Thu, 29 Jan 2015 14:40:18 PST
Received: by mail-ie0-f179.google.com with SMTP id x19so413673ier.10 for <oauth@ietf.org>; Thu, 29 Jan 2015 14:40:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=MSgX2G70WrPKnMFfTld6lAo+A0EWntnYqM4ZfF+wr04=; b=AoU3yWj3fspYWXxruS4ymL2GkvWKtKRUzFEK461JcAdvRJSQpRuN2sZyneAmYYkAgt dCXYblID2C7c1jjomfSCG4lnejmRWsoT0rqfc7c4gnY+Iz3Ra2tHUA6UDrv0LXESQjlf lryntPT6GnFtGJvzVNe8Ra5sQqMtOMqo8ja528Wx96Arw8tUZ/aihhp+bTIiHSciEE0N HGnNkfsELy/87x1YHsUh3jysGjnCGjgxhLo3uxjvaoo665u3n4A5sN31E0lA1SaWguNy peb8mxZQ/el2qr2OSSZu8WTSQh+Su/Gf4Je51DaKJO9EcwrHN5xIWbzE8IZKy4m4F9dv tO3Q==
X-Gm-Message-State: ALoCoQnC9/p7arJN3dh1yAudrBhxdklPuZO3cYCWlIBwoIkS1/CWV3+TAz9QPDygL983+B2qC3kevFVrrcPJbLur1rSxBR7XJTJ3oDFcWVkJFX7GzJYbZy7p3xi2yfF5JTfqpIa5depa
X-Received: by 10.43.95.2 with SMTP id ca2mr3178362icc.89.1422571218033; Thu, 29 Jan 2015 14:40:18 -0800 (PST)
X-Received: by 10.43.95.2 with SMTP id ca2mr3178349icc.89.1422571217904; Thu, 29 Jan 2015 14:40:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.33.75 with HTTP; Thu, 29 Jan 2015 14:39:47 -0800 (PST)
In-Reply-To: <3E4FF4CB-DEF4-4C3A-A09C-7B157DDEE2E2@ve7jtb.com>
References: <CA+k3eCS0BP5se-nbhw6bpCWH9HSe_4afQRXrS8fL8vYm3+LGmA@mail.gmail.com> <DE5F6289-144D-4002-85F0-34DCF3F783E6@ve7jtb.com> <CA+k3eCRrkExQk2Rkjq2aZaEUQW4k8jPZA50C3aO2nAHCBDry-g@mail.gmail.com> <3E4FF4CB-DEF4-4C3A-A09C-7B157DDEE2E2@ve7jtb.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 29 Jan 2015 15:39:47 -0700
Message-ID: <CA+k3eCTfmUXCcBM82q0G=n+YeifPZLpeXfnMvmPLwrRYC8V+jA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="bcaec51969551cbc28050dd22cf2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/fnCHyjXpr1j8fiYT4lKH7LN90JU>
Cc: oauth <oauth@ietf.org>, Naveen Agarwal <naa@google.com>
Subject: Re: [OAUTH-WG] Misplaced Resource Owner in PKCE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 22:40:22 -0000
Good by me. On Thu, Jan 29, 2015 at 3:35 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > +--------+ +---------------+ > | |--(A)-- Authorization Request --->| | > | | + t(code_verifier), t | Authorization | > | | | Endpoint | > | |<-(B)---- Authorization Code -----| | > | | +---------------+ > | Client | Authz Server > | | +---------------+ > | |--(C)--- Access Token Request --->| | > | | + code_verifier | Token | > | | | Endpoint | > | |<-(D)------ Access Token ---------| | > +--------+ +---------------+ > > Figure 2: Abstract Protocol Flow > > > > > > Sakimura, et al. Expires August 2, 2015 [Page 4] > > Internet-Draft oauth_pkce January 2015 > > > This specification adds additional parameters to the OAuth 2.0 > Authorization and Access Token Requests, shown in abstract form in > Figure 1. > > A. The client creates and records a secret named the "code_verifier", > and derives a transformed version "t(code_verifier)" (referred to > as the "code_challenge") which is sent in the OAuth 2.0 > Authorization Request, along with the transformation method "t". > B. The Authorization Endpoint responds as usual, but records > "t(code_verifier)" and the transformation method. > C. The client then sends the code in the Access Token Request as > usual, but includes the "code_verifier" secret generated at (A). > D. The authorization server transforms "code_verifier" and compares > it to "t(code_verifier)" from (B). Access is denied if they are > not equal. > > > On Jan 29, 2015, at 7:16 PM, Brian Campbell <bcampbell@pingidentity.com> > wrote: > > Works for me. The text below needs to be fixed up to match too. > > On Thu, Jan 29, 2015 at 3:14 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > >> How about >> >> +--------+ +---------------+ >> | |--(A)-- Authorization Request --->| | >> | | + t(code_verifier), t | Authorization | >> | | | Endpoint | >> | |<-(B)- Authorization Code Grant --| | >> | | +---------------+ >> | Client | >> | | +---------------+ >> | |--(C)--- Access Token Request --->| | >> | | + code_verifier | Token | >> | | | Endpoint | >> | |<-(D)------ Access Token ---------| | >> +--------+ +--------------- >> >> >> >> On Jan 29, 2015, at 7:01 PM, Brian Campbell <bcampbell@pingidentity.com> >> wrote: >> >> In SPOP/PKCE §1.1 [1] the figure and explanation have the authorization >> request going to the "Resource Owner" and goes on to say that 'the resource >> owner responds as usual, but records "t(code_verifier)" and the >> transformation method.' That's not what the resource owner does. >> >> I know the protocol flow in RFC 6749 tries to have authorization grants >> be these abstract things that sorta come from the resource owner but, in >> the context of the the authorization request and authorization code grant >> type, it really doesn't work like that. The content in §1.1 seems, at best, >> to be more abstract and complicated than it needs to be and is bordering >> on being just kinda wrong. >> >> The RO and AS boxes should probably be consolidated into just the AS. The >> RO could be omitted from the diagram, I think. Or stick it over with the >> client, if you really want it in there, and have it authenticating and >> approving authorization though an interaction with the AS. Or something >> like that... >> >> >> >> [1] https://tools.ietf.org/html/draft-ietf-oauth-spop-06#section-1.1 >> >> 1.1 <https://tools.ietf.org/html/draft-ietf-oauth-spop-06#section-1.1>. Protocol Flow >> >> +--------+ +---------------+ >> | |--(A)-- Authorization Request --->| | >> | | + t(code_verifier), t | Resource | >> | | | Owner | >> | |<-(B)--- Authorization Grant -----| | >> | | +---------------+ >> | Client | >> | | +---------------+ >> | |--(C)--- Access Token Request --->| | >> | | + code_verifier | Authorization | >> | | | Server | >> | |<-(D)------ Access Token ---------| | >> +--------+ +---------------+ >> >> Figure 2: Abstract Protocol Flow >> >> >> This specification adds additional parameters to the OAuth 2.0 >> Authorization and Access Token Requests, shown in abstract form in >> Figure 1. >> >> A. The client creates and records a secret named the "code_verifier", >> and derives a transformed version "t(code_verifier)" (referred to >> as the "code_challenge") which is sent in the OAuth 2.0 >> Authorization Request, along with the transformation method "t". >> B. The resource owner responds as usual, but records >> "t(code_verifier)" and the transformation method. >> C. The client then sends the code to the Access Token Request as >> usual, but includes the "code_verifier" secret generated at (A). >> D. The authorization server transforms "code_verifier" and compares >> it to "t(code_verifier)" from (B). Access is denied if they are >> not equal. >> >> >> >> > >
- [OAUTH-WG] Misplaced Resource Owner in PKCE Brian Campbell
- Re: [OAUTH-WG] Misplaced Resource Owner in PKCE John Bradley
- Re: [OAUTH-WG] Misplaced Resource Owner in PKCE Brian Campbell
- Re: [OAUTH-WG] Misplaced Resource Owner in PKCE John Bradley
- Re: [OAUTH-WG] Misplaced Resource Owner in PKCE Brian Campbell