Re: [OAUTH-WG] Misplaced Resource Owner in PKCE

Brian Campbell <bcampbell@pingidentity.com> Thu, 29 January 2015 22:40 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E36F1A012D for <oauth@ietfa.amsl.com>; Thu, 29 Jan 2015 14:40:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ebsJ-38TnEwm for <oauth@ietfa.amsl.com>; Thu, 29 Jan 2015 14:40:18 -0800 (PST)
Received: from na3sys009aog124.obsmtp.com (na3sys009aog124.obsmtp.com [74.125.149.151]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0291A000D for <oauth@ietf.org>; Thu, 29 Jan 2015 14:40:18 -0800 (PST)
Received: from mail-ie0-f179.google.com ([209.85.223.179]) (using TLSv1) by na3sys009aob124.postini.com ([74.125.148.12]) with SMTP ID DSNKVMq20l9A/1egllW8EXLWuLFCrvBQKXWy@postini.com; Thu, 29 Jan 2015 14:40:18 PST
Received: by mail-ie0-f179.google.com with SMTP id x19so413673ier.10 for <oauth@ietf.org>; Thu, 29 Jan 2015 14:40:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=MSgX2G70WrPKnMFfTld6lAo+A0EWntnYqM4ZfF+wr04=; b=AoU3yWj3fspYWXxruS4ymL2GkvWKtKRUzFEK461JcAdvRJSQpRuN2sZyneAmYYkAgt dCXYblID2C7c1jjomfSCG4lnejmRWsoT0rqfc7c4gnY+Iz3Ra2tHUA6UDrv0LXESQjlf lryntPT6GnFtGJvzVNe8Ra5sQqMtOMqo8ja528Wx96Arw8tUZ/aihhp+bTIiHSciEE0N HGnNkfsELy/87x1YHsUh3jysGjnCGjgxhLo3uxjvaoo665u3n4A5sN31E0lA1SaWguNy peb8mxZQ/el2qr2OSSZu8WTSQh+Su/Gf4Je51DaKJO9EcwrHN5xIWbzE8IZKy4m4F9dv tO3Q==
X-Gm-Message-State: ALoCoQnC9/p7arJN3dh1yAudrBhxdklPuZO3cYCWlIBwoIkS1/CWV3+TAz9QPDygL983+B2qC3kevFVrrcPJbLur1rSxBR7XJTJ3oDFcWVkJFX7GzJYbZy7p3xi2yfF5JTfqpIa5depa
X-Received: by 10.43.95.2 with SMTP id ca2mr3178362icc.89.1422571218033; Thu, 29 Jan 2015 14:40:18 -0800 (PST)
X-Received: by 10.43.95.2 with SMTP id ca2mr3178349icc.89.1422571217904; Thu, 29 Jan 2015 14:40:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.33.75 with HTTP; Thu, 29 Jan 2015 14:39:47 -0800 (PST)
In-Reply-To: <3E4FF4CB-DEF4-4C3A-A09C-7B157DDEE2E2@ve7jtb.com>
References: <CA+k3eCS0BP5se-nbhw6bpCWH9HSe_4afQRXrS8fL8vYm3+LGmA@mail.gmail.com> <DE5F6289-144D-4002-85F0-34DCF3F783E6@ve7jtb.com> <CA+k3eCRrkExQk2Rkjq2aZaEUQW4k8jPZA50C3aO2nAHCBDry-g@mail.gmail.com> <3E4FF4CB-DEF4-4C3A-A09C-7B157DDEE2E2@ve7jtb.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 29 Jan 2015 15:39:47 -0700
Message-ID: <CA+k3eCTfmUXCcBM82q0G=n+YeifPZLpeXfnMvmPLwrRYC8V+jA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=bcaec51969551cbc28050dd22cf2
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/fnCHyjXpr1j8fiYT4lKH7LN90JU>
Cc: oauth <oauth@ietf.org>, Naveen Agarwal <naa@google.com>
Subject: Re: [OAUTH-WG] Misplaced Resource Owner in PKCE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 22:40:22 -0000

Good by me.

On Thu, Jan 29, 2015 at 3:35 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

>
>        +--------+                                  +---------------+
>        |        |--(A)-- Authorization Request --->|               |
>        |        |        + t(code_verifier), t     | Authorization |
>        |        |                                  |    Endpoint   |
>        |        |<-(B)---- Authorization Code -----|               |
>        |        |                                  +---------------+
>        | Client |                                     Authz Server
>        |        |                                  +---------------+
>        |        |--(C)--- Access Token Request --->|               |
>        |        |          + code_verifier         |    Token      |
>        |        |                                  |   Endpoint    |
>        |        |<-(D)------ Access Token ---------|               |
>        +--------+                                  +---------------+
>
>                      Figure 2: Abstract Protocol Flow
>
>
>
>
>
> Sakimura, et al.         Expires August 2, 2015                 [Page 4]
> 
> Internet-Draft                 oauth_pkce                   January 2015
>
>
>    This specification adds additional parameters to the OAuth 2.0
>    Authorization and Access Token Requests, shown in abstract form in
>    Figure 1.
>
>    A. The client creates and records a secret named the "code_verifier",
>       and derives a transformed version "t(code_verifier)" (referred to
>       as the "code_challenge") which is sent in the OAuth 2.0
>       Authorization Request, along with the transformation method "t".
>    B. The Authorization Endpoint responds as usual, but records
>       "t(code_verifier)" and the transformation method.
>    C. The client then sends the code in the Access Token Request as
>       usual, but includes the "code_verifier" secret generated at (A).
>    D. The authorization server transforms "code_verifier" and compares
>       it to "t(code_verifier)" from (B).  Access is denied if they are
>       not equal.
>
>
> On Jan 29, 2015, at 7:16 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Works for me. The text below needs to be fixed up to match too.
>
> On Thu, Jan 29, 2015 at 3:14 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> How about
>>
>>     +--------+                                  +---------------+
>>     |        |--(A)-- Authorization Request --->|               |
>>     |        |        + t(code_verifier), t     | Authorization |
>>     |        |                                  |    Endpoint   |
>>     |        |<-(B)- Authorization Code Grant --|               |
>>     |        |                                  +---------------+
>>     | Client |
>>     |        |                                  +---------------+
>>     |        |--(C)--- Access Token Request --->|               |
>>     |        |          + code_verifier         |    Token      |
>>     |        |                                  |   Endpoint    |
>>     |        |<-(D)------ Access Token ---------|               |
>>     +--------+                                  +---------------
>>
>>
>>
>> On Jan 29, 2015, at 7:01 PM, Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>> In SPOP/PKCE §1.1 [1] the figure and explanation have the authorization
>> request going to the "Resource Owner" and goes on to say that 'the resource
>> owner responds as usual, but records "t(code_verifier)" and the
>> transformation method.' That's not what the resource owner does.
>>
>> I know the protocol flow in RFC 6749 tries to have authorization grants
>> be these abstract things that sorta come from the resource owner but, in
>> the context of the the authorization request and authorization code grant
>> type, it really doesn't work like that. The content in §1.1 seems, at best,
>> to be  more abstract and complicated than it needs to be and is bordering
>> on being just kinda wrong.
>>
>> The RO and AS boxes should probably be consolidated into just the AS. The
>> RO could be omitted from the diagram, I think. Or stick it over with the
>> client, if you really want it in there, and have it authenticating and
>> approving authorization though an interaction with the AS. Or something
>> like that...
>>
>>
>>
>> [1] https://tools.ietf.org/html/draft-ietf-oauth-spop-06#section-1.1
>>
>> 1.1 <https://tools.ietf.org/html/draft-ietf-oauth-spop-06#section-1.1>.  Protocol Flow
>>
>>        +--------+                                  +---------------+
>>        |        |--(A)-- Authorization Request --->|               |
>>        |        |        + t(code_verifier), t     |   Resource    |
>>        |        |                                  |     Owner     |
>>        |        |<-(B)--- Authorization Grant -----|               |
>>        |        |                                  +---------------+
>>        | Client |
>>        |        |                                  +---------------+
>>        |        |--(C)--- Access Token Request --->|               |
>>        |        |          + code_verifier         | Authorization |
>>        |        |                                  |     Server    |
>>        |        |<-(D)------ Access Token ---------|               |
>>        +--------+                                  +---------------+
>>
>>                      Figure 2: Abstract Protocol Flow
>>
>>
>>    This specification adds additional parameters to the OAuth 2.0
>>    Authorization and Access Token Requests, shown in abstract form in
>>    Figure 1.
>>
>>    A. The client creates and records a secret named the "code_verifier",
>>       and derives a transformed version "t(code_verifier)" (referred to
>>       as the "code_challenge") which is sent in the OAuth 2.0
>>       Authorization Request, along with the transformation method "t".
>>    B. The resource owner responds as usual, but records
>>       "t(code_verifier)" and the transformation method.
>>    C. The client then sends the code to the Access Token Request as
>>       usual, but includes the "code_verifier" secret generated at (A).
>>    D. The authorization server transforms "code_verifier" and compares
>>       it to "t(code_verifier)" from (B).  Access is denied if they are
>>       not equal.
>>
>>
>>
>>
>
>