Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Brian Campbell <bcampbell@pingidentity.com> Wed, 06 May 2020 21:03 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9996E3A0B04 for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 14:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QnITsXxdCLjq for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 14:03:26 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 626D63A09FC for <oauth@ietf.org>; Wed, 6 May 2020 14:03:26 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id z22so2593982lfd.0 for <oauth@ietf.org>; Wed, 06 May 2020 14:03:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WT1zhQodIJIpzlJRxq5w+DvTT/29gufOvNbzVX1xJuo=; b=CkabtBxTsLduKokOQKQlhbdFXwIvY1HvlT/W5+HjC7sWNNK7GnFcTgRXVg6vIVQFPX yNEhzXZNOrhBvGwKEIl2gkmvk9yy3ZkrmTnRvXiZ+gfdxsgO7PjruJqMNcOtKk+tcetp Kzl3t0gJ56xlFeUNqMYuhg8M4vMuCv/MdnXqnDugfsoQ+UoYOzmJuY9lMJCUP8aSFNMc yUhWciqV+i3EtjE7SA9ArCu5ZOY57t7qbm9iVlBFbdfSxzSLV+dCNLzyAkymaFqkI+1E mfHwHvWqXFKXtnLzqbz0iVzdgOnou1/27DmO/T6cf0LQbKwWk6cOMdHRGHwjI2sxVAen nN6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WT1zhQodIJIpzlJRxq5w+DvTT/29gufOvNbzVX1xJuo=; b=bLUM0np9OcSu45p2PJSqlaxT38aVaHd2as24iM4KrmB/wPgusoErpaMTYnCzWzBc5G gITnXOp2+aa6uac9aj/kKQ9C7M/izOkCvNMHUfNWzFToAGMmfy9JLgqmV4oTGgbU9Glv lHM+sGaP3+x8/CNGFrghgZfOz/MAOJhwGOG3YWqTewnFK7vTircv4yrtol5c0EcgOwVK yQk9+flCk229CYTTtnmLFQnVy3nEtLtgZ7j62V7BFIe88VrUTwX+8q9JsjQwmG85kuBZ 7d1rZYgps4xso74Ro+6xuD0v5LwYHlXKNba3/RqIgCdbXqOTcaFQZxWZYAAV1HbHgNXO qwew==
X-Gm-Message-State: AGi0PuZbJKVvNlnFH0mN1CQ0i7WH47XvYoOxDyLJLqzizEqhJkzCVRh1 8L9k4nOeL8LSHKiMP1rYQCUdYLSrpJp1RjNtvUCp9kMXxsxya1UEDh43nE4pUOc1XDZUgpEP/ei OiIhbwlaDesjiUw==
X-Google-Smtp-Source: APiQypLDoLEko7xCJq1b2OcvpdXEus7R4LZ9nGEgo9JJ4PujnAPB5TYgnpW32/k+f9pwB1w4+OR0e6JEz5KPVHHpK48=
X-Received: by 2002:ac2:57cd:: with SMTP id k13mr5795838lfo.104.1588799004188; Wed, 06 May 2020 14:03:24 -0700 (PDT)
MIME-Version: 1.0
References: <CH2PR00MB0679E201D6B65F383B978E28F5A40@CH2PR00MB0679.namprd00.prod.outlook.com> <CAGBSGjpZKjwDT-Mn+x4--5A-c0_WVk4RH_RA1asT+xrzBqvZyg@mail.gmail.com>
In-Reply-To: <CAGBSGjpZKjwDT-Mn+x4--5A-c0_WVk4RH_RA1asT+xrzBqvZyg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 06 May 2020 15:02:57 -0600
Message-ID: <CA+k3eCS-kk4tW=z6O7hpjQS2w9i6mX41_pr0HArQeecHUNpgHw@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000043e32e05a50118d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/g70oMi91nv07fwTcb5045fCCgQY>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 21:03:31 -0000

I think the point is that the Security BCP in
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
requires that the authz request has either the PKCE "code_challenge" or the
OIDC "nonce". Whereas 2.1 in
https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-4.1.1.3
flat out requires PKCE "code_challenge" in the authz request. They are not
equivalent and have very different ramifications on interoperability etc..


On Wed, May 6, 2020 at 2:43 PM Aaron Parecki <aaron@parecki.com> wrote:

> Going back to this point about server vs client requirements, since both
> the Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE,
> isn't that already imposing additional requirements on OpenID Connect
> providers that don't currently exist in OpenID Connect alone?
>
> OPs that want to be compliant with the Security BCP will need to add PKCE
> support if they don't already have it (many of them already support it so
> for many of them this will not be any change), so it seems like a very
> small leap to also require clients implement PKCE as well.
>
> On Wed, May 6, 2020 at 12:31 PM Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
>> I realize what it says about servers.  My point is that OAuth 2.1’s
>> requirements on *clients* should match those in the security BCP and not
>> try to go beyond them.
>>
>>
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* Aaron Parecki <aaron@parecki.com>
>> *Sent:* Wednesday, May 6, 2020 12:24 PM
>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>> *Cc:* Dick Hardt <dick.hardt@gmail.com>; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Yes, the BCP says *clients* may use either PKCE or nonce to prevent
>> authorization code injection. Shortly after that quoted segment is the
>> below:
>>
>>
>>
>> > Authorization servers MUST support PKCE [RFC7636].
>>
>>
>>
>> On Wed, May 6, 2020 at 12:22 PM Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>>
>> Aaron, the section you cited at
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>> makes it clear that clients can support EITHER PKCE or the OpenID Connect
>> nonce.   The text is:
>>
>>
>>
>>    Clients MUST prevent injection (replay) of authorization codes into
>>
>>    the authorization response by attackers.  The use of PKCE [RFC7636
>> <https://tools.ietf.org/html/rfc7636>]
>>
>>    is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>>
>>    ID Token Claim [OpenID
>> <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#ref-OpenID>]
>> MAY be used as well.  The PKCE challenge or
>>
>>    OpenID Connect "nonce" MUST be transaction-specific and securely
>>
>>    bound to the client and the user agent in which the transaction was
>>
>>    started.
>>
>>
>>
>> We should not attempt to change that in OAuth 2.1, as doing so would
>> needlessly break already working and secure clients.
>>
>>
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* Aaron Parecki <aaron@parecki.com>
>> *Sent:* Wednesday, May 6, 2020 11:56 AM
>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>> *Cc:* Dick Hardt <dick.hardt@gmail.com>; oauth@ietf.org
>> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> > In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.
>>
>>
>>
>> The Security BCP already requires that ASs support PKCE:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 Are
>> you suggesting that the Security BCP change that requirement as well? If
>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>> implicit statement that it's okay for OpenID Connect implementations to not
>> be best-practice OAuth implementations. And if that's the case, then I also
>> think it's acceptable that they are not complete OAuth 2.1 implementations
>> either.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones <Michael.Jones=
>> 40microsoft.com@dmarc.ietf.org> wrote:
>>
>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>> that you’re trying to add a normative requirement that’s not required of
>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>> There are hundreds of implementations (including the 141 certified ones at
>> https://openid.net/certification/), none of which have ever been
>> required to support PKCE.  Therefore, most don’t.
>>
>>
>>
>> Per feedback already provided, I believe that OAuth 2.1 should align with
>> the guidance already in the draft Security BCP, requiring EITHER the use of
>> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
>> unnecessary requirements on existing deployments is unlikely to succeed and
>> will significantly reduce the relevance of the OAuth 2.1 effort.
>>
>>
>>
>> In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.  And clients
>> shouldn’t reject responses from servers that don’t support PKCE when they
>> do contain the OpenID Connect nonce.  Doing so would unnecessarily break
>> things and create confusion in the marketplace.
>>
>>
>>
>>                                                           -- Mike
>>
>>
>>
>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Dick Hardt
>> *Sent:* Wednesday, May 6, 2020 10:48 AM
>> *To:* oauth@ietf.org
>> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Hello!
>>
>>
>>
>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is
>> best practice for OAuth 2.0. It is not common in OpenID Connect servers as
>> the nonce solves some of the issues that PKCE protects against. We think
>> that most OpenID Connect implementations also support OAuth 2.0, and
>> hence have support for PKCE if following best practices.
>>
>>
>>
>> The advantages or requiring PKCE are:
>>
>>
>>
>> - a simpler programming model across all OAuth applications and profiles
>> as they all use PKCE
>>
>>
>>
>> - reduced attack surface when using  S256 as a fingerprint of the
>> verifier is sent through the browser instead of the clear text value
>>
>>
>>
>> - enforcement by AS not client - makes it easier to handle for client
>> developers and AS can ensure the check is conducted
>>
>>
>>
>> What are disadvantages besides the potential impact to OpenID Connect
>> deployments? How significant is that impact?
>>
>>
>>
>> Dick, Aaron, and Torsten
>>
>>
>>
>> ᐧ
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._