IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Mike Jones <Michael.Jones@microsoft.com> Fri, 08 May 2020 20:25 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57E813A0EAE for <oauth@ietfa.amsl.com>; Fri, 8 May 2020 13:25:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s29-2ethZ4Ty for <oauth@ietfa.amsl.com>; Fri, 8 May 2020 13:25:23 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640127.outbound.protection.outlook.com [40.107.64.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 274B03A0EB6 for <oauth@ietf.org>; Fri, 8 May 2020 13:24:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=T0aJBuK58idLkbd+yrYFVitKyoFlvXrlAlhqPZwGluknKpls/mm4K8AAf+zqjyFObO34w6EM+6dimfNxJI5/ne7nVEkuo5f4Yk1fYz5jN/BLQxfuEFuPM533LdRn4lCUeZP5H9OqW+J4ulGzs617gR+jnVzhsH1LzV23k/J2abL+8VeEh36/gzViATfcno6Rm99GYeBPMuk7Zea2FQvJv3Ap8iD3S47UJWpghT6oXIlRjBpDNuXrQium5TJX2xlZn/iCVj6oE4EvdUvDubjOO5ve7+U2TIimeQejF6dHbqiQndNupjeFqsoVCz7GbcSnRb8/Wh/dFw1gZbZAoeNv9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FgUpHRPABASC/2zKclqPzc9uukMC6y0Xhg6Ws1TKhd4=; b=mTYIRalh9VTTzHYCyL0T7xWrgq6RUacoLAgPwonUzqgc/x2/msnbOd0aJqHBIRlnWVITxtQCJ9aXAkhRbeDf6UcRXIQQEjvV2f8n68Q9DvJUUp7sbTy5XwGcgw9JPHP5qTWeEwUyVPHN+d93eaZ8Wr0LwqaGdBECEObrNfP5SaHEidOsobSqJ6RSqQeZtPZiRxlSr/6YCmzo3dd8U9CJmL8JucGvbtg+GophYz/lYnLpQcVTYelUlNV7cCwd2Hhm2w4EdRTlapbbM5jnrp+3BhoNP/iHfBaTdRLw9Eauy7Lkpglxkeiy6qQLuRRfyO85+2cfdXdIJ85RAnxQRJQu0w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FgUpHRPABASC/2zKclqPzc9uukMC6y0Xhg6Ws1TKhd4=; b=daDcWhBcBghuxvYpaAoA2uur51VZx5hdFlQCt98FAHP3xuzR0jNcRXQxfKa+0JBKerqnRjZBObJKvQph3zrhI0+qw6wnXJoFojE7HBUOA8vk/dZDMMrS6lvF9MAWKadnAVzDpwvwj16ahexal2xlfrWCCi64U5Ey1iakOWc4TD0=
Received: from MN2PR00MB0688.namprd00.prod.outlook.com (2603:10b6:208:199::23) by BL0PR00MB0339.namprd00.prod.outlook.com (2603:10b6:207:1f::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3015.0; Fri, 8 May 2020 20:24:50 +0000
Received: from MN2PR00MB0688.namprd00.prod.outlook.com ([fe80::d8ef:3352:9393:c073]) by MN2PR00MB0688.namprd00.prod.outlook.com ([fe80::d8ef:3352:9393:c073%7]) with mapi id 15.20.3025.000; Fri, 8 May 2020 20:24:50 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Phillip Hunt <phil.hunt@independentid.com>, Dick Hardt <dick.hardt@gmail.com>
CC: Philippe De Ryck <philippe@pragmaticwebsecurity.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] OAuth 2.1 - require PKCE?
Thread-Index: AdYldrhR4VOCGpg6R6+hy9/8Vn1Hdg==
Date: Fri, 08 May 2020 20:24:50 +0000
Message-ID: <MN2PR00MB0688255B6AE8C5369D26A0B5F5A20@MN2PR00MB0688.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=20e26554-c52d-4339-a3cd-000096c181ac; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-05-08T20:21:07Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: independentid.com; dkim=none (message not signed) header.d=none;independentid.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 00cb799b-653b-4bcb-91f6-08d7f38ddc0d
x-ms-traffictypediagnostic: BL0PR00MB0339:
x-microsoft-antispam-prvs: <BL0PR00MB0339698F9A73293E1ADB4D52F5A20@BL0PR00MB0339.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:4941;
x-forefront-prvs: 039735BC4E
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: W9K4rsp9PhYiQjsXptdElJmP/63zzJzcmH/zbAI/UQUkuvE5nBbpLxm+44F93buMg4/C5sH/4aOjpg4ZdoE2Zs8rRADC1eIVXZZKx317FhC/xKTV8s4jG13MpuCvXJ7WmTRQ8kvd0mRLPfkTQoiNQXeD04uqSVYgYrC8lTgCYnv+z7jFZqFvthF3ES47tOlcc4WLGyN0OmhAPvYu7KcsNbp4ttTIGDtVrXLnPj2WA8jcMRB7REDYAv+qPd9xUsK6pD8LArUNrinq4yAGiQgU0WjuNriSHeX9LVWwK1L+DU+8fafRkDqnA7p9oBbgplMP74HOvJQQ9zHAUDla/nML6ua+RtafayRMViJ/wAT2kJtmGMGYlg6BAJPJichYJ+IIMmVinRxTZaorOXN3N71rQ9ShBdyOeb6V1BeXqANYEA52bJrObIZKnMe4Ytd4ovvyUjXvyp04+82AliWXWKcfeeaCPyFp4NjrSErB51f2+tjCFG8ldmhoqqoc5cm7iHPMMCXi3vumkF4Su+GnXJTdLQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR00MB0688.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(396003)(39860400002)(366004)(346002)(136003)(33430700001)(186003)(8936002)(9686003)(33656002)(166002)(316002)(26005)(2906002)(4326008)(66574014)(5660300002)(76236002)(8676002)(71200400001)(55016002)(966005)(110136005)(54906003)(53546011)(478600001)(64756008)(8990500004)(66556008)(6506007)(76116006)(66446008)(86362001)(7696005)(83320400001)(83310400001)(83300400001)(82960400001)(66946007)(10290500003)(52536014)(33440700001)(82950400001)(66476007)(99710200001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: Jm3vuB0ZSyT0Se2vbjJDsKaIZJePNDs7FLduK9evTXrRrOSooXCKG4jKaXpju3fOK/qc4+Hx3JvO18o50n42Apw7l14P/DCzMRtwOoqgWef4lBnvw08+dHhr0Yg38gaVtgVip8NH0Q4M72siMWTjOYa6l04m0RiphRChvzdJtDeXqkyi23kaFKltc82OnxfK4XM+txrwisMMbuYV05uVEkGyEtSQ6fdUKpGZXWH2zeE4Q68x0TqCLZFXyRqAcwa9HtIGE+r+pau6nGy6xJGUv5FpXEdh+Rtc7Pnd4bJuKF1geWEAsu088SmIQfO9sIXFGdsKfQdMEyNZcGI/briggop/UeueSj6sD1TP7yGyGv/EARr+uVV8GHKvqTcgD94FGjuCIh+IV+B6ppzvz+qowCT2BhzFigR51CnY5nqkkN0te/2i3H5LnEIIb0gKVaUWjiY3l9bwLXC/LpHbBPjhKCzvIh2owE+EhI7TwK++/KM=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB0688255B6AE8C5369D26A0B5F5A20MN2PR00MB0688namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR00MB0688.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 00cb799b-653b-4bcb-91f6-08d7f38ddc0d
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2020 20:24:50.2267 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wxgyqGsBz80+Pfenvvzv1zHyZUUuggbrs74fGRiyIP7VzWreBhsGI3ogqLtNmK56YXNZuT34LkbNrjD1JDT9tw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR00MB0339
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ml8LhsTCN9YpUrUc2x186OiO58c>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 20:25:37 -0000

Actually, the first paragraph of the Security BCP section at https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1, which has gone through WGLC, includes the use of “nonce” to prevent authorization code injection as a best practice.  That’s already a pretty strong stamp of approval by the OAuth working group.

                                                       -- Mike

From: Phillip Hunt <phil.hunt@independentid.com>
Sent: Friday, May 8, 2020 12:45 PM
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Philippe De Ryck <philippe@pragmaticwebsecurity.com>; Mike Jones <Michael.Jones@microsoft.com>; OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

We are not discussing anything new here. We are discussing adoption of best practice.

The disconnect appears to be that one dependent standard’s “typical” use (nonces) does not have the ietf consensus as best practice.

This lack of consensus needs to be resolved.

Phil


On May 8, 2020, at 12:37 PM, Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:

FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is OAuth 2.0 with best practices.

On Thu, May 7, 2020 at 10:36 PM Philippe De Ryck <philippe@pragmaticwebsecurity.com<mailto:philippe@pragmaticwebsecurity.com>> wrote:
From working with a lot of developers on understanding OAuth 2.0 and OIDC, I definitely vote for simplicity. Understanding the subtle nuances of when a nonce is fine and when PKCE should be used is impossible without in-depth knowledge of the flows and their properties. Misunderstandings will cause security vulnerabilities, which can easily be avoided.

Since OAuth 2.1 is a separate spec, I don’t really see a problem with existing code not being compliant. They support OAuth 2.0, and if they want to be OAuth 2.1 compliant, they add PKCE. If I’m not mistaken, other requirements of OAuth 2.1 would also clash with existing deployments (e.g., using non-exact redirect URIs).

I believe that optimizing for making OAuth 2.1 easier to understand will yield the highest return.

Philippe



On 8 May 2020, at 03:42, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org<mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>> wrote:

Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned about “the amount of explanation this will take”.  That’s optimizing for spec simplicity – a goal that I do understand.  However, by writing these few sentences or paragraphs, we’ll make it clear to developers that hundreds or thousands of deployed OpenID Connect RPs won’t have to change their deployments.  That’s optimizing for interoperability and minimizing the burden on developers, which are far more important.

As Brian Campbell wrote, “They are not equivalent and have very different ramifications on interoperability”.

Even if you’re optimizing for writing, taking a minimally invasive protocol change approach will optimize that, overall.  If we proceed as you’re suggesting, a huge amount of writing will occur on StackOverflow, Medium, SlashDot, blogs, and other developer forums, where confused developers will ask “Why do I have to change my deployed code?” with the answers being “Despite what the 2.1 spec says, there’s no need to change your deployed code.”

I’d gladly write a few sentences in our new specs now to prevent ongoing confusion and interop problems that would otherwise result.  Let me know when you’re ready to incorporate them into the spec text.

                                                       -- Mike

From: Aaron Parecki <aaron@parecki.com<mailto:aaron@parecki.com>>
Sent: Thursday, May 7, 2020 4:39 PM
To: Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>>
Cc: OAuth WG <oauth@ietf..org<mailto:oauth@ietf.org>>; Torsten Lodderstedt <torsten@lodderstedt.net<mailto:torsten@lodderstedt..net>>; Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
Subject: Re: OAuth 2.1 - require PKCE?

Backing up a step or two, there's another point here that I think has been missed in these discussions.

PKCE solves two problems: stolen authorization codes for public clients, and authorization code injection for all clients. We've only been talking about authorization code injection on the list so far. The quoted section of the security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only talking about preventing authorization code injection.

The nonce parameter solves authorization code injection if the client requests an ID token. Public clients using the nonce parameter are still susceptible to stolen authorization codes so they still need to do PKCE as well.

The only case where OpenID Connect clients don't benefit from PKCE is if they are also confidential clients. Public client OIDC clients still need to do PKCE even if they check the nonce.

OpenID Connect servers working with confidential clients still benefit from PKCE because they can then enforce the authorization code injection protection server-side rather than cross their fingers that clients implemented the nonce check properly.

I really don't think it's worth the amount of explanation this will take in the future to write an exception into OAuth 2.1 or the Security BCP for only some types of OpenID Connect clients when all clients would benefit from PKCE anyway.

Aaron



On Wed, May 6, 2020 at 10:48 AM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce solves some of the issues that PKCE protects against. We think that most OpenID Connect implementations also support OAuth 2.0, and hence have support for PKCE if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect deployments? How significant is that impact?

Dick, Aaron, and Torsten

ᐧ
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email