Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Mike Jones <Michael.Jones@microsoft.com> Wed, 06 May 2020 18:21 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D5C93A09F8 for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 11:21:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kz7KmejfsISH for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 11:21:35 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640103.outbound.protection.outlook.com [40.107.64.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AA093A09F3 for <oauth@ietf.org>; Wed, 6 May 2020 11:21:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EI1VuSk7PyKyJntKxKNi21ucgPMJny15Wdo3Aslva5XFeeqoKT/gUiRpXAWxi0g+xb+i7QQNqYbTwcEtCYFUvKzv99oJUB9rHgK7kHi0d9Md5SY5/bh4bvZ9TexDAQe69rJcjdkuCwTU0lefMqvVu/yXxh4qNMX7bilD20RN48S5SoH6QoIWI9BH86+IoO7Hl2t5npBsCTdw0P5wvpydhFXRPfY/P+r8n+k6U0gUV1s8TvSsF17IZNCCarUV1B88a/vvZGg8dpHSqHL/5XH6rvttRUV9t8lyqvVxdsPxfGfgzO7AVmNbMS83p9cf+0m36EhtXgetJE/UTQ/iyN83Ag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rBCiZKp192fEy/NXbjBTV6yHBz22P2QpncIarfHJn8g=; b=LBooBmCll/VYkEFQZlqXxBfE9hyrVn8x56BAPx1VHuKeS/rFzew30ttYQK4ORcXCe03fyhJsLbJEWVlWhdbONjg6miUoQRQS5h/6kqlVGv80S2t28DiIsFdJy2cxgPBMR0zYu5m4RhVX/hkNVMrecbyroN255P6m3KtrPg2JkhQ4KgmWTkDnDOqARLgk14EG8xnTEfn5l9ewQkHI4S9QPYPqs3yExRXE6BmfWLZBm7gEBF2b6wF9NltDafUoepDKLniFRBTR0rmd5LjVQI+HeP+oNOBq+1Vf365xKIMCC+034XuG+u9gFBCBgAzyzZekAIpa6prFA3wUFGoOFRthdg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rBCiZKp192fEy/NXbjBTV6yHBz22P2QpncIarfHJn8g=; b=ASxTuWt7RgzedkF6cUN38FXPy457XNtqVJPdOd5XxOxAxTgpkqRm4H/y+kBGRPXfgqvMY9yhbVbZ4WvQiGRs1GW0N9EhuiNg0E9IEnxZyKzkCCRJHU4dmCOePPcFqriy/6kcjIczYTCMNRLb0JrgXqoevNz0apoiGa1bvezSTTI=
Received: from DM6PR00MB0684.namprd00.prod.outlook.com (2603:10b6:5:21c::8) by DM6PR00MB0666.namprd00.prod.outlook.com (2603:10b6:5:220::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3019.0; Wed, 6 May 2020 18:21:19 +0000
Received: from DM6PR00MB0684.namprd00.prod.outlook.com ([fe80::28ba:39bb:f9ca:658b]) by DM6PR00MB0684.namprd00.prod.outlook.com ([fe80::28ba:39bb:f9ca:658b%5]) with mapi id 15.20.3015.000; Wed, 6 May 2020 18:21:19 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] OAuth 2.1 - require PKCE?
Thread-Index: AdYj0yIsbYPLqhhfTlu3+dAH+R+3ug==
Date: Wed, 6 May 2020 18:21:19 +0000
Message-ID: <DM6PR00MB068479502D207D9F2C8F1031F5A40@DM6PR00MB0684.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=5a379c11-bf0d-4664-918a-00006542b4d5; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-05-06T17:58:47Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: c78f096d-ff22-4602-6033-08d7f1ea45f0
x-ms-traffictypediagnostic: DM6PR00MB0666:
x-microsoft-antispam-prvs: <DM6PR00MB06663AD4A71656CA9126B9D7F5A40@DM6PR00MB0666.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 03950F25EC
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: m8yjVqYkcVrvvAz1aPduYW6q5SI+fY50XdoH7eOqKvZYCH4unKW5uFvMQM7tvVsnXEnCcogcNZZoUjYaBZD6TGpohwgb8YI8KdyhxAfgyj+Sr/oXkbwi0FL0d7dGmN+9crWH2BKlatZ3sMqXrnLU2i+LoHommPF4MWXQJ1rQFiVeELDKdbZlanVrieUve4Huv7FXFvX3jaWlE+z7tL3pEznkWNYcBqyyPRY1YlcM0G9ItXuo6JxFrmgI1QDql/QkAxadCfrcAhms75R58MMyMki2um2dp/0dCNwZ/lpb5aOpQ4hAM8qo1/ylZ9vFstA+B+rJz83OwrJ8nj8YaFG5XH4aLSWMp8NfAXTjw95Dt+VkJmJz9MQ18hT4d6cl1LlMTvNhk6GN+QSD720Izw1G/vIQ+8VjDHoKvUNUfoKz4aWAEu1/eFWjwo1IP1+2XN/b3HlUNlNOl2UW5bopQ+PNQSFATJIH60yAjykaWTz7Y/45nCXHrF8nQTmM81BCFdJGBwTzaSgKOETwoaIEvSluuw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR00MB0684.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(346002)(376002)(39860400002)(136003)(366004)(33430700001)(478600001)(33656002)(10290500003)(110136005)(5660300002)(8676002)(66476007)(66556008)(64756008)(66446008)(8990500004)(966005)(8936002)(53546011)(55016002)(66946007)(86362001)(6506007)(52536014)(26005)(33440700001)(66574014)(166002)(186003)(7696005)(2906002)(82950400001)(82960400001)(316002)(9686003)(76116006)(71200400001)(99710200001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: UEt8EqekFr0T48E0Fdlq3xH4dky50pwKXmnDADy1xVDGkYnG69ty6mvkLzoZOrUxqecKM7KcRYCiy6wnUMo9osSXbpezr9mwJV3uY77vpCcFoHLpNLkvJKyIExc3pHVCfSSZpmmimxW76mKFJnYt67zPijgacEGIj8s7oBKRUyxFCzR370eiGlKGwJfzOHFBLSkXkAgeS4Mv5yiOgVIXIn+n+IJQ2kWoi26gTiTZrC2M798CZIV88dgngCnrB5P+QJ866vqW/89YcovZqzdRTlWrOcvTkwFn1dfJ+iOMygEH46ikINm0XWFrzltaxDRO8Rmb31CZl3E4AOQFy3Cjnz379lparHXoghotI1vNe1+VI/CcciT66ofWb1Zx8WJ9S9lMRfjj0RPGXL/yCTMszmkcBjhLFvtK7a8pOHlfDkLKFzvJb/cqrCyCm4RCRsUQhHsnZFPizDjDPvcCA49wrabtzgQFxYp3S3mE+3sI93u2sMtq9XD43sl3hLc7MCxhlO6cbKKvGRc/Xw0WGXHp3CdAz9oCWgKYbXs4Ng4J5eBjQnEcwF/hdDV3SpOVhPtlH5IxYeak2AtUga7wF1diLq7Ee0KtL5PSIKuJ+mLM5eNRwU+2kRJ03SjRAKV7A9rp5h+9Lfsh2rYd73ewaWGXDxHgCn4G7xrEI47Z3Sltotbs2/f5Qa5nlP7AjKc67NU3TxdnzfbqBZ4lp8iKZkHKoSrHxGZhbbzdVBfwc6Gyt2R5isJeqA7KlCq+xU//Lbfq04duNliLxz4TOSM55ipnwobAv/CTg2y8lcINGH3MPzE=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB068479502D207D9F2C8F1031F5A40DM6PR00MB0684namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR00MB0684.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c78f096d-ff22-4602-6033-08d7f1ea45f0
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 May 2020 18:21:19.2833 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ig1rzLtcGk0GoeDvgiE74HDpvAYSxrB/g5zklYAFAjkYwUeJ7mnQm6xpchA8Ck5LZYcRJ82a/lpHkK9f54Nzbw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0666
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JQgLi1dXEmc8kBBGSxzqoHg2EJw>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 18:21:37 -0000

The disadvantage of requiring PKCE for OpenID Connect implementations is that you’re trying to add a normative requirement that’s not required of OpenID Connect deployments today, which would bifurcate the ecosystem.  There are hundreds of implementations (including the 141 certified ones at https://openid.net/certification/), none of which have ever been required to support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the guidance already in the draft Security BCP, requiring EITHER the use of PKCE or the OpenID Connect nonce.  Trying to retroactively impose unnecessary requirements on existing deployments is unlikely to succeed and will significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when they already support the OpenID Connect nonce.  And clients shouldn’t reject responses from servers that don’t support PKCE when they do contain the OpenID Connect nonce.  Doing so would unnecessarily break things and create confusion in the marketplace.

                                                          -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce solves some of the issues that PKCE protects against. We think that most OpenID Connect implementations also support OAuth 2.0, and hence have support for PKCE if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect deployments? How significant is that impact?

Dick, Aaron, and Torsten

[https://mailfoogae..appspot.com/t?sender=aZGljay5oYXJkdEBnbWFpbC5jb20%3D&type=zerocontent&guid=452438ba-d429-4656-ace9-b284744bc171]ᐧ