IETF Logo Mail Archive

Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF

George Fletcher <gffletch@aol.com> Wed, 05 January 2022 16:50 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D1853A115D for <oauth@ietfa.amsl.com>; Wed, 5 Jan 2022 08:50:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.559
X-Spam-Level:
X-Spam-Status: No, score=-1.559 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.714, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5NDeCByVTzZs for <oauth@ietfa.amsl.com>; Wed, 5 Jan 2022 08:50:28 -0800 (PST)
Received: from sonic308-36.consmr.mail.ne1.yahoo.com (sonic308-36.consmr.mail.ne1.yahoo.com [66.163.187.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C02363A115B for <oauth@ietf.org>; Wed, 5 Jan 2022 08:50:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1641401427; bh=r/UQG9MT2qyx/9G/uWRso+SEZP1qD1fRHGdadqRdSQc=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Subject:Reply-To; b=Mhr0TC0lRbA0x4SL6Gk2rngG3D0kQIGlE7MZ4lnqbgLPsJwUcB2dAtkD9VczGxUjrac2c4Cn8uxDM/ENPlCBLYbvefwYx7lbb9MFKp36OxZHinVNsaq2J2gSjkep5ZXNqL7c/9sx1CIYNIQEYoXrv1TjUDQJs/9HVKCeZEp9/9VCO1mGyiSDEquBjAgPF5iwucjES+yr/5E7jSMIUvWYq4DlDB8qDBC0UXM3QqJ9CxWqBS3pz6jAykhseb5jwaox+ezBzCVOSxYKi5h0REYI/UsxrL7emOIE3LZSzBYrta0T4aJkXXrNBKMSzzx0DlbrxP3X2n+1ic7YQ2Z1mRoELA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1641401427; bh=ZR0PV770pOOuPXdEEB2rDQiLdcWBsoFIyNlEFye5wgl=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=t40we6QCumn8MjXQftWM2GfAHiAS2J3zPEgOSmw2HEaZZvNTGR83eMkRHsA7L9EZJSf0r9rKVxRa6MgfU+Y5QGOKEyYHoi2II1+prUXQf5kuzDMMPEcJ32JEhXAspcoh5U+fE1LJOO+29p+yl9OMBK1+LvI+uVDdXguIgpxeJktT6mcjeiRL8Sm77cOBS0uX6TJsn8UH5V48k1HgXdDnYeDuh+VGI2P6Fghc6iQDboPxVSCiaC2PfG+Jgh3PA/RKU8zFCLHR84xoFLz2TEaUnXzcOjUmGnp3e0WWlEsMAZI9XYcLoD7MHwLz/EaQye9g3l5b4HYCCIa7DtfKL9VJXQ==
X-YMail-OSG: vdvLdiIVM1kFVBP2kyWw1TkyZAh5GTOb1ULNI6sau_AjznegpHaCxXSa3Hgcb_j zKQ6R1.5apxpH25g7mcpqNa9s5zB4uU4cSEDDUq3ec9aEY908X8fDYtmE8LF2N_5WfuZ1R1q_9am uZe2xtylkmUcfYlRxuMVEGdxMRLTPEN_9KTzGU89NatYUMdY0sUNJMZ8f1maPpCNF6rwrIZ6DVcs CsgUqGJ67MSbgF.7shfUUHkt0w7.VY28tP4NqYCQRHrLhUWo8qWR73Sw0H5IIh7e6s03gtVZzIdf QzQAJCqsBpAFhYsJ35ybM3EQX1i84AgHJyzaJNygHCZBaUfsNc6KubXv4HJkLyysMmOK5al4chn3 kDsJ..1NHE1ONR76CPqGF8jT0tIXzahGkTj_Avy2zRrq9yiv9tdOc4nknVQwRkrZ9ZOabRjL0C2f 6Froel64zE88qXkaHTmugy260_jBfV3otnMlkaXSzRB50h5U0Y8InKxU6otWe0WfG5l5oKJiYwqR qfYGhcf9qR3Zn8tP9iRxW0lKQsKY39uhfqL4Gi1B0noe1BrgNX6VgkVU6xg4CPShdnr5Tju1Nf0q QR.XUnO34LZ_GyioI5_EHFaDLwP2aT2eF2NI.8aTRNdCnUyfEmuqhsmBEjgOdadtX0flYn7QQ4Pz ewAHXG65LmZmcDCH1ioajyRw.BXMaeoV3OHvCe.xvPUrX69j0.S65vAmlQd0U2lBaoOzGuXfZAo2 Py.shVAxWQvOUvgxfYwTiQ7o7w3z5gyEVogS_R8roPrCS7kujEXVePAjxt3se4PXHY92eQAB4qyo p_qh9yXQCMF94yRj7oihM6N4WqRaor72mikTRu_MFs4MWHuoyyTJ8mqKocIIEd7Sp8MYHWJ030kY bpUA.joL2tFD8st_7EHdNwBzFyNM8udQH08DjJ2ZghxErr4HwTlZ.jcWyHrn3bly4ZBSXpaIz9FS gWtKiR7MuSS2s8V.MHWpSzBN1Kkstl2UjPBEzrnmT3.5Dikl4Rondvp92w.BLIgMc4H41Fhi3mks Zzcw1wFGQzo6i6MofbgrcA2pDpnh1dI71wMZmLBDoziBhk5PCurj9MIdCtma3hXgEupGFEeWVr.q G0W4LSKB301jzpC_4ZZQrbJINlRDSK3wI1ixf7AQMe9ispUy2oQJstvyfthKwd50nX0fLqNdFFAq 5SVQtvRUL9ZA.V6PNWwhq4AjxYKQeL02Q2eky6rDnTfMte2.mtssFaVfYabOCMAPZPfaEw5RUYON 5ltYsJ4BKwXjY.S39aVeOe3tYh6CxXbwE34FpV5EeTd5D6D4JnGj9ga2PDiZTKPIRplE._dVjNyE 4KV3UufUF6pBMbMICrgreGPsQuPQEV_b5f48AMyJ9s8VGkGufjqxXG.2Po8L3bXZWRCgh8Zmac80 eA4BxjRuj8Nnlx6aepqinGzN4DHmgPlaTXCKTarFsrZhU.fP0yyni.98GAHsGyRNbQi7O_qlDGbS 9X4bZ6dZV1ksBLUrjTJARbGcTrqFARpvYCrvBT18hU2OJRsPn52q_JtHC94iD1YjUNMSU1GJUVly qnqTPc88mUu8BWPOyHAIjZgNJE4sc3QLR8MMrOkcIuMPezelnLLwDFQ9wipny2G.YfUV6nDKNcWq EA3QWVptBsJvclzfl2Dacnf.BG_szPZRIkkBM_rdnfNnseWM.8wesYyWMO9A8PO7RTOc9to961lV sUJOO_JVAmqJN_l4_Ph_kayIKui9MWz6mJx2uXcNtj1nYfVDosBA1zEVclmxNEpxWn_W6VY8pIWP ESs2UQlaJPQiSKv2GvF98MwfyvMKKZ8m6CAv_M3mSGisZgN_ehShJqEsArh7O1fYi7QhSuQr5JPK xr8agLmpswSDJJnp8p0HDjMLoFAe8TCTJzdY4jkanfsfU1Yx9jVC3W5Cbxw1QpazX9HrulLfLxav fbsv7ipKYWIn3wZCxW1X0RYvyZMzqJifNwYWccMfLyW_Jt9rg0j6NtiNDBoWkqx.PCtf6WL_1l_e BvP7tcHrfww9ziijHnsrVs4leDAKmEbowMDhLjxOE7zp1uaFBS3FU.gT5NN9JR2XUsrQaL1mAPN3 x1Wss4gTNyV6eOG0w6mBResfR6uaOdBCib040qeIrHlw3zAk6sEkc6OnLYTxTmQmAeVkQ6KhWhyN gCCaMGl9urJENEZTADuk3gbtlT.TkjWbQy4bhnWaY22XASXLP6JH0HyDTFBTmvCoA.W3XmQ--
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Wed, 5 Jan 2022 16:50:27 +0000
Received: by kubenode548.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 7370956655f1e7ca8b13425d278af3ac; Wed, 05 Jan 2022 16:48:25 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------BlC5jV9MS3Zwbyrvubtlu5yf"
Message-ID: <db3efddd-ac34-116e-f5c1-64b916c4771e@aol.com>
Date: Wed, 05 Jan 2022 11:48:23 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Content-Language: en-US
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, Christopher Burroughs <chris.burroughs@protonmail.ch>
Cc: oauth <oauth@ietf.org>
References: <AM7P192MB0819568B6CF315C3BC3A9B15E44A9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM> <b711bc01-9674-6072-d941-7e1ba8f8c9ec@aol.com> <AM7P192MB081909F590F651D656ACC892E44B9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM> <CAJot-L2o32DCswBAoq6DKZgZmEKgafEk=_AGnj5y3q3CBPsa3A@mail.gmail.com> <AM7P192MB0819D3D6523981A8495D5CD7E44B9@AM7P192MB0819.EURP192.PROD.OUTLOOK.COM> <6Kxw1IhJ0CB5svSOaCq1pBJLwZcQNvswr1Uw4mq8xswG9Z8fDMMevvE95zYV8WxcT1eLriglIcDv1hPr3j-d5GQ0ByLae9zC2HM8SVmoHUI=@protonmail.ch> <CAJot-L2r7u2iL6cGEQPZg0N4SkiXTinmMLrXQZT0YN20U39vYw@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <CAJot-L2r7u2iL6cGEQPZg0N4SkiXTinmMLrXQZT0YN20U39vYw@mail.gmail.com>
X-Mailer: WebService/1.1.19567 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nuWMT1sl_b4NNk-6DXwcZ0hC6ls>
Subject: Re: [OAUTH-WG] Edge case in RFC 7636, Server Verifies code_verifier facilitates Login-CSRF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 16:50:34 -0000

So it seems to me, two factors need to be present for something "bad" to 
happen...

1. The client always sends PKCE but the AS doesn't require the client to 
use PKCE
2. The client must accept uninitiated authorization response messages 
(i.e. from the attacker)

If either of the above are not true, then I think any attack fails. 
Please correct me if I'm wrong.

Mitigations then are...
1. AS requires designated clients to always provide PKCE parameters and 
fails the /authorization request if they are not present
2. The client does not accept uninitiated authorization response messages

It's best if both mitigations are implemented along with others 
identified in this thread.

My 2 cents:)

Thanks,
George

On 1/5/22 10:24 AM, Warren Parad wrote:
> The PKCE downgrade attack is the converse, here we are adding in PKCE 
> where there was none.
>
>     An attacker can thus send the victim the authorization response,
>     after the victim clicks the link, the client application sends a
>     Token Request with the code_verifier present with the client to
>     Keycloak.
>
> That isn't the whole flow though, right? You are missing what the 
> authorization request the attacker sent to the AS is, as well what 
> happens after the user agent gets back the access token, how is a 
> token generated this way a vulnerability.
>
> I think I see the suggested problem:
>
> if an AS-client interaction supports both PKCE and not PKCE, and the 
> client assumes that PKCE is sufficient for CSRF, when the auth code 
> request doesn't include the PKCE but the client didn't send 
> state/nonce. With OAuth 2.1 it is clear that the nonce/state must be 
> sent in this situation:
>
>   * State is required in OAuth authorization code requests if PKCE
>     isn't specified: OAuth 2.1 section 7.7
>     <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.7>
>   * State is required in OAuth token exchange requests if present:
>     Section 4.1.2
>     <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.2>
>
> Since the user agent won't contain the valid state/nonce generated by 
> the attacker, it isn't possible for it to send the attacker's state to 
> the AS. Therefore the AS will reject the token exchange due to the 
> state mismatch. It doesn't matter if the request isn't protected 
> against CSRF, because no valid token is going to be returned anyway.
>
> So I don't think there is an issue here, did I get that correct?
>
> 	
>
> Warren Parad
>
> Founder, CTO
>
> Secure your user data with IAM authorization as a service. Implement 
> Authress <https://authress.io/>.
>
>
> On Wed, Jan 5, 2022 at 3:56 PM Christopher Burroughs 
> <chris.burroughs@protonmail.ch> wrote:
>
>     Greetings,
>
>
>     Is this scenario any different from a PKCE downgrade attack, as
>     described in OAuth 2.0 Security Best Current Practice section 4.8.2 ?
>
>
>     Warm regards and happy new year!
>
>
>     Christopher Burroughs
>
>
>
>
>
>     -------- Original Message --------
>     On Jan 5, 2022, 21:29, Benjamin Häublein <
>     Benjamin.Haeublein@cirosec.de> wrote:
>
>
>         The following example shows this behavior in keycloak:
>
>         Authorization Request:
>
>         http://identity-provider:8080/auth/realms/XXX/protocol/openid-connect/auth?client_id=client-spa-public-pkce&redirect_uri=http%3A%2F%2Flocalhost%2F&response_mode=fragment&response_type=code&scope=openid
>         <http://identity-provider:8080/auth/realms/XXX/protocol/openid-connect/auth?client_id=client-spa-public-pkce&redirect_uri=http%3A%2F%2Flocalhost%2F&response_mode=fragment&response_type=code&scope=openid>
>
>         Authorization Response:
>
>         http://127.0.0.1/#session_state=46556363-c53f-489f-871c-58d376a8f9c1&code=2b84ee14-68ff-48c9-b480-4349ff9805f7.46556363-c53f-489f-871c-58d376a8f9c1.6fab0727-6184-47ad-8607-55f19896e945
>         <http://127.0.0.1/#session_state=46556363-c53f-489f-871c-58d376a8f9c1&code=2b84ee14-68ff-48c9-b480-4349ff9805f7.46556363-c53f-489f-871c-58d376a8f9c1.6fab0727-6184-47ad-8607-55f19896e945>
>
>         Token Request:
>
>         POST /auth/realms/XXX/protocol/openid-connect/token HTTP/1.1
>         Host: identity-provider:8080
>         Content-type: application/x-www-form-urlencoded
>
>         code=2b84ee14-68ff-48c9-b480-4349ff9805f7.46556363-c53f-489f-871c-58d376a8f9c1.6fab0727-6184-47ad-8607-55f19896e945&grant_type=authorization_code&client_id=client-spa-public-pkce&redirect_uri=http%3A%2F%2Flocalhost%2F&code_verifier=IqiCQGM06JEyW73AB3f3oblCQKHOorapyqHUcYRujuSikDJx8cvBQ0kmFmzW75uIfaSBtXQrRmwuk71WWO6ryCzahTcxBPYX
>
>         As a result, an access token was issued although the
>         code_verifier provided in the token request did not match the
>         code_challenge and code_challenge_method in the authorization
>         request as they were absent.
>
>         An attacker can thus send the victim the authorization
>         response, after the victim clicks the link, the client
>         application sends a Token Request with the code_verifier
>         present with the client to Keycloak.
>
>         As a result, a token is issued for the application, although
>         the code_verifier does not match the inexistent
>         code_challenge/code_challenge_method in the malicious
>         authorization response.
>
>         For this to work, the client must either generate a
>         code_verifier on the fly or have one already present. This
>         obviously depends on the precise implementation of the
>         respective client.
>
>         To reach such a state, an attacker could trick the user into
>         starting the authorization grant but clicking the malicious
>         link before the authorization response is sent.
>
>         Best Regards,
>
>         Benjamin Häublein
>         Senior Consultant
>
>         cirosec GmbH
>         Ferdinand-Braun-Strasse 4
>         74074 Heilbronn
>         Germany
>         Phone: +49 (7131) 59455-74
>         Fax: +49 (7131) 59455-99
>         Mobile: +49 (151) 122414-74
>         www.cirosec.de <http://www.cirosec.de>
>
>         HRB Stuttgart 107883
>         CEO Stefan Strobel, CFO Peter Lips
>
>         *Von:* Warren Parad <wparad@rhosys.ch>
>         *Gesendet:* Mittwoch, 5. Januar 2022 13:44
>         *An:* Benjamin Häublein <Benjamin.Haeublein@cirosec.de>
>         *Cc:* George Fletcher <gffletch@aol.com>; oauth@ietf.org
>         *Betreff:* Re: [OAUTH-WG] Edge case in RFC 7636, Server
>         Verifies code_verifier facilitates Login-CSRF
>
>
>         	
>
>         Sie erhalten nicht oft E-Mail von "wparad@rhosys.ch". Weitere
>         Informationen, warum dies wichtig ist
>         <http://aka.ms/LearnAboutSenderIdentification>
>
>         	
>
>         I'm not following to be honest. Could you detail concretely
>         what the flow would be that would result in vulnerability?
>
>
>         	
>
>         *Warren Parad*
>
>         Founder, CTO
>
>         Secure your user data with IAM authorization as a service.
>         Implement Authress <https://authress.io/>.
>
>         On Wed, Jan 5, 2022 at 1:41 PM Benjamin Häublein
>         <Benjamin.Haeublein@cirosec.de> wrote:
>
>             Finally, I'm not sure a client that doesn't send the
>             'code_challenge' and 'code_challenge_method' on the
>             authorization request but does send the 'code_verifier' on
>             the token request should consider that the client has
>             implemented PKCE correctly and hence can rely on it for CSRF.
>
>             My point is not, that a client behaves that way. The
>             problem is that an attacker could get a user (through
>             social engineering) to start the authorization process and
>             then click a link with an authorization response that the
>             attacker provides.
>
>             Then the client has send the 'code_challenge' and
>             'code_challenge_method' in the authorization request, but
>             the authorization response belongs to an authorization
>             request that does not have these parameters.
>
>             When the client sends the token request based on the
>             malicious authorization request but with the
>             ‘code_verifier’ for the original authorization request.
>
>             When the AS behaves as described the client has no way to
>             know that an attacker has interfered.
>
>             Best Regards,
>
>             Benjamin Häublein
>
>             *Von:* George Fletcher <gffletch@aol.com>
>             *Gesendet:* Dienstag, 4. Januar 2022 14:51
>             *An:* Benjamin Häublein <Benjamin.Haeublein@cirosec.de>;
>             oauth@ietf.org
>             *Betreff:* Re: [OAUTH-WG] Edge case in RFC 7636, Server
>             Verifies code_verifier facilitates Login-CSRF
>
>             My guess is that for an Authorization Server that doesn't
>             receive a 'code_challenge' and 'code_challenge_method' as
>             part of the authorization request, they treat the request
>             as a non-PKCE authorization request. Therefore when the
>             'code_verifier' is presented at the /token endpoint, the
>             AS ignores the parameter because it doesn't consider the
>             request to be a PKCE request. I can also see the AS
>             returning an error regarding an "unexpected parameter" or
>             "invalid request" error in this case.
>
>             I agree with your recommendation for the AS to require
>             specific clients to use PKCE and consider an authorization
>             request without PKCE to be an error.
>
>             Finally, I'm not sure a client that doesn't send the
>             'code_challenge' and 'code_challenge_method' on the
>             authorization request but does send the 'code_verifier' on
>             the token request should consider that the client has
>             implemented PKCE correctly and hence can rely on it for CSRF.
>
>             Thanks,
>             George
>
>             On 1/4/22 5:45 AM, Benjamin Häublein wrote:
>
>                 Hello everyone,
>
>                 I think RFC 7636 “Proof Key for Code Exchange by OAuth
>                 Public Clients”, section 4.6. “Server Verifies
>                 code_verifier before Returning the Tokens” leaves a
>                 tiny gap regarding the handling of verification when
>                 no code challenge was present in the authorization
>                 request:
>
>                 Upon receipt of the request at the token endpoint, the
>                 server
>
>                 verifies it by calculating the code challenge from the
>                 received
>
>                 "code_verifier" and comparing it with the previously
>                 associated
>
>                 "code_challenge", after first transforming it
>                 according to the
>
>                 "code_challenge_method" method specified by the client.
>
>                 It is unspecified how the server should behave when
>                 “code_verifier” is present, but “code_challenge” and
>                 “code_challenge_method” were not set in the initial
>                 authorization request.
>
>                 The following example worked for three well-known
>                 authorization servers where the client was configured
>                 in a way that PKCE could be used, but was not enforced:
>
>                 Authorization Request:
>
>                 https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost
>                 <https://XXXX/auth?client_id=YYYY&response_type=code&scope=openid+profile&redirect_uri=https://localhost>
>
>                 Subsequent Token Request:
>
>                 POST /token HTTP/1.1
>                 Host: XXXX
>                 Content-Length: 256
>
>                 code=ZZZZ&grant_type=authorization_code&client_id=YYYY&redirect_uri=https%3A%2F%2Flocalhost&code_verifier=IqiCQGM06JEyW73AB3f3oblCQKHOorapyqHUcYRujuSikDJx8cvBQ0kmFmzW75uIfaSBtXQrRmwuk71WWO6ryCzahTcxBPYX
>
>                 As a result, an access token was issued although the
>                 code_verifier provided in the token request did not
>                 match the code_challenge and code_challenge_method in
>                 the authorization request.
>
>                 Many applications consider the usage of PKCE as enough
>                 protection from Login-CSRF and do not use state or
>                 nonce (for example this blog entry by Daniel Fett
>                 https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/
>                 suggests, that neither state nor nonce are necessary
>                 when PKCE is used). However, when the authorization
>                 server is not configured to require a specific
>                 code_challenge_method from the client and the
>                 authorization behaves as described in the example,
>                 PKCE does not protect from Login-CSRF.
>
>                 I think the following mitigations are possible:
>
>                  1. Enforce usage of PKCE in the client configuration
>                     in the Authorization Server
>                  2. Implementation of the authorization server returns
>                     an error in the Access Token Response when
>                     code_verifier is present in the token request, but
>                     no code_challenge and code_challenge_method is
>                     present in the authorization request.
>                  3. Additionally, when the behavior of an AS is
>                     correct (verification of code_verifier fails when
>                     no code_challenge was present), a client that
>                     relies on PKCE for CSRF protection must always
>                     include a code_verifier parameter in the token
>                     request (even if no code_verifier is present on
>                     the client side).
>
>                 Best regards,
>
>                 Benjamin Häublein
>                 Senior Consultant
>
>                 cirosec GmbH
>                 Ferdinand-Braun-Strasse 4
>                 74074 Heilbronn
>                 Germany
>                 Phone: +49 (7131) 59455-74
>                 Fax: +49 (7131) 59455-99
>                 Mobile: +49 (151) 122414-74
>                 www.cirosec.de <http://www.cirosec.de>
>
>                 HRB Stuttgart 107883
>                 CEO Stefan Strobel, CFO Peter Lips
>
>                 _______________________________________________
>
>                 OAuth mailing list
>
>                 OAuth@ietf.org
>
>                 https://www.ietf.org/mailman/listinfo/oauth
>
>             _______________________________________________
>             OAuth mailing list
>             OAuth@ietf.org
>             https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email