IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1

Sascha Preibisch <saschapreibisch@gmail.com> Wed, 13 October 2021 21:06 UTC

Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 791803A0BAD for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 14:06:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.987
X-Spam-Level:
X-Spam-Status: No, score=-1.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ct6pp9vo5vu for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 14:06:36 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86D813A0BA0 for <oauth@ietf.org>; Wed, 13 Oct 2021 14:06:35 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id u18so17345275lfd.12 for <oauth@ietf.org>; Wed, 13 Oct 2021 14:06:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FLOT5n0dqosqzcomtnF7i6LZlTVFOH8vdljQntUGh8Q=; b=XCWKoKLWIb2zgItyNb/28KxDU8lUPF1WqhRUA0EC6gf/FsihtNdysjfX1EdeV4W7QZ aXMYTrN2SC0kZlrmK5zV+2htoYbhBVS4NzdAj9vDbs2jEgWADoslvF8l+p/qGTB3SAcS oH+QE161naNG/ZG1dji92d3FKGLpaqvEyO45ZsbMFszyEMfquSF8WqshwxbbBzWztfU8 V3AgRyUI8t7AhfcOaMXV+btlYoB7MLijPAm8OOum7ZXq/2RDDEeJIoQjaapFwZa5V6zH tz0UrbwGCNNbR0cET4UbDRtmvgTyKrv74LPBW2OtQsCzLeIil3FnVhP+OFn8tuCDB64X f0SA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FLOT5n0dqosqzcomtnF7i6LZlTVFOH8vdljQntUGh8Q=; b=J08+K19PbzsYolFWgoMptHLpTvMFxcQ4UygZRSjcoql9KTBB5/hFLb50uDAFgH5J9z cyoIimG7sVg1BUUIQ06vW8PM44rQULmC5as5MMCX5m3nApTqNSEaxlQfzs0huc0R12fy B6JZuaywHCZyqeemEzPisqpwufy+r5S5v/bPgecanWGQ5WOftpP3SIdfCNg9rNOHcAK1 f36p3EcaY+PfYB6+kFDLoOIZM8CE/e3FM0WfxVA3H1Lfp5P8ZJM/ILuX7tb+q0dCkksn GkaSuzvYwCDUZDEYFYXSKPaRo3dBh/Ysb7j6wTPRVEViZVhtx5+JQJRu7K3Js6gAeObh uVVg==
X-Gm-Message-State: AOAM5313Qa1uD0YfI/nQFhWlDsH6RG2obhvGPobwqy4d7Yr0lqtaehnE JpeHGoZlrbkxw9FiV87fjXDOz5u5v/AInpxjF0mPwo7b
X-Google-Smtp-Source: ABdhPJzkUOPWvB6syV8+yJnIv3HHfv//+A8vo64P2XIejKtc2UjffQpIJQguDLBz7490StAKB4ebMALPiyPu5utLB8A=
X-Received: by 2002:a2e:554:: with SMTP id 81mr1717378ljf.59.1634159193493; Wed, 13 Oct 2021 14:06:33 -0700 (PDT)
MIME-Version: 1.0
References: <SA2PR00MB100244DAAD267EBD2FF51678F5B79@SA2PR00MB1002.namprd00.prod.outlook.com> <CAJot-L1HNvud7-ehODK7Bouv5-KotMy8EtEgLCyCzOXoSZCVCg@mail.gmail.com> <CAGBSGjpJrM4uUTdVvsEzh5sT0H9ZpEJ0D3yfo-p_1S9w_tdF8g@mail.gmail.com> <AM7PR83MB0452A256F01A7DE8BE65C98C91B79@AM7PR83MB0452.EURPRD83.prod.outlook.com> <CAGBSGjoNoHybJNZaxdFs2Z9D+rUi+zORzt9v_f0cdhYZaj=KcA@mail.gmail.com> <CAJot-L30=scUs0yon4fx_Ti6Sq8gW4xy758j2qGLR_Cg2R-82Q@mail.gmail.com> <CAGBSGjoGhoz203+sXOGtDLr14DJLsRhjEd1uA==7SNLNRZdzpQ@mail.gmail.com> <CAP=vD9tOAxCAKumBcNkK077jMiWC+r7xBgu46oCFPgJPsu2EnQ@mail.gmail.com> <CAGBSGjpg63Rq2eEh3v3vAS=cuN3eNXAycbAOokaDg6v74saRHQ@mail.gmail.com>
In-Reply-To: <CAGBSGjpg63Rq2eEh3v3vAS=cuN3eNXAycbAOokaDg6v74saRHQ@mail.gmail.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Wed, 13 Oct 2021 14:06:22 -0700
Message-ID: <CAP=vD9tKaSt2p_8_Ltcc7Ad5v5Yq6ST-tmf-VM6iKbXgZyP48A@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: IETF oauth WG <oauth@ietf.org>, Warren Parad <wparad@rhosys.ch>
Content-Type: multipart/alternative; boundary="0000000000003c13b405ce42569e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oMS_1VyOr59CaPwRLhUkCI-VawY>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 21:06:42 -0000

Ok, if the goal is to avoid unnecessary requirements I am suggesting to
point out why MUST was changed to SHOULD. Otherwise developers will start
to mix and match OAuth 2.0 and OAuth 2.1 requirements as they see them fit
their needs.
In regards to encrypted values in PKCE, Aaron, I can also not confirm that
as the general implementation.

On Wed, 13 Oct 2021 at 13:56, Aaron Parecki <aaron@parecki.com> wrote:

> The PKCE spec actually says "Typically, the "code_challenge" and
> "code_challenge_method" values are stored in encrypted form in the "code"
> itself" which I feel like might be a stretch to say that's typical, but
> this scenario was clearly thought of ahead of time. Doing that would enable
> an AS to avoid storing server-side state.
>
> On Wed, Oct 13, 2021 at 1:50 PM Sascha Preibisch <
> saschapreibisch@gmail.com> wrote:
>
>> If the challenge is based on distributed authorization server
>> configurations, how would they handle PKCE? I imagine that managing the
>> state for PKCE is not less challenging than managing authorization codes on
>> the server side, preventing reuse of them.
>> With that in mind I am not sure if I follow the given argument. I would
>> prefer to keep MUST as it is today.
>>
>>
>> On Wed, 13 Oct 2021 at 13:37, Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> HTTPS, because if that's broken then the rest of OAuth falls apart too.
>>>
>>> On Wed, Oct 13, 2021 at 1:36 PM Warren Parad <wparad@rhosys.ch> wrote:
>>>
>>>> I feel like I'm missing something, what stops just plain old network
>>>> sniffing and replying the whole encrypted payload to the AS and getting
>>>> back a valid token?
>>>>
>>>> Warren Parad
>>>>
>>>> Founder, CTO
>>>> Secure your user data with IAM authorization as a service. Implement
>>>> Authress <https://authress.io/>.
>>>>
>>>>
>>>> On Wed, Oct 13, 2021 at 10:33 PM Aaron Parecki <aaron@parecki.com>
>>>> wrote:
>>>>
>>>>> Aside from the "plain" method, the PKCE code verifier never leaves the
>>>>> client until it's sent along with the authorization code in the POST
>>>>> request to the token endpoint. The only place it can leak at that point is
>>>>> if the authorization server itself leaks it. If you have things leaking
>>>>> from the authorization server log, you likely have much bigger problems
>>>>> than authorization code replays.
>>>>>
>>>>> Keep in mind that even with the proposed change to drop the
>>>>> requirement of authorization codes being one time use, authorization
>>>>> servers are free to enforce this still if they want. Authorization code
>>>>> lifetimes are still expected to be short lived as well.
>>>>>
>>>>> Aaron
>>>>>
>>>>>
>>>>> On Wed, Oct 13, 2021 at 1:25 PM Pieter Kasselman <
>>>>> pieter.kasselman@microsoft.com> wrote:
>>>>>
>>>>>> Aaron, I was curious what prevents an attacker from presenting an
>>>>>> Authorization Code and a PKCE Code Verifier for a second time if the one
>>>>>> time use requirement is removed. Is there another countermeasure in  PKCE
>>>>>> that would prevent it? For example, an attacker may obtain the
>>>>>> Authorization Code and the Code Verifier from a log and replay it.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>>
>>>>>>
>>>>>> Pieter
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Aaron Parecki
>>>>>> *Sent:* Wednesday 13 October 2021 18:40
>>>>>> *To:* Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
>>>>>> *Cc:* Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>;
>>>>>> oauth@ietf.org
>>>>>> *Subject:* [EXTERNAL] Re: [OAUTH-WG] Authorization code reuse and
>>>>>> OAuth 2.1
>>>>>>
>>>>>>
>>>>>>
>>>>>> Warren, I didn't see you on the interim call, so you might be missing
>>>>>> some context.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The issue that was discussed is that using PKCE already provides all
>>>>>> the security benefit that is gained by enforcing single-use authorization
>>>>>> codes. Therefore, requiring that they are single-use isn't necessary as it
>>>>>> doesn't provide any additional benefit.
>>>>>>
>>>>>>
>>>>>>
>>>>>> If anyone can think of a possible attack by allowing authorization
>>>>>> codes to be reused *even with a valid PKCE code verifier* then that would
>>>>>> warrant keeping this requirement.
>>>>>>
>>>>>>
>>>>>>
>>>>>> ---
>>>>>>
>>>>>> Aaron Parecki
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Oct 13, 2021 at 10:27 AM Warren Parad <wparad=
>>>>>> 40rhosys.ch@dmarc.ietf.org> wrote:
>>>>>>
>>>>>> Isn't it better for it to be worded as we want it to be, with the
>>>>>> implication being that of course it might be difficult to do that, but that
>>>>>> AS devs will think long and hard about sometimes not denying the request?
>>>>>> Even with MUST, some AS will still allow reuse of auth codes. Isn't that
>>>>>> better than flat out saying: *sure, there's a valid reason*
>>>>>>
>>>>>>
>>>>>>
>>>>>> In other words, how do we think about RFCs? Do they exist to be
>>>>>> followed to the letter or not at all? Or do they exist to stipulate this is
>>>>>> the way, but acknowledge that not everyone will build a solution that holds
>>>>>> them as law.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Let's look at *SHOULD*
>>>>>>
>>>>>> This word, or the adjective "RECOMMENDED", mean that there may exist
>>>>>> valid reasons in particular circumstances to ignore a particular item, but
>>>>>> the full implications must be understood and carefully weighed before
>>>>>> choosing a different course.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I think *recommended* here is not sufficient nor are there valid
>>>>>> reasons. "It's too hard" isn't really a valid reason. Isn't it better in
>>>>>> this case for an AS to not be compliant with the RFC, than it is to relax
>>>>>> this to SHOULD and have lots of AS thinking reusing auth codes is a viable
>>>>>> solution, "because they are a special snowflake where SHOULD should apply".
>>>>>>
>>>>>>
>>>>>>
>>>>>> Are we setting the standard or instead attempting to sustain a number
>>>>>> of "AS that are in compliance with the RFC"?
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Warren Parad*
>>>>>>
>>>>>> Founder, CTO
>>>>>>
>>>>>> Secure your user data with IAM authorization as a service. Implement
>>>>>> Authress
>>>>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthress.io%2F&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C64289cdc8a4743659b3108d98e70a5d1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637697436788333255%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lw%2BH1z1Ut9kr6S%2F4aVsPmcErAcZx0eK2WV78OlEl2dU%3D&reserved=0>
>>>>>> .
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Oct 13, 2021 at 7:17 PM Mike Jones <Michael.Jones=
>>>>>> 40microsoft.com@dmarc.ietf.org> wrote:
>>>>>>
>>>>>> During today’s call, it was asked whether we should drop the OAuth
>>>>>> 2.0 language that:
>>>>>>
>>>>>>          The client MUST NOT use the authorization code
>>>>>>
>>>>>>          more than once.  If an authorization code is used more than
>>>>>>
>>>>>>          once, the authorization server MUST deny the request and
>>>>>> SHOULD
>>>>>>
>>>>>>          revoke (when possible) all tokens previously issued based on
>>>>>>
>>>>>>          that authorization code.”
>>>>>>
>>>>>>
>>>>>>
>>>>>> The rationale given was that enforcing one-time use is impractical in
>>>>>> distributed authorization server deployments.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thinking about this some more, at most, we should relax this to:
>>>>>>
>>>>>>          The client MUST NOT use the authorization code
>>>>>>
>>>>>>          more than once.  If an authorization code is used more than
>>>>>>
>>>>>>          once, the authorization server SHOULD deny the request and
>>>>>> SHOULD
>>>>>>
>>>>>>          revoke (when possible) all tokens previously issued based on
>>>>>>
>>>>>>          that authorization code.”
>>>>>>
>>>>>>
>>>>>>
>>>>>> In short, it should remain illegal for the client to try to reuse the
>>>>>> authorization code.  We can relax the MUST to SHOULD in the server
>>>>>> requirements in recognition of the difficulty of enforcing the MUST.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Code reuse is part of some attack scenarios.  We must not sanction it.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                                                           -- Mike
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C64289cdc8a4743659b3108d98e70a5d1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637697436788343208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ySJjihVbfLJJ85RtjNzEIMSPwe7kLZB8RKT8Ky3fYiA%3D&reserved=0>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7C64289cdc8a4743659b3108d98e70a5d1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637697436788343208%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ySJjihVbfLJJ85RtjNzEIMSPwe7kLZB8RKT8Ky3fYiA%3D&reserved=0>
>>>>>>
>>>>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>

v2.23.0 | Report a Bug | By Email