Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1

David Waite <david@alkaline-solutions.com> Wed, 13 October 2021 18:31 UTC

Cc: "oauth@ietf.org" <oauth@ietf.org>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pXrUC8DvADVIWipCY_U-xbItimg>

I agree that PKCE (with a non-plain operational mode) protects the code from attacker use by the security BCP model (but not necessarily stronger models).

Would the prevalence of ASs which cannot enforce an atomic code grant warrant further language against plain PKCE?

-DW

> On Oct 13, 2021, at 11:16 AM, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> 
> During today’s call, it was asked whether we should drop the OAuth 2.0 language that:
>          “The client MUST NOT use the authorization code
>          more than once.  If an authorization code is used more than
>          once, the authorization server MUST deny the request and SHOULD
>          revoke (when possible) all tokens previously issued based on
>          that authorization code.”
>  
> The rationale given was that enforcing one-time use is impractical in distributed authorization server deployments.
>  
> Thinking about this some more, at most, we should relax this to:
>          “The client MUST NOT use the authorization code
>          more than once.  If an authorization code is used more than
>          once, the authorization server SHOULD deny the request and SHOULD
>          revoke (when possible) all tokens previously issued based on
>          that authorization code.”
>  
> In short, it should remain illegal for the client to try to reuse the authorization code.  We can relax the MUST to SHOULD in the server requirements in recognition of the difficulty of enforcing the MUST.
>  
> Code reuse is part of some attack scenarios.  We must not sanction it.
>  
>                                                           -- Mike
>  
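The two requirements under discussion in this thread, one-time use of the authorization code with revocation on reuse (RFC 6749 section 4.1.2) and PKCE S256 verification (RFC 7636), as an added worked example that is not part of either message above. The `AuthorizationServer` class, its method names and the in-memory code store are assumptions made for this illustration; a `threading.Lock` stands in for the atomic compare-and-set that a real code store would need, which is exactly the part a distributed AS finds hard to provide.

```python
import base64
import hashlib
import hmac
import secrets
import threading
from dataclasses import dataclass, field

# Hypothetical in-memory authorization server for illustration only.
# The lock plays the role of an atomic "claim this code" operation; in a
# distributed deployment that would be a conditional write on shared storage.


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    code_challenge: str
    code_challenge_method: str
    used: bool = False        # set atomically on first presentation
    compromised: bool = False  # set when the code is presented a second time
    tokens: list = field(default_factory=list)  # tokens minted from this code


class AuthorizationServer:
    def __init__(self, allow_plain: bool = False) -> None:
        self.allow_plain = allow_plain
        self._codes = {}
        self._lock = threading.Lock()
        self.active_tokens = set()

    def issue_code(self, client_id, redirect_uri, code_challenge, method="S256"):
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        if method == "plain" and not self.allow_plain:
            # With "plain", code_challenge == code_verifier: whoever saw the
            # authorization request already holds what the token endpoint asks for.
            raise ValueError("plain PKCE not accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri, code_challenge, method)
        return code

    def _pkce_ok(self, rec: CodeRecord, code_verifier: str) -> bool:
        if not 43 <= len(code_verifier) <= 128:  # RFC 7636 4.1 length bounds
            return False
        if rec.code_challenge_method == "plain":
            expected = code_verifier
        else:
            expected = s256_challenge(code_verifier)
        return hmac.compare_digest(expected, rec.code_challenge)

    def redeem(self, code, client_id, redirect_uri, code_verifier) -> dict:
        """Token endpoint: exchange an authorization code exactly once."""
        with self._lock:
            rec = self._codes.get(code)
            if rec is None:
                return {"error": "invalid_grant"}
            if rec.used:
                # Reuse: deny, and revoke every token previously issued on this code.
                rec.compromised = True
                revoked = [t for t in rec.tokens if t in self.active_tokens]
                for t in revoked:
                    self.active_tokens.discard(t)
                return {"error": "invalid_grant", "revoked": len(revoked)}
            rec.used = True  # claim the code before doing any further checks

        # Any failure from here on still burns the code; the client starts a new flow.
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        if not self._pkce_ok(rec, code_verifier):
            return {"error": "invalid_grant"}

        token = secrets.token_urlsafe(32)
        with self._lock:
            if rec.compromised:  # a replay raced us between claim and issuance
                return {"error": "invalid_grant"}
            rec.tokens.append(token)
            self.active_tokens.add(token)
        return {"access_token": token, "token_type": "Bearer"}


def demo() -> dict:
    """Constructed scenario: one legitimate client, one attacker holding its code."""
    az = AuthorizationServer()
    client, redirect = "app123", "https://app.example/cb"
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 bounds

    # Scenario 1: legitimate redemption, then the attacker replays the same code.
    code = az.issue_code(client, redirect, s256_challenge(verifier))
    first = az.redeem(code, client, redirect, verifier)
    live_before = first.get("access_token") in az.active_tokens
    replay = az.redeem(code, client, redirect, verifier)
    live_after = first.get("access_token") in az.active_tokens

    # Scenario 2: attacker gets to the token endpoint first but lacks the verifier.
    code2 = az.issue_code(client, redirect, s256_challenge(verifier))
    attacker = az.redeem(code2, client, redirect, b64url(secrets.token_bytes(32)))
    legit_after = az.redeem(code2, client, redirect, verifier)

    try:
        az.issue_code(client, redirect, verifier, method="plain")
        plain_rejected = False
    except ValueError:
        plain_rejected = True

    return {
        "first_ok": "access_token" in first,
        "live_before": live_before,
        "replay": replay,
        "live_after": live_after,
        "attacker": attacker,
        "legit_after": legit_after,
        "plain_rejected": plain_rejected,
    }
```

The point the thread turns on is the `with self._lock` block in `redeem`: if an AS cannot make that claim atomic across nodes, two presentations of the same code can both pass the `used` check, and the only remaining defence is the S256 verifier the attacker does not hold (scenario 2) plus best-effort revocation once the second use is noticed (scenario 1). With `plain`, the verifier is the challenge that already travelled in the authorization request, so that second defence is gone, which is why the example refuses it by default.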