Re: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1

Neil Madden <neil.madden@forgerock.com> Mon, 11 May 2020 18:55 UTC

From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <450592A8-C609-424D-B321-F9CD3DBAEFB0@forgerock.com>
Date: Mon, 11 May 2020 19:55:11 +0100
In-Reply-To: <CAGBSGjpRr=pHcX=ppHJygCC25ZZ8xVQztrviDyYq4yvG6KJ7YA@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
To: Aaron Parecki <aaron@parecki.com>
References: <CAGBSGjpRr=pHcX=ppHJygCC25ZZ8xVQztrviDyYq4yvG6KJ7YA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qHcyUbTP4arWw4PueTnd1j8-Eh8>
Subject: Re: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1

I am happy with this proposed wording. Thanks for updating it.

— Neil

> On 11 May 2020, at 19:52, Aaron Parecki <aaron@parecki.com> wrote:
> 
> Thanks for the lively discussion around PKCE in OAuth 2.1 everyone!
> 
> We would like to propose the following text, which is a slight variation from the text Neil proposed. This would replace the paragraph in 4.1.2.1 (https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02#section-4.1.2.1) that begins with "If the client does not send the "code_challenge" in the request..."
> 
> "An AS MUST reject requests without a code_challenge from public clients, and MUST reject such requests from other clients unless there is reasonable assurance that the client mitigates authorization code injection in other ways. See section 9.7 for details."
> 
> Section 9.7 is where the nuances of PKCE vs nonce are described.
> 
> As Neil described, we believe this will allow ASs to support both OAuth 2.0 and 2.1 clients simultaneously. The change from Neil's text is the clarification of which threats, and changing to MUST instead of SHOULD. The "MUST...unless" is more specific than "SHOULD", and since we are already describing the explicit exception to the rule, it's more clear as a MUST here.
> 
> Aaron Parecki
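The "MUST ... unless" rule quoted above describes an admission decision an authorization server makes per client, plus the PKCE check it performs later at the token endpoint. The following is an added example, not code from the thread or from the OAuth 2.1 draft: a hypothetical authorization server's policy in Python. The client registry, the `mitigates_code_injection` flag (standing in for the draft's "reasonable assurance" that a confidential client uses another mitigation such as a nonce) and the reason strings are all assumptions; the S256 challenge derivation is the one defined in RFC 7636.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    """Constructed client registration (hypothetical)."""
    client_id: str
    public: bool  # public client: no credential of its own
    # Confidential clients only: the AS has "reasonable assurance" the client
    # mitigates authorization code injection another way (e.g. OIDC nonce).
    mitigates_code_injection: bool = False


# Constructed registry of three illustrative clients (assumption).
CLIENTS: dict[str, Client] = {
    "spa-app": Client("spa-app", public=True),
    "legacy-web": Client("legacy-web", public=False, mitigates_code_injection=True),
    "web-nopkce": Client("web-nopkce", public=False, mitigates_code_injection=False),
}


def authorization_request_allowed(client_id: str, params: dict[str, str]) -> tuple[bool, str]:
    """Apply the proposed 4.1.2.1 rule to an authorization request.

    Returns (allowed, reason). A request carrying a code_challenge is always
    admitted on this axis; without one, public clients are rejected and
    confidential clients are admitted only with an alternative mitigation.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "unknown_client"
    if params.get("code_challenge"):
        return True, "pkce"
    if client.public:
        return False, "public_client_requires_pkce"
    if client.mitigates_code_injection:
        return True, "confidential_client_with_other_mitigation"
    return False, "confidential_client_without_mitigation"


def _b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge and compare in constant time.

    RFC 7636 bounds the verifier to 43..128 characters; anything else is rejected
    before hashing.
    """
    if not 43 <= len(code_verifier) <= 128:
        return False
    try:
        expected = make_code_challenge(code_verifier)
    except UnicodeEncodeError:
        return False
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = "c" * 43  # constructed verifier at the minimum length
    challenge = make_code_challenge(verifier)
    print(authorization_request_allowed("spa-app", {}))
    print(authorization_request_allowed("spa-app", {"code_challenge": challenge}))
    print(authorization_request_allowed("legacy-web", {}))
    print(verify_code_verifier(challenge, verifier))
```

The two halves are deliberately separate: the admission rule runs at the authorization endpoint, where the client type is known from registration, while the verifier check runs at the token endpoint against the challenge stored with the issued code.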