Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

Nat Sakimura <sakimura@gmail.com> Tue, 19 January 2016 14:32 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6054D1B2F96 for <oauth@ietfa.amsl.com>; Tue, 19 Jan 2016 06:32:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9lvomG8IytuT for <oauth@ietfa.amsl.com>; Tue, 19 Jan 2016 06:32:02 -0800 (PST)
Received: from mail-qg0-x22c.google.com (mail-qg0-x22c.google.com [IPv6:2607:f8b0:400d:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21C4E1B2F92 for <oauth@ietf.org>; Tue, 19 Jan 2016 06:32:02 -0800 (PST)
Received: by mail-qg0-x22c.google.com with SMTP id e32so492928757qgf.3 for <oauth@ietf.org>; Tue, 19 Jan 2016 06:32:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=1kbjsoo3E8BHGep/zwh8Zr6fQOuSaylPookVQc/izV4=; b=Fv0/1CaVOkhf3qt2Pe6e+a4eAITE+POOhNEE1/yiWRWkpqi9SkKcmAJP1eWknMCaKG s3OqFbGe5H+l4y7Hc8HtzEKAIFqeT6u/uUwbACScm3mo3XV43J0QVwZ65z5A+CJ7SH0Q HGLUAhrLDBpEZ+hDut2yT++O7j4IjaYDYE+fAukuEm6WbqgH4xrkDj1nyp6NZGFyHmej 3VFMTNphUBn2NFgfXUQ2v+HPARu24bKT2tOlqeO7zqQkAqGTNYFS3/1g+IyKXMzWec9V WVnWvWibkx+boSrQGxfebyj6eIIoZRU0JiGb7T+CNiCWffUHC3+fBpcG5P7AdOQ6gBJ5 LOIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=1kbjsoo3E8BHGep/zwh8Zr6fQOuSaylPookVQc/izV4=; b=B96nUVvPAOrAGsH4EfNtc9YHoCaTa4pVy7ngv1Uq78JUmgWrEgkgVq8WuC2FFv4ib6 Ko/SQXhLzA7MZVNDptGB77bbnv3SaqOghqEyj0uWcRkOHbz9+PNSVnYIM+Gy7jrkZcQa hCrEIlFSqmtMckLOYkdl8HgXoRq/MiljTmd2vFLIUdUGuGeVB8KA1vGjw0CWjphL6nQi yBK7V/969jKguTa51JxVplG64REK7sike5dPtPoJgumvqv8ReXKlOY6oHKMDOWEq9Udi LIHmxiCxd9HOjSNiVFuhb1tsPzaPy2NrTms9Jg9tV3SFJepDCImSU3Sh9/DWvuzARakU 8AEg==
X-Gm-Message-State: ALoCoQlc+ikv2jgRHFWAS1xTs4YN4v2NJw84IV4LpjydQOfW108tuqhhuCymL7EQ8TRwKytPWbkym6gU6f5WBgJLs+Oz5157KQ==
X-Received: by 10.140.158.4 with SMTP id e4mr40494445qhe.81.1453213921198; Tue, 19 Jan 2016 06:32:01 -0800 (PST)
MIME-Version: 1.0
References: <CAAP42hD3vpwnBYzu6YZVXtTimVuFHzgQ9Pksn1RQNEwogPZRJw@mail.gmail.com> <8E6EBF44-2057-4429-8347-1BA447C3F3DB@ve7jtb.com>
In-Reply-To: <8E6EBF44-2057-4429-8347-1BA447C3F3DB@ve7jtb.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 19 Jan 2016 14:31:51 +0000
Message-ID: <CABzCy2DBP7k-mAa6ABxGkWB9yzc8MTsbNByp-zzaoF+umS9hkw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, William Denniss <wdenniss@google.com>
Content-Type: multipart/alternative; boundary=001a113a09de8e49ea0529b0bbf2
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/sD4IpOwt3LeilxNav_Sro-JXknI>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2016 14:32:04 -0000

Agreed. It should give out an error.
It might have been easier for the developers to get a special error so that
they can debug, but giving less information in general is better
security-wise, so...

Nat

2016年1月19日(火) 21:33 John Bradley <ve7jtb@ve7jtb.com>;:

> Great news.
>
> If you have sent a PKCE challenge and no verifier that should be a
> authentication failure as if the value were wrong.
>
> I don’t know if it needs a special error.
>
> Thanks for bringing it up.
>
> John B.
>
> On Jan 19, 2016, at 2:46 AM, William Denniss <wdenniss@google.com>; wrote:
>
> This month we rolled out full PKCE (RFC7636) support on our OAuth
> endpoints.
>
> We'd previously implemented an earlier draft but were not conformant to
> the final spec when it was published – now we are. Both "plain" and "S256"
> transforms are supported. As always, get the latest endpoints from our
> discovery document:
> https://accounts.google.com/.well-known/openid-configuration
>
> If you give it a spin, let me know how you go! The team monitors the Stack
> Overflow google-oauth
> <http://stackoverflow.com/questions/tagged/google-oauth> tag too, for any
> implementation questions.
>
> I'm keen to know what we should be putting in our discovery doc to declare
> PKCE support (see the thread "Advertise PKCE support in OAuth 2.0
> Discovery"), hope we can agree on that soon.
>
> One implementation detail not covered in the spec: we error if you
> send code_verifier to the token endpoint when exchanging a code that was
> issued without a code_challenge being present. The assumption being that if
> you are sending code_verifier on the token exchange, you are using PKCE and
> should have sent code_challenge on the authorization request, so something
> is amiss.
>
> William
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>