Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

William Denniss <wdenniss@google.com> Tue, 19 January 2016 17:15 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E23E61B32C9 for <oauth@ietfa.amsl.com>; Tue, 19 Jan 2016 09:15:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id axdAlS6WUjge for <oauth@ietfa.amsl.com>; Tue, 19 Jan 2016 09:15:01 -0800 (PST)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 512241B32C8 for <oauth@ietf.org>; Tue, 19 Jan 2016 09:15:01 -0800 (PST)
Received: by mail-oi0-x230.google.com with SMTP id o124so188351952oia.3 for <oauth@ietf.org>; Tue, 19 Jan 2016 09:15:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=C68L9vqwz5J3tm5fSQAog8ou2izQ28d5SJ9DZXmB18o=; b=gdTFa8652T6eYPoILY6HSBWy5l2CZWZLVcn9M2GbJeNMhEjQjdDk5C1m+zuFHSEXgB Sdd0aY1RqzHhKS2JGVxro+9zqVXjJaOev816QlTwDcCU5Sa/1oaXHq7WZ/7X1kohpv5D Yft4WV6fPau5PXaM9pQxxR2Sr6Z/LsTomDs2APH3Z/u6pv70+cWnClXQHbuf5kLnSn27 Zg6zJmbolA0BarCFqxdSi69tV/anqg0EDfrAc39AzJJMTjQo0tDNnD8cpvk1Hks0ol1/ /jq2PMi9xPtdC4aNt4I8tzyx9g0L8SSSVxF941dW7Pg/t1yuHwiC1FkL9kufItKrzb17 idjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=C68L9vqwz5J3tm5fSQAog8ou2izQ28d5SJ9DZXmB18o=; b=GgNgJulp76cDNHLm4ofugtbU7FA07JLz1FvG4EimUXXutn0JFZmNaJVNJS+A5XzNIJ J+MI03XfO6VL99Rmd+0kMWQGL28mtSURkT+UvBtlKpksVb5FV5mol+NKl41jpVyI0H35 KNkrvF8czgluNbpGVlccrKVzI1WssH/UcD3VDN/+hgkRutIhIV86O8w/iG/bOO+XMStb TU/Xb9DeTazLXRjBoUlftYcni31OiUYtl3LKtuuDCemE/Ua3DkaK1Q8GV8kjDEv1WjrZ dRV4t7IFbKJCA8L4qP5dOE7DxzeqHj0d5yqvsNSem+JCB2/lecYaDBEV56cbgp161WOO oHXg==
X-Gm-Message-State: ALoCoQl74wJOgj6fnfy4HRT0n4lx9FLVz5sYyru+IpdEjq9vPanCg0AvX9lNh3Xzm8JJu6kxX4xXAcyhgkkD7Vd1AhzEroTRwpaMs3iEbrYRySr6PhDJLsM=
X-Received: by 10.202.226.141 with SMTP id z135mr23120384oig.21.1453223700576; Tue, 19 Jan 2016 09:15:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.227.39 with HTTP; Tue, 19 Jan 2016 09:14:40 -0800 (PST)
In-Reply-To: <569E5E2E.40204@connect2id.com>
References: <CAAP42hD3vpwnBYzu6YZVXtTimVuFHzgQ9Pksn1RQNEwogPZRJw@mail.gmail.com> <569E5E2E.40204@connect2id.com>
From: William Denniss <wdenniss@google.com>
Date: Tue, 19 Jan 2016 09:14:40 -0800
Message-ID: <CAAP42hDksSuEFeWaxOV=k0vY5-k-+YP2d-4Tjkew1T8-pz=KtQ@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Content-Type: multipart/alternative; boundary=001a11408cf87412630529b302ae
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/tzo-5FX4eJLbH6WQ9YxWgp-a5tY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2016 17:15:03 -0000

Awesome! Great to hear you've implemented it too :)

I added client-side support this weekend into an iOS client that I'm
writing, didn't take long at all.

On Tue, Jan 19, 2016 at 8:02 AM, Vladimir Dzhuvinov <vladimir@connect2id.com
> wrote:

> This is good news William! I hope more developers will become aware of
> PKCE through its adoption by Google. Right now there's virtually zero
> awareness about this option among devs.
>
> Coincidentally we also put support for PKCE in the Nimbus OAuth/OIDC SDK
> this week. Regarding errors we practice what Nat suggested - i.e. we don't
> detail the exact cause of the error, but in the "error_description" field
> we list all possible causes that a client dev should check - invalid code,
> redirect_uri mismatch, bad pkce challenge, etc.
>
> Cheers,
>
> Vladimir
>
> On 19/01/16 07:46, William Denniss wrote:
>
> This month we rolled out full PKCE (RFC7636) support on our OAuth endpoints.
>
> We'd previously implemented an earlier draft but were not conformant to the
> final spec when it was published – now we are. Both "plain" and "S256"
> transforms are supported. As always, get the latest endpoints from our
> discovery document:https://accounts.google.com/.well-known/openid-configuration
>
> If you give it a spin, let me know how you go! The team monitors the Stack
> Overflow google-oauth<http://stackoverflow.com/questions/tagged/google-oauth> <http://stackoverflow.com/questions/tagged/google-oauth> tag too, for any
> implementation questions.
>
> I'm keen to know what we should be putting in our discovery doc to declare
> PKCE support (see the thread "Advertise PKCE support in OAuth 2.0
> Discovery"), hope we can agree on that soon.
>
> One implementation detail not covered in the spec: we error if you
> send code_verifier to the token endpoint when exchanging a code that was
> issued without a code_challenge being present. The assumption being that if
> you are sending code_verifier on the token exchange, you are using PKCE and
> should have sent code_challenge on the authorization request, so something
> is amiss.
>
> William
>
>
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
> --
> Vladimir Dzhuvinov
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>