Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E23E61B32C9 for ; Tue, 19 Jan 2016 09:15:02 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.379 X-Spam-Level: X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id axdAlS6WUjge for ; Tue, 19 Jan 2016 09:15:01 -0800 (PST) Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 512241B32C8 for ; Tue, 19 Jan 2016 09:15:01 -0800 (PST) Received: by mail-oi0-x230.google.com with SMTP id o124so188351952oia.3 for ; Tue, 19 Jan 2016 09:15:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=C68L9vqwz5J3tm5fSQAog8ou2izQ28d5SJ9DZXmB18o=; b=gdTFa8652T6eYPoILY6HSBWy5l2CZWZLVcn9M2GbJeNMhEjQjdDk5C1m+zuFHSEXgB Sdd0aY1RqzHhKS2JGVxro+9zqVXjJaOev816QlTwDcCU5Sa/1oaXHq7WZ/7X1kohpv5D Yft4WV6fPau5PXaM9pQxxR2Sr6Z/LsTomDs2APH3Z/u6pv70+cWnClXQHbuf5kLnSn27 Zg6zJmbolA0BarCFqxdSi69tV/anqg0EDfrAc39AzJJMTjQo0tDNnD8cpvk1Hks0ol1/ /jq2PMi9xPtdC4aNt4I8tzyx9g0L8SSSVxF941dW7Pg/t1yuHwiC1FkL9kufItKrzb17 idjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=C68L9vqwz5J3tm5fSQAog8ou2izQ28d5SJ9DZXmB18o=; b=GgNgJulp76cDNHLm4ofugtbU7FA07JLz1FvG4EimUXXutn0JFZmNaJVNJS+A5XzNIJ J+MI03XfO6VL99Rmd+0kMWQGL28mtSURkT+UvBtlKpksVb5FV5mol+NKl41jpVyI0H35 KNkrvF8czgluNbpGVlccrKVzI1WssH/UcD3VDN/+hgkRutIhIV86O8w/iG/bOO+XMStb TU/Xb9DeTazLXRjBoUlftYcni31OiUYtl3LKtuuDCemE/Ua3DkaK1Q8GV8kjDEv1WjrZ dRV4t7IFbKJCA8L4qP5dOE7DxzeqHj0d5yqvsNSem+JCB2/lecYaDBEV56cbgp161WOO oHXg== X-Gm-Message-State: ALoCoQl74wJOgj6fnfy4HRT0n4lx9FLVz5sYyru+IpdEjq9vPanCg0AvX9lNh3Xzm8JJu6kxX4xXAcyhgkkD7Vd1AhzEroTRwpaMs3iEbrYRySr6PhDJLsM= X-Received: by 10.202.226.141 with SMTP id z135mr23120384oig.21.1453223700576; Tue, 19 Jan 2016 09:15:00 -0800 (PST) MIME-Version: 1.0 Received: by 10.182.227.39 with HTTP; Tue, 19 Jan 2016 09:14:40 -0800 (PST) In-Reply-To: <569E5E2E.40204@connect2id.com> References: <569E5E2E.40204@connect2id.com> From: William Denniss Date: Tue, 19 Jan 2016 09:14:40 -0800 Message-ID: To: Vladimir Dzhuvinov Content-Type: multipart/alternative; boundary=001a11408cf87412630529b302ae Archived-At: Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Jan 2016 17:15:03 -0000 --001a11408cf87412630529b302ae Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Awesome! Great to hear you've implemented it too :) I added client-side support this weekend into an iOS client that I'm writing, didn't take long at all. On Tue, Jan 19, 2016 at 8:02 AM, Vladimir Dzhuvinov wrote: > This is good news William! I hope more developers will become aware of > PKCE through its adoption by Google. Right now there's virtually zero > awareness about this option among devs. > > Coincidentally we also put support for PKCE in the Nimbus OAuth/OIDC SDK > this week. Regarding errors we practice what Nat suggested - i.e. we don'= t > detail the exact cause of the error, but in the "error_description" field > we list all possible causes that a client dev should check - invalid code= , > redirect_uri mismatch, bad pkce challenge, etc. > > Cheers, > > Vladimir > > On 19/01/16 07:46, William Denniss wrote: > > This month we rolled out full PKCE (RFC7636) support on our OAuth endpoin= ts. > > We'd previously implemented an earlier draft but were not conformant to t= he > final spec when it was published =E2=80=93 now we are. Both "plain" and "= S256" > transforms are supported. As always, get the latest endpoints from our > discovery document:https://accounts.google.com/.well-known/openid-configu= ration > > If you give it a spin, let me know how you go! The team monitors the Stac= k > Overflow google-oauth tag too, for = any > implementation questions. > > I'm keen to know what we should be putting in our discovery doc to declar= e > PKCE support (see the thread "Advertise PKCE support in OAuth 2.0 > Discovery"), hope we can agree on that soon. > > One implementation detail not covered in the spec: we error if you > send code_verifier to the token endpoint when exchanging a code that was > issued without a code_challenge being present. The assumption being that = if > you are sending code_verifier on the token exchange, you are using PKCE a= nd > should have sent code_challenge on the authorization request, so somethin= g > is amiss. > > William > > > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oau= th > > > -- > Vladimir Dzhuvinov > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --001a11408cf87412630529b302ae Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Awesome! Great to hear you've implemented it too :)
I added client-side support this weekend into an iOS clien= t that I'm writing, didn't take long at all.

On Tue, Jan 19, 2016 at 8:02 AM, V= ladimir Dzhuvinov <vladimir@connect2id.com> wrote:
=
=20 =20 =20
This is good news William! I hope more developers will become aware of PKCE through its adoption by Google. Right now there's virtually zero awareness about this option among devs.

Coincidentally we also put support for PKCE in the Nimbus OAuth/OIDC SDK this week. Regarding errors we practice what Nat suggested - i.e. we don't detail the exact cause of the error, but in the "error_description" field we list all possible causes that a = client dev should check - invalid code, redirect_uri mismatch, bad pkce challenge, etc.

Cheers,

Vladimir

On 19/01/16 07:46, William Denniss wrote:
This month we rolled out full PKCE (RFC7636) su=
pport on our OAuth endpoints.

We'd previously implemented an earlier draft but were not conformant to=
 the
final spec when it was published =E2=80=93 now we are. Both "plain&quo=
t; and "S256"
transforms are supported. As always, get the latest endpoints from our
discovery document:
https://accounts.google.com/.well-known/openid-configuratio=
n

If you give it a spin, let me know how you go! The team monitors the Stack
Overflow google-oauth
<http://stackoverflow.com/questions/tagged/google-oauth=
> tag too, for any
implementation questions.

I'm keen to know what we should be putting in our discovery doc to decl=
are
PKCE support (see the thread "Advertise PKCE support in OAuth 2.0
Discovery"), hope we can agree on that soon.

One implementation detail not covered in the spec: we error if you
send code_verifier to the token endpoint when exchanging a code that was
issued without a code_challenge being present. The assumption being that if
you are sending code_verifier on the token exchange, you are using PKCE and
should have sent code_challenge on the authorization request, so something
is amiss.

William




_______________________________________________
OAuth mailing list
OAuth@ietf.org
h=
ttps://www.ietf.org/mailman/listinfo/oauth


--=20
Vladimir Dzhuvinov

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--001a11408cf87412630529b302ae--