[OAUTH-WG] Comments about PKCE / RFC7636
isciurus <isciurus@gmail.com> Tue, 10 May 2016 21:58 UTC
Return-Path: <isciurus@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7FBC12D177 for <oauth@ietfa.amsl.com>; Tue, 10 May 2016 14:58:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xH47p0yFJI7 for <oauth@ietfa.amsl.com>; Tue, 10 May 2016 14:58:53 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4BB812D15C for <oauth@ietf.org>; Tue, 10 May 2016 14:58:53 -0700 (PDT)
Received: by mail-qk0-x22a.google.com with SMTP id n63so15394026qkf.0 for <oauth@ietf.org>; Tue, 10 May 2016 14:58:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=fBkXnf5rWwU10A5frPIVwuNue8tSo0vrJBg/Ly3K5gg=; b=U/z9Rz2ycaovTOepBJWnenTL2Qmq839889DZLBn4Bb3G75/3Di3IxpXxZSEz5UnkQ0 AvjaI1Y0vSfgfWEjKVjsVhBK07ED+xf8rDtWscR7fKsboiEMcGbwqiSvQi6cR8wyMWQN UEX7ZKBUPrj5xyRqbDiE+Y9G4a40cnD1sz3AjXo9CNP4hKExFNq0g6CJeSimjYxEv3p9 FazrK0vh4htIwodpN9iD6yKFk8ojbKUDFOhfOVUcqvWWzxZrRITLvUEkT6keLCssWA6m rOeO74O67LsVnrkKgt67fDyJziwRcjUTacpjvksb+qj9jJlUPKWQ18xXCd4X8LfpE1t6 Oq3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=fBkXnf5rWwU10A5frPIVwuNue8tSo0vrJBg/Ly3K5gg=; b=YCWA0umFehQd6j55EHunYKipii4z3oqVZ7oOtY7B98F0RtVa9FuGwTfDk9RVhq7TK4 ecsJQzhYWot7Qd0wz+1gucwye2THmnEjQ/pFZbZMkcDPimhJpftLfgIaTuQhUP+fs0Jh YVDIG3+5Gi+DizO/HPAPyqZK+LWlDSv1BM0j2XHVgP5QypCRmaercmDDG5/viss2Vdx8 LjbiKfJyqZUw1CL6hSBZR0WJh3/pR2IWwD+VOLVNuf4jbGN9BZ2aLMWRfg1T47lyUms1 sbpDL5HfI6mwaBmAPuiO+Zj13gTpiR8bJ8mnODXnh36psZFrylnc+fo0qj6mdYsH4bo0 Mkbw==
X-Gm-Message-State: AOPr4FUrsL/kG26Clu+slrIEFOW3z/kVedLPloqFEdpuYhL7Q4haGbWGJOB5tevqU1WyQcV5saUMSiBknnaWqA==
X-Received: by 10.55.215.25 with SMTP id m25mr12704958qki.34.1462917532834; Tue, 10 May 2016 14:58:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.102.213 with HTTP; Tue, 10 May 2016 14:58:33 -0700 (PDT)
From: isciurus <isciurus@gmail.com>
Date: Tue, 10 May 2016 14:58:33 -0700
Message-ID: <CAAJG_r-WypopxsEKj-WAAVKV4sEiGf5ST8mm4rDVUqcoPSTS+A@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a1149adc2e161cd05328407eb"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ugP4NE29UUvOgNLx0nn3VlE61X4>
Subject: [OAUTH-WG] Comments about PKCE / RFC7636
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2016 21:58:56 -0000
Hi, I have a few comments regarding the Proof Key for Code Exchange spec: 1. I wonder how exactly PKCE guarantees the protection for native apps in the context of generic OAuth 2 flow with an external browser, considering that a malicious app can initiate an authz request itself? More precisely, I believe there are two cases PKCE doesn't cover: - Malicious app generates its own code_verifier and opens an authz request in an external browser, which allows it to follow "1.1. Protocol Flow", eavesdrop the code at the callback uri it hijacked, and exchange it for token - Malicious app abuses the "5. Compatibility" section by initiating authz request without code_verifier for clients not supporting this extension, which allows it to just eavesdrop the code at the callback uri it hijacked, and exchange it for token By using parameter such as "immediate=true" / "display=none" app can even make authz request undetectable as it would silently succeed for previously TOSed apps and considering an existing browser session on provider. 2. Is it actually meant to be a sufficient protection to just follow PKCE in the generic OAuth 2 flow case for public clients (vs. using PKCE together with other improvements, such as with native apps sso flow http://www.thread-safe.com/2015/01/napps-high-level-flow-for-ios.html)? 3. What is meant by a "secure API" in the following claim from the "1. Introduction": "Step (1) happens through a secure API that cannot be intercepted, though it may potentially be observed in advanced attack scenarios."? Thanks, Andrey
- [OAUTH-WG] Comments about PKCE / RFC7636 isciurus
- Re: [OAUTH-WG] Comments about PKCE / RFC7636 Brian Campbell