Re: [OAUTH-WG] authorization code injection - draft-ietf-oauth-security-topics-13

Daniel Fett <fett@danielfett.de> Mon, 25 November 2019 15:12 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9DAB120978 for <oauth@ietfa.amsl.com>; Mon, 25 Nov 2019 07:12:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WEk95efXauKv for <oauth@ietfa.amsl.com>; Mon, 25 Nov 2019 07:12:17 -0800 (PST)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 070BE120137 for <oauth@ietf.org>; Mon, 25 Nov 2019 07:12:17 -0800 (PST)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id C1D9F1B1C for <oauth@ietf.org>; Mon, 25 Nov 2019 15:12:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1574694734; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4W1lxipKbSYAL2e+ekl5Ypciq5bOHIZrk/P4eEBNhDk=; b=ouamWRwSyIpy0y45ZOF77yJe0/vOdZfBjq8b639GHqt+4/NgmWuWw2fWfzA7a2lupu/s57 fz69N2eJtmnXUJd8hnKxuBtly3BlpnLKkY9o8LIDgIC/lGnCUilFKKdfR12Fzqu2C1LqKB yoYQ8iscpAQHIoiFjrtVZeqT2hFh58Q=
To: oauth@ietf.org
References: <CAGBSGjqpXjXDMH-YMap5kEeWg4qA0R447nNK9zjLUP+mJ=XT2w@mail.gmail.com> <97C1CF0C-451E-430F-8B35-AF8B5A4D2E2D@lodderstedt.net> <CAGBSGjpOoTKEqHEgpGP3zn4B1tzQ6Ez2e2VMANn1wn1x6bxv5w@mail.gmail.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <2e928a72-e058-5744-f604-ccc55625164e@danielfett.de>
Date: Mon, 25 Nov 2019 16:12:14 +0100
MIME-Version: 1.0
In-Reply-To: <CAGBSGjpOoTKEqHEgpGP3zn4B1tzQ6Ez2e2VMANn1wn1x6bxv5w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------E44F3A1F05232C3F94BA3E56"
Content-Language: de-AT-frami
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1574694734; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4W1lxipKbSYAL2e+ekl5Ypciq5bOHIZrk/P4eEBNhDk=; b=cWzhGr7lRzRKl6ZB/Ua387jnFWkWhNeGQI3fDf4iRv9cLEIs4tEG35DKogYAJCpwYPLn16 uS2e9nj7NHKZRC3WmbWBQSG+VwVCKUyr+pt91Vbo/328UDIZCOJl16CU62XL6qzIP+AKIn kGryOFZF/R/4+dXdu7VO6e3Nsf0LVBc=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1574694734; a=rsa-sha256; cv=none; b=cMVVR6Kp9ZwXKCXU7Z6VnqQ2H5S9U1Ye827VsBODu5kH7H5DYoAfclkibJsSGAhcUY1UNaZarEVpxUSdSIxY9fdgAny6Np4cY9jGgc8rqencRVgjDAWKL4yREMMU9egs9gq5b3QVffiaCllZjBTDe2qOXO7YU+WRynOj3mfqwEQ=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/w1CCqmvy9OIB8bC0Sayl2i_IUMc>
Subject: Re: [OAUTH-WG] authorization code injection - draft-ietf-oauth-security-topics-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Nov 2019 15:12:20 -0000

Am 16.11.19 um 14:28 schrieb Aaron Parecki:
> Thanks for the reply. You're right, PKCE requires maintaining
> application state as well, and does solve the main worry I have.
>
> However I think there is still something more. I guess my concern is
> around the specific wording:
>
>> in this case, 'state' may be used again for its original purpose...
> My concern is if people see this recommendation, (even though it's
> clarified that it only applies if the authorization server supports
> PKCE), they may revert back to static "state" values *regardless* of
> whether the server supports PKCE, opening up a security hole again.
> This is especially problematic because of the way PKCE works where
> clients have no indication as to whether the server supports PKCE if
> the whole flow is successful.
>
> I guess I just would rather not mention the possibility of using
> static state values again.
I would like to keep this note. We could change the wording, however.
How about this:


"If PKCE [RFC7636] is used by the client and the client *has ensured*
that the authorization server supports PKCE, the client MAY opt to not
use "state" for CSRF protection".

-Daniel