[OAUTH-WG] OAuth 2.1 - require PKCE?

Dick Hardt <dick.hardt@gmail.com> Wed, 06 May 2020 17:48 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8714F3A00D2 for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 10:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.994
X-Spam-Level:
X-Spam-Status: No, score=-0.994 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_ONLY_16=1.092, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4vYUoKLSKDkO for <oauth@ietfa.amsl.com>; Wed, 6 May 2020 10:48:37 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7C613A0947 for <oauth@ietf.org>; Wed, 6 May 2020 10:48:36 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id a21so3292234ljj.11 for <oauth@ietf.org>; Wed, 06 May 2020 10:48:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=VYZF2fDqPbh/acr8mfK5nO9cEkdx7dcctH7r36C/HEo=; b=C1l6pwcVJg+fToxMsw6WsuP5uVMeWMiOb0b8guPfkNaBQZIVaLiCg+P5mFwFwdc9bO xmrdXEfHM3197uaGsl7FhvIjFt3Bt4N/ZTdtKp7FkcKVkdIaEcDgtvJptICYx23dZWK3 2V9aiq/8Yy/7mr9ZE4mteUtKG7E7BqHNfGIv8IqBEIsBKBHPm5JpKo2ZIbrosBaa63WL 0tffkCrRod+wgzX14Xb7olzvFS7s/m4PiTTj2xztWsPAnu6PWHpNyrBLoeNggSd7pu8j XaSgbbV/o9o0p+BKLC63J7/9ebObKshUgSp2nyEMbtKqXO/YO9q4KmL5Uuf0hXE0h7l9 FscA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=VYZF2fDqPbh/acr8mfK5nO9cEkdx7dcctH7r36C/HEo=; b=TlLfKpb/9ClRJVErmgfRzATFRS4W8cdHXDhEv/BtVcKejyNbk2Tmj71ZxogXMQootw 6Y2W5JKi1ECjGav01Cd1Sju/LuyD/jqhTmucMr/Qnx33rC3onDHAKni5408OhHgWYxWz iYFGszngU5ekO/20AZ9ZucNEoiBpZXIEhMXIKfsE4WXcwnqc5l95BWD9NPgTEvC0hh/+ NX51fDm8yi8ROLsiPjjfjYqfYFwe+K8Crn9vI05C06ls5cN22xboFFFT8zx7QAaCRmHt bVOHpRZrMYP8Vm6ZuIw8pP1Ou2B4H/I1d3GxqQsqZtP893dzoS3UhdNeaL88nraUmI1H l/dQ==
X-Gm-Message-State: AGi0PuaYV4/MxLy4eKE7rSdAZJQ6kr9rsqYZfoaZvQjDcV48OOVjPL68 O+/6gtquw05a8sHCadJV4bh3Ws6X8sgAL1u8YI5yUuSMwkk=
X-Google-Smtp-Source: APiQypJuc71xtM+8wmgY+PVJQltN80QoXUEsBWTz193bvUmPV86pwAjh0rVTviUWMrgewBsw9ekKwXEcDVMtllnHijQ=
X-Received: by 2002:a2e:b1c9:: with SMTP id e9mr5983035lja.102.1588787314456; Wed, 06 May 2020 10:48:34 -0700 (PDT)
MIME-Version: 1.0
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 6 May 2020 10:48:08 -0700
Message-ID: <CAD9ie-sRjnt67qjZ9Uw1E7KNR+YbKr6NiyA+uG1dDWqjDC082A@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008080ea05a4fe5ff6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/w64QPBrwwtyeKVtKReawHHvE3Ec>
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 17:48:39 -0000

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
practice for OAuth 2.0. It is not common in OpenID Connect servers as the
nonce solves some of the issues that PKCE protects against. We think that
most OpenID Connect implementations also support OAuth 2.0, and hence have
support for PKCE if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier
is sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect
deployments? How significant is that impact?

Dick, Aaron, and Torsten

ᐧ