Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

"Nat Sakimura" <n-sakimura@nri.co.jp> Tue, 19 January 2016 09:45 UTC

From: Nat Sakimura <n-sakimura@nri.co.jp>
To: 'William Denniss' <wdenniss@google.com>, oauth@ietf.org
Date: Tue, 19 Jan 2016 18:45:28 +0900
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/xpx5jVTTy0LqKThdYh9aqUIba1c>
Subject: Re: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

Wow, Congratulations, and thanks very much!

Best,


From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of William Denniss
Sent: Tuesday, January 19, 2016 2:46 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

This month we rolled out full PKCE (RFC7636) support on our OAuth endpoints.

We'd previously implemented an earlier draft but were not conformant to the final spec when it was published – now we are. Both "plain" and "S256" transforms are supported. As always, get the latest endpoints from our discovery document: https://accounts.google.com/.well-known/openid-configuration

If you give it a spin, let me know how you go! The team monitors the Stack Overflow google-oauth <http://stackoverflow.com/questions/tagged/google-oauth> tag too, for any implementation questions.

I'm keen to know what we should be putting in our discovery doc to declare PKCE support (see the thread "Advertise PKCE support in OAuth 2.0 Discovery"), hope we can agree on that soon.

One implementation detail not covered in the spec: we error if you send code_verifier to the token endpoint when exchanging a code that was issued without a code_challenge being present. The assumption is that if you are sending code_verifier on the token exchange, you are using PKCE and should have sent code_challenge on the authorization request, so something is amiss.

William
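As an added illustration of the token-endpoint behaviour William describes (this is not Google's code or anything posted in the thread), here is a minimal server-side PKCE check in Python: it implements the RFC 7636 "plain" and "S256" transforms and rejects a code_verifier presented for a code that was issued without a code_challenge. The `stored_challenge` and `stored_method` parameters are assumed to be whatever the authorization server persisted alongside the code; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple

# RFC 7636 section 4.1: code_verifier is 43 to 128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

# Test vector from RFC 7636 Appendix B (the spec's own example values).
RFC7636_EXAMPLE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_EXAMPLE_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_token_request(stored_challenge: Optional[str],
                        stored_method: Optional[str],
                        code_verifier: Optional[str]) -> Tuple[bool, str]:
    """Token-endpoint PKCE check (hypothetical server-side helper).

    stored_challenge / stored_method are whatever the server persisted with
    the authorization code (None when the client sent no code_challenge).
    Returns (accepted, reason).
    """
    if stored_challenge is None:
        # Code issued without PKCE. A code_verifier here means the client
        # believes it is using PKCE but never bound the code to a challenge,
        # so reject instead of silently ignoring the mismatch.
        if code_verifier is not None:
            return False, "code_verifier sent for a code issued without code_challenge"
        return True, "code was issued without PKCE"
    if code_verifier is None:
        return False, "code_verifier required for this code"
    if not _VERIFIER_RE.match(code_verifier):
        return False, "code_verifier malformed"
    if stored_method == "S256":
        expected = s256_challenge(code_verifier)
    elif stored_method in (None, "plain"):
        expected = code_verifier  # RFC 7636 4.3: method defaults to "plain"
    else:
        return False, "unsupported code_challenge_method"
    if not hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii")):
        return False, "code_verifier does not match code_challenge"
    return True, "PKCE verified"
```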