Requiring a change to every deployed RP is not “a very small leap”. It’s an
invasive big deal, introducing a breaking change and bifurcating a
well-functioning ecosystem without sufficient cause.
What this actually points out to me is that we should modify the language in
the Security BCP to say something like “OAuth Servers MUST support PKCE unless
they are only used for OpenID Connect Authentication Requests”. I’d thought
that that was already the case, as that mirrors the client requirements and I
apparently failed to read it closely enough. I’ll submit a separate request
for the change to the Security BCP to make it self-consistent.
-- Mike
From: Aaron Parecki <aa...@parecki.com>
Sent: Wednesday, May 6, 2020 1:43 PM
To: Mike Jones <michael.jo...@microsoft.com>
Cc: Dick Hardt <dick.ha...@gmail.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
Going back to this point about server vs client requirements, since both the
Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE, isn't that
already imposing additional requirements on OpenID Connect providers that don't
currently exist in OpenID Connect alone?
OPs that want to be compliant with the Security BCP will need to add PKCE
support if they don't already have it (many of them already support it so for
many of them this will not be any change), so it seems like a very small leap
to also require clients implement PKCE as well.
On Wed, May 6, 2020 at 12:31 PM Mike Jones
<michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>> wrote:
I realize what it says about servers. My point is that OAuth 2.1’s
requirements on clients should match those in the security BCP and not try to
go beyond them.
-- Mike
From: Aaron Parecki <aa...@parecki.com<mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 12:24 PM
To: Mike Jones <michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>>
Cc: Dick Hardt <dick.ha...@gmail.com<mailto:dick.ha...@gmail.com>>;
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
Yes, the BCP says *clients* may use either PKCE or nonce to prevent
authorization code injection. Shortly after that quoted segment is the below:
> Authorization servers MUST support PKCE [RFC7636].
On Wed, May 6, 2020 at 12:22 PM Mike Jones
<michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>> wrote:
Aaron, the section you cited at
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
makes it clear that clients can support EITHER PKCE or the OpenID Connect
nonce. The text is:
Clients MUST prevent injection (replay) of authorization codes into
the authorization response by attackers. The use of PKCE
[RFC7636<https://tools.ietf.org/html/rfc7636>]
is RECOMMENDED to this end. The OpenID Connect "nonce" parameter and
ID Token Claim
[OpenID<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#ref-OpenID>]
MAY be used as well. The PKCE challenge or
OpenID Connect "nonce" MUST be transaction-specific and securely
bound to the client and the user agent in which the transaction was
started.
We should not attempt to change that in OAuth 2.1, as doing so would needlessly
break already working and secure clients.
-- Mike
From: Aaron Parecki <aa...@parecki.com<mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 11:56 AM
To: Mike Jones <michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>>
Cc: Dick Hardt <dick.ha...@gmail.com<mailto:dick.ha...@gmail.com>>;
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
> In particular, authorization servers shouldn’t be required to support PKCE
> when they already support the OpenID Connect nonce.
The Security BCP already requires that ASs support PKCE:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
Are you suggesting that the Security BCP change that requirement as well? If
so, that's a discussion that needs to be had ASAP. If not, then that's an
implicit statement that it's okay for OpenID Connect implementations to not be
best-practice OAuth implementations. And if that's the case, then I also think
it's acceptable that they are not complete OAuth 2.1 implementations either.
On Wed, May 6, 2020 at 11:21 AM Mike Jones
<Michael.Jones=40microsoft....@dmarc.ietf.org<mailto:40microsoft....@dmarc.ietf.org>>
wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that
you’re trying to add a normative requirement that’s not required of OpenID
Connect deployments today, which would bifurcate the ecosystem. There are
hundreds of implementations (including the 141 certified ones at
https://openid.net/certification/), none of which have ever been required to
support PKCE. Therefore, most don’t.
Per feedback already provided, I believe that OAuth 2.1 should align with the
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or
the OpenID Connect nonce. Trying to retroactively impose unnecessary
requirements on existing deployments is unlikely to succeed and will
significantly reduce the relevance of the OAuth 2.1 effort.
In particular, authorization servers shouldn’t be required to support PKCE when
they already support the OpenID Connect nonce. And clients shouldn’t reject
responses from servers that don’t support PKCE when they do contain the OpenID
Connect nonce. Doing so would unnecessarily break things and create confusion
in the marketplace.
-- Mike
From: OAuth <oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org>> On Behalf
Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
Hello!
We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce
solves some of the issues that PKCE protects against. We think that most OpenID
Connect implementations also support OAuth 2.0, and hence have support for PKCE
if following best practices.
The advantages or requiring PKCE are:
- a simpler programming model across all OAuth applications and profiles as
they all use PKCE
- reduced attack surface when using S256 as a fingerprint of the verifier is
sent through the browser instead of the clear text value
- enforcement by AS not client - makes it easier to handle for client
developers and AS can ensure the check is conducted
What are disadvantages besides the potential impact to OpenID Connect
deployments? How significant is that impact?
Dick, Aaron, and Torsten
[https://mailfoogae..appspot.com/t?sender=aZGljay5oYXJkdEBnbWFpbC5jb20%3D&type=zerocontent&guid=452438ba-d429-4656-ace9-b284744bc171]ᐧ
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
