Daniel, you wrote:
> We would then have:
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
> except if you are a public client, then you still need PKCE.
> - use state, except if you use PKCE, then you don't need state.
I believe that this is an accurate statement of the facts, balancing
interoperability and simplicity. That’s what we should therefore say in the
spec (possibly rewording it to make it easier to parse and understand).
I would be OK going so far as also saying something along the lines of:
- Alternatively, new implementations may choose to always use PKCE, provided
that the client somehow can determine that the server it is communicating with
also supports PKCE.
That seems like a viable compromise, giving developers accurate information
that is actionable.
But mandating PKCE in all cases, even when unnecessary, would be an interop
disaster and would cause many to simply ignore the new spec.
OAuth 2.1 was supposed to not introduce breaking changes. If you want to do
that, please do it in TxAuth instead.
-- Mike
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
+1 to all what Aaron said. Thanks for pointing this out!
We need to address this in the security BCP and this will be a normative change
that affects OpenID Connect Core (just as our current recommendation on the
usage of nonce).
We would then have:
- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.
I think there are very good reasons to simplify this down to
- use PKCE
- you may or may not use state
First and foremost, not many people will understand why there are cases when
the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
understanding why you have to do something is key to compliance. The short
version "PKCE protects the code; there is a specific case where it is not
needed, but its better to use it all the time" is easy to understand. We will
not see many implementations following the long version above correctly.
Second, we dramatically reduce technical complexity by reducing cases that need
to be handled. We reduce correctness and compliance testing complexity in the
same way. We reduce the cost of security analysis, which scales really badly to
more cases.
And finally, using nonce to protect against code injection is less robust than
PKCE. AS have a better track record than clients when it comes to correctly
implementing security mechanisms.
Yes, this will make a number of implementations non-spec-compliant, but I do
not think that this is a huge problem. Software needs to adapt all the time and
a software that has not been changed in a while is probably not one you would
want to use anyway. We are setting a new goal for implementations to meet and
eventually, maintained implementations will get there.
-Daniel
Am 08.05.20 um 01:38 schrieb Aaron Parecki:
Backing up a step or two, there's another point here that I think has been
missed in these discussions.
PKCE solves two problems: stolen authorization codes for public clients, and
authorization code injection for all clients. We've only been talking about
authorization code injection on the list so far. The quoted section of the
security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only
talking about preventing authorization code injection.
The nonce parameter solves authorization code injection if the client requests
an ID token. Public clients using the nonce parameter are still susceptible to
stolen authorization codes so they still need to do PKCE as well.
The only case where OpenID Connect clients don't benefit from PKCE is if they
are also confidential clients. Public client OIDC clients still need to do PKCE
even if they check the nonce.
OpenID Connect servers working with confidential clients still benefit from
PKCE because they can then enforce the authorization code injection protection
server-side rather than cross their fingers that clients implemented the nonce
check properly.
I really don't think it's worth the amount of explanation this will take in the
future to write an exception into OAuth 2.1 or the Security BCP for only some
types of OpenID Connect clients when all clients would benefit from PKCE anyway.
Aaron
On Wed, May 6, 2020 at 10:48 AM Dick Hardt
<dick.ha...@gmail.com<mailto:dick.ha...@gmail.com>> wrote:
Hello!
We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce
solves some of the issues that PKCE protects against. We think that most OpenID
Connect implementations also support OAuth 2.0, and hence have support for PKCE
if following best practices.
The advantages or requiring PKCE are:
- a simpler programming model across all OAuth applications and profiles as
they all use PKCE
- reduced attack surface when using S256 as a fingerprint of the verifier is
sent through the browser instead of the clear text value
- enforcement by AS not client - makes it easier to handle for client
developers and AS can ensure the check is conducted
What are disadvantages besides the potential impact to OpenID Connect
deployments? How significant is that impact?
Dick, Aaron, and Torsten
ᐧ
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
