date:20200506

Re: [OAUTH-WG] Aligning PKCE requirements within the OAuth Security BCP

2020-05-06 Thread Sascha Preibisch

The document is called "...Best Current Practice ..." and includes
recommendations. Could it be sufficient to say "Authorization servers
support PKCE" in section 2.1.1?  I believe MUST and other such terms
may not necessarily belong into such document.

Regards,
Sascha

On Wed, 6 May 2020 at 14:04, Mike Jones
 wrote:
>
> As is being discussed in the thread “[OAUTH-WG] OAuth 2.1 - require PKCE?”, 
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1..1
>  has inconsistent requirements for PKCE support between clients and servers.  
> Per the first paragraph, clients must either use PKCE or use the OpenID 
> Connect nonce to prevent authorization code injection.  Whereas the fourth 
> paragraph says “Authorization servers MUST support PKCE [RFC7636].”.  This 
> imposes a requirement on servers that isn’t present for corresponding 
> clients.  (I missed this internal discrepancy within the specification when I 
> did my review.)
>
>
>
> I therefore request that the fourth paragraph by change to read: “OAuth 
> Servers MUST support PKCE [RFC7636] unless they are only used for OpenID 
> Connect Authentication Requests”, making the requirements on clients and 
> servers parallel.  That way PKCE will still be there unless you don’t need 
> it.  (And it still could be there if the server implementer chooses to have 
> it in all cases, but that should be their call.)
>
>
>
>Thank you,
>
>-- Mike
>
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Brian Campbell

I think the point is that the Security BCP in
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1..1
requires that the authz request has either the PKCE "code_challenge" or the
OIDC "nonce". Whereas 2.1 in
https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-4.1.1.3
flat out requires PKCE "code_challenge" in the authz request. They are not
equivalent and have very different ramifications on interoperability etc..


On Wed, May 6, 2020 at 2:43 PM Aaron Parecki  wrote:

> Going back to this point about server vs client requirements, since both
> the Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE,
> isn't that already imposing additional requirements on OpenID Connect
> providers that don't currently exist in OpenID Connect alone?
>
> OPs that want to be compliant with the Security BCP will need to add PKCE
> support if they don't already have it (many of them already support it so
> for many of them this will not be any change), so it seems like a very
> small leap to also require clients implement PKCE as well.
>
> On Wed, May 6, 2020 at 12:31 PM Mike Jones 
> wrote:
>
>> I realize what it says about servers.  My point is that OAuth 2.1’s
>> requirements on *clients* should match those in the security BCP and not
>> try to go beyond them.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Aaron Parecki 
>> *Sent:* Wednesday, May 6, 2020 12:24 PM
>> *To:* Mike Jones 
>> *Cc:* Dick Hardt ; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Yes, the BCP says *clients* may use either PKCE or nonce to prevent
>> authorization code injection. Shortly after that quoted segment is the
>> below:
>>
>>
>>
>> > Authorization servers MUST support PKCE [RFC7636].
>>
>>
>>
>> On Wed, May 6, 2020 at 12:22 PM Mike Jones 
>> wrote:
>>
>> Aaron, the section you cited at
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>> makes it clear that clients can support EITHER PKCE or the OpenID Connect
>> nonce.   The text is:
>>
>>
>>
>>Clients MUST prevent injection (replay) of authorization codes into
>>
>>the authorization response by attackers.  The use of PKCE [RFC7636
>> ]
>>
>>is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>>
>>ID Token Claim [OpenID
>> ]
>> MAY be used as well.  The PKCE challenge or
>>
>>OpenID Connect "nonce" MUST be transaction-specific and securely
>>
>>bound to the client and the user agent in which the transaction was
>>
>>started.
>>
>>
>>
>> We should not attempt to change that in OAuth 2.1, as doing so would
>> needlessly break already working and secure clients.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Aaron Parecki 
>> *Sent:* Wednesday, May 6, 2020 11:56 AM
>> *To:* Mike Jones 
>> *Cc:* Dick Hardt ; oauth@ietf.org
>> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> > In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.
>>
>>
>>
>> The Security BCP already requires that ASs support PKCE:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>  Are
>> you suggesting that the Security BCP change that requirement as well? If
>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>> implicit statement that it's okay for OpenID Connect implementations to not
>> be best-practice OAuth implementations. And if that's the case, then I also
>> think it's acceptable that they are not complete OAuth 2.1 implementations
>> either.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones > 40microsoft@dmarc.ietf.org> wrote:
>>
>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>> that you’re trying to add a normative requirement that’s not required of
>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>> There are hundreds of implementations (including the 141 certified ones at
>> https://openid.net/certification/), none of which have ever been
>> required to support PKCE.  Therefore, most don’t.
>>
>>
>>
>> Per feedback already provided, I believe that OAuth 2.1 should align with
>> the guidance already in the draft Security BCP, requiring EITHER the use of
>> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
>> unnecessary requirements on existing deployments is unlikely to succeed and
>> will significantly reduce the relevance of the OAuth 2.1 effort.
>>
>>
>>
>> In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.  And clients
>> shouldn’t reject responses from servers that don’t support PKCE when they
>> do

[OAUTH-WG] Aligning PKCE requirements within the OAuth Security BCP

2020-05-06 Thread Mike Jones

As is being discussed in the thread "[OAUTH-WG] OAuth 2.1 - require PKCE?", 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
has inconsistent requirements for PKCE support between clients and servers.  
Per the first paragraph, clients must either use PKCE or use the OpenID Connect 
nonce to prevent authorization code injection.  Whereas the fourth paragraph 
says "Authorization servers MUST support PKCE [RFC7636].".  This imposes a 
requirement on servers that isn't present for corresponding clients.  (I missed 
this internal discrepancy within the specification when I did my review.)

I therefore request that the fourth paragraph by change to read: "OAuth Servers 
MUST support PKCE [RFC7636] unless they are only used for OpenID Connect 
Authentication Requests", making the requirements on clients and servers 
parallel.  That way PKCE will still be there unless you don't need it.  (And it 
still could be there if the server implementer chooses to have it in all cases, 
but that should be their call.)

   Thank you,
   -- Mike

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Mike Jones

Requiring a change to every deployed RP is not “a very small leap”.  It’s an 
invasive big deal, introducing a breaking change and bifurcating a 
well-functioning ecosystem without sufficient cause.

What this actually points out to me is that we should modify the language in 
the Security BCP to say something like “OAuth Servers MUST support PKCE unless 
they are only used for OpenID Connect Authentication Requests”.  I’d thought 
that that was already the case, as that mirrors the client requirements and I 
apparently failed to read it closely enough.  I’ll submit a separate request 
for the change to the Security BCP to make it self-consistent.

   -- Mike

From: Aaron Parecki 
Sent: Wednesday, May 6, 2020 1:43 PM
To: Mike Jones 
Cc: Dick Hardt ; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Going back to this point about server vs client requirements, since both the 
Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE, isn't that 
already imposing additional requirements on OpenID Connect providers that don't 
currently exist in OpenID Connect alone?

OPs that want to be compliant with the Security BCP will need to add PKCE 
support if they don't already have it (many of them already support it so for 
many of them this will not be any change), so it seems like a very small leap 
to also require clients implement PKCE as well.

On Wed, May 6, 2020 at 12:31 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
I realize what it says about servers.  My point is that OAuth 2.1’s 
requirements on clients should match those in the security BCP and not try to 
go beyond them.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 12:24 PM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Dick Hardt mailto:dick.ha...@gmail.com>>; 
oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Yes, the BCP says *clients* may use either PKCE or nonce to prevent 
authorization code injection. Shortly after that quoted segment is the below:

> Authorization servers MUST support PKCE [RFC7636].

On Wed, May 6, 2020 at 12:22 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
Aaron, the section you cited at 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
makes it clear that clients can support EITHER PKCE or the OpenID Connect 
nonce.   The text is:

   Clients MUST prevent injection (replay) of authorization codes into
   the authorization response by attackers.  The use of PKCE 
[RFC7636]
   is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
   ID Token Claim 
[OpenID]
 MAY be used as well.  The PKCE challenge or
   OpenID Connect "nonce" MUST be transaction-specific and securely
   bound to the client and the user agent in which the transaction was
   started.

We should not attempt to change that in OAuth 2.1, as doing so would needlessly 
break already working and secure clients.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 11:56 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Dick Hardt mailto:dick.ha...@gmail.com>>; 
oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.

On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Dick Hardt

I hear Mike's point on breaking existing RPs. There are alot of them out
there.

For discussion purposes, let's call the current version OIDC 1.0 and the
version running OAuth 2.1, OIDC 1.1

Is there a reason a server can't be running both versions at the same time,
and support clients running both versions at the same time? The AS could
then enforce new and migrated clients running OIDC 1.1 to use PKCE.









ᐧ

On Wed, May 6, 2020 at 1:43 PM Aaron Parecki  wrote:

> Going back to this point about server vs client requirements, since both
> the Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE,
> isn't that already imposing additional requirements on OpenID Connect
> providers that don't currently exist in OpenID Connect alone?
>
> OPs that want to be compliant with the Security BCP will need to add PKCE
> support if they don't already have it (many of them already support it so
> for many of them this will not be any change), so it seems like a very
> small leap to also require clients implement PKCE as well.
>
> On Wed, May 6, 2020 at 12:31 PM Mike Jones 
> wrote:
>
>> I realize what it says about servers.  My point is that OAuth 2.1’s
>> requirements on *clients* should match those in the security BCP and not
>> try to go beyond them.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Aaron Parecki 
>> *Sent:* Wednesday, May 6, 2020 12:24 PM
>> *To:* Mike Jones 
>> *Cc:* Dick Hardt ; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Yes, the BCP says *clients* may use either PKCE or nonce to prevent
>> authorization code injection. Shortly after that quoted segment is the
>> below:
>>
>>
>>
>> > Authorization servers MUST support PKCE [RFC7636].
>>
>>
>>
>> On Wed, May 6, 2020 at 12:22 PM Mike Jones 
>> wrote:
>>
>> Aaron, the section you cited at
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>> makes it clear that clients can support EITHER PKCE or the OpenID Connect
>> nonce.   The text is:
>>
>>
>>
>>Clients MUST prevent injection (replay) of authorization codes into
>>
>>the authorization response by attackers.  The use of PKCE [RFC7636
>> ]
>>
>>is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>>
>>ID Token Claim [OpenID
>> ]
>> MAY be used as well.  The PKCE challenge or
>>
>>OpenID Connect "nonce" MUST be transaction-specific and securely
>>
>>bound to the client and the user agent in which the transaction was
>>
>>started.
>>
>>
>>
>> We should not attempt to change that in OAuth 2.1, as doing so would
>> needlessly break already working and secure clients.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Aaron Parecki 
>> *Sent:* Wednesday, May 6, 2020 11:56 AM
>> *To:* Mike Jones 
>> *Cc:* Dick Hardt ; oauth@ietf.org
>> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> > In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.
>>
>>
>>
>> The Security BCP already requires that ASs support PKCE:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>  Are
>> you suggesting that the Security BCP change that requirement as well? If
>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>> implicit statement that it's okay for OpenID Connect implementations to not
>> be best-practice OAuth implementations. And if that's the case, then I also
>> think it's acceptable that they are not complete OAuth 2.1 implementations
>> either.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones > 40microsoft@dmarc.ietf.org> wrote:
>>
>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>> that you’re trying to add a normative requirement that’s not required of
>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>> There are hundreds of implementations (including the 141 certified ones at
>> https://openid.net/certification/), none of which have ever been
>> required to support PKCE.  Therefore, most don’t.
>>
>>
>>
>> Per feedback already provided, I believe that OAuth 2.1 should align with
>> the guidance already in the draft Security BCP, requiring EITHER the use of
>> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
>> unnecessary requirements on existing deployments is unlikely to succeed and
>> will significantly reduce the relevance of the OAuth 2.1 effort.
>>
>>
>>
>> In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.  And clients
>> shouldn’t reject responses from servers that don’t support PKCE when they
>> do contain the OpenID Connect nonce.

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Aaron Parecki

Going back to this point about server vs client requirements, since both
the Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE,
isn't that already imposing additional requirements on OpenID Connect
providers that don't currently exist in OpenID Connect alone?

OPs that want to be compliant with the Security BCP will need to add PKCE
support if they don't already have it (many of them already support it so
for many of them this will not be any change), so it seems like a very
small leap to also require clients implement PKCE as well.

On Wed, May 6, 2020 at 12:31 PM Mike Jones 
wrote:

> I realize what it says about servers.  My point is that OAuth 2.1’s
> requirements on *clients* should match those in the security BCP and not
> try to go beyond them.
>
>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Wednesday, May 6, 2020 12:24 PM
> *To:* Mike Jones 
> *Cc:* Dick Hardt ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Yes, the BCP says *clients* may use either PKCE or nonce to prevent
> authorization code injection. Shortly after that quoted segment is the
> below:
>
>
>
> > Authorization servers MUST support PKCE [RFC7636].
>
>
>
> On Wed, May 6, 2020 at 12:22 PM Mike Jones 
> wrote:
>
> Aaron, the section you cited at
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1.1
> makes it clear that clients can support EITHER PKCE or the OpenID Connect
> nonce.   The text is:
>
>
>
>Clients MUST prevent injection (replay) of authorization codes into
>
>the authorization response by attackers.  The use of PKCE [RFC7636
> ]
>
>is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>
>ID Token Claim [OpenID
> ]
> MAY be used as well.  The PKCE challenge or
>
>OpenID Connect "nonce" MUST be transaction-specific and securely
>
>bound to the client and the user agent in which the transaction was
>
>started.
>
>
>
> We should not attempt to change that in OAuth 2.1, as doing so would
> needlessly break already working and secure clients.
>
>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Wednesday, May 6, 2020 11:56 AM
> *To:* Mike Jones 
> *Cc:* Dick Hardt ; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> > In particular, authorization servers shouldn’t be required to support
> PKCE when they already support the OpenID Connect nonce.
>
>
>
> The Security BCP already requires that ASs support PKCE:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1.1
>  Are
> you suggesting that the Security BCP change that requirement as well? If
> so, that's a discussion that needs to be had ASAP. If not, then that's an
> implicit statement that it's okay for OpenID Connect implementations to not
> be best-practice OAuth implementations. And if that's the case, then I also
> think it's acceptable that they are not complete OAuth 2.1 implementations
> either.
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Wed, May 6, 2020 at 11:21 AM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
> The disadvantage of requiring PKCE for OpenID Connect implementations is
> that you’re trying to add a normative requirement that’s not required of
> OpenID Connect deployments today, which would bifurcate the ecosystem.
> There are hundreds of implementations (including the 141 certified ones at
> https://openid.net/certification/), none of which have ever been required
> to support PKCE.  Therefore, most don’t.
>
>
>
> Per feedback already provided, I believe that OAuth 2.1 should align with
> the guidance already in the draft Security BCP, requiring EITHER the use of
> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
> unnecessary requirements on existing deployments is unlikely to succeed and
> will significantly reduce the relevance of the OAuth 2.1 effort.
>
>
>
> In particular, authorization servers shouldn’t be required to support PKCE
> when they already support the OpenID Connect nonce.  And clients shouldn’t
> reject responses from servers that don’t support PKCE when they do contain
> the OpenID Connect nonce.  Doing so would unnecessarily break things and
> create confusion in the marketplace.
>
>
>
>   -- Mike
>
>
>
> *From:* OAuth  *On Behalf Of *Dick Hardt
> *Sent:* Wednesday, May 6, 2020 10:48 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hello!
>
>
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the
> nonce solves some of the issues that PKCE protects against. We think that
> most OpenID Connect implementations also support

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Mike Jones

It could, but that would require an explicit decision by the OpenID Connect 
working group to make existing RPs incompatible with new OPs, breaking 
interoperability.  That’s not a decision we should make lightly or without a 
compelling reason to do so.

   -- Mike

From: Phillip Hunt 
Sent: Wednesday, May 6, 2020 1:16 PM
To: Mike Jones 
Cc: Aaron Parecki ; Steinar Noem ; 
oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Why couldn’t OIDC evolve as a spec to conform and match FAPI and 2.1?
Phil

On May 6, 2020, at 12:34 PM, Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:

Yes, FAPI requires PKCE, which is great.  Many of its requirements come from 
OpenID Connect but some of them are intentionally incompatible – such as 
requiring that Basic authentication not be supported, whereas Connect requires 
that it be supported.  It’s a different ecosystem with different requirements.

Don’t get me wrong, I support PKCE where it makes sense, such as when you’re 
doing bare OAuth without OpenID Connect.  But trying to impose an unnecessary 
requirement on a working and secure ecosystem will just create grief for us and 
our customers and lessen our credibility as stewards of the OAuth ecosystem.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 12:29 PM
To: Steinar Noem mailto:stei...@udelt.no>>
Cc: Phillip Hunt 
mailto:phil.h...@independentid.com>>; Mike Jones 
mailto:michael.jo...@microsoft.com>>; 
oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

I should add that even some OpenID Connect profiles require PKCE, such as FAPI:

https://openid.net/specs/openid-financial-api-part-1.html#authorization-server

So the precedent for requiring PKCE already exists within some OpenID Connect 
profiles.

On Wed, May 6, 2020 at 12:23 PM Aaron Parecki 
mailto:aa...@parecki.com>> wrote:
Yes, and also, many of those providers very likely already support PKCE 
already. Skimming through that list of certified OPs, I recognize many names 
there from providers that I know support PKCE.

On Wed, May 6, 2020 at 12:18 PM Steinar Noem 
mailto:stei...@udelt.no>> wrote:
So, wouldn't a MUST just mean that we would have some OPs that are 2.1 
compliant and some that aren't?

ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt 
mailto:phil.h...@independentid.com>>:
Mike,

The point of 2.1 is to raise the security bar..

Yes it adds new MUST requirements.

But what about OIDC would break other than required implementation of PKCE to 
support 2.1?

Eg Would additional signaling be required to facilitate interoperability and 
migration between versions? Would that be an oauth issue or an OIDC one?

Phil

On May 6, 2020, at 11:56 AM, Aaron Parecki 
mailto:aa...@parecki.com>> wrote:

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.

On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org
Subject:

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Phillip Hunt

Why couldn’t OIDC evolve as a spec to conform and match FAPI and 2.1?  

Phil

> On May 6, 2020, at 12:34 PM, Mike Jones  wrote:
> 
> 
> Yes, FAPI requires PKCE, which is great.  Many of its requirements come from 
> OpenID Connect but some of them are intentionally incompatible – such as 
> requiring that Basic authentication not be supported, whereas Connect 
> requires that it be supported.  It’s a different ecosystem with different 
> requirements.
>  
> Don’t get me wrong, I support PKCE where it makes sense, such as when you’re 
> doing bare OAuth without OpenID Connect.  But trying to impose an unnecessary 
> requirement on a working and secure ecosystem will just create grief for us 
> and our customers and lessen our credibility as stewards of the OAuth 
> ecosystem.
>  
>-- Mike
>  
> From: Aaron Parecki  
> Sent: Wednesday, May 6, 2020 12:29 PM
> To: Steinar Noem 
> Cc: Phillip Hunt ; Mike Jones 
> ; oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>  
> I should add that even some OpenID Connect profiles require PKCE, such as 
> FAPI:
>  
> https://openid.net/specs/openid-financial-api-part-1.html#authorization-server
>  
> So the precedent for requiring PKCE already exists within some OpenID Connect 
> profiles.
>  
> On Wed, May 6, 2020 at 12:23 PM Aaron Parecki  wrote:
> Yes, and also, many of those providers very likely already support PKCE 
> already. Skimming through that list of certified OPs, I recognize many names 
> there from providers that I know support PKCE.
>  
> On Wed, May 6, 2020 at 12:18 PM Steinar Noem  wrote:
> So, wouldn't a MUST just mean that we would have some OPs that are 2.1 
> compliant and some that aren't?
>  
> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt :
> Mike,
>  
> The point of 2.1 is to raise the security bar.. 
>  
> Yes it adds new MUST requirements. 
>  
> But what about OIDC would break other than required implementation of PKCE to 
> support 2.1?
>  
> Eg Would additional signaling be required to facilitate interoperability and 
> migration between versions? Would that be an oauth issue or an OIDC one?
>  
> Phil
> 
> 
> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
> 
> 
> > In particular, authorization servers shouldn’t be required to support PKCE 
> > when they already support the OpenID Connect nonce.
>  
> The Security BCP already requires that ASs support PKCE: 
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
> Are you suggesting that the Security BCP change that requirement as well? If 
> so, that's a discussion that needs to be had ASAP. If not, then that's an 
> implicit statement that it's okay for OpenID Connect implementations to not 
> be best-practice OAuth implementations. And if that's the case, then I also 
> think it's acceptable that they are not complete OAuth 2.1 implementations 
> either.
>  
>  
>  
>  
>  
>  
> On Wed, May 6, 2020 at 11:21 AM Mike Jones 
>  wrote:
> The disadvantage of requiring PKCE for OpenID Connect implementations is that 
> you’re trying to add a normative requirement that’s not required of OpenID 
> Connect deployments today, which would bifurcate the ecosystem.  There are 
> hundreds of implementations (including the 141 certified ones at 
> https://openid.net/certification/), none of which have ever been required to 
> support PKCE.  Therefore, most don’t.
>  
> Per feedback already provided, I believe that OAuth 2.1 should align with the 
> guidance already in the draft Security BCP, requiring EITHER the use of PKCE 
> or the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
> requirements on existing deployments is unlikely to succeed and will 
> significantly reduce the relevance of the OAuth 2.1 effort.
>  
> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.  And clients shouldn’t 
> reject responses from servers that don’t support PKCE when they do contain 
> the OpenID Connect nonce.  Doing so would unnecessarily break things and 
> create confusion in the marketplace.
>  
>   -- Mike
>  
> From: OAuth  On Behalf Of Dick Hardt
> Sent: Wednesday, May 6, 2020 10:48 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
>  
> Hello!
>  
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
> nonce solves some of the issues that PKCE protects against. We think that 
> most OpenID Connect implementations also support OAuth 2.0, and hence have 
> support for PKCE if following best practices.
>  
> The advantages or requiring PKCE are:
>  
> - a simpler programming model across all OAuth applications and profiles as 
> they all use PKCE
>  
> - reduced attack surface when using  S256 as a fingerprint of the verifier is 
>

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Mike Jones

Yes, FAPI requires PKCE, which is great.  Many of its requirements come from 
OpenID Connect but some of them are intentionally incompatible – such as 
requiring that Basic authentication not be supported, whereas Connect requires 
that it be supported.  It’s a different ecosystem with different requirements.

Don’t get me wrong, I support PKCE where it makes sense, such as when you’re 
doing bare OAuth without OpenID Connect.  But trying to impose an unnecessary 
requirement on a working and secure ecosystem will just create grief for us and 
our customers and lessen our credibility as stewards of the OAuth ecosystem.

   -- Mike

From: Aaron Parecki 
Sent: Wednesday, May 6, 2020 12:29 PM
To: Steinar Noem 
Cc: Phillip Hunt ; Mike Jones 
; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

I should add that even some OpenID Connect profiles require PKCE, such as FAPI:

https://openid.net/specs/openid-financial-api-part-1.html#authorization-server

So the precedent for requiring PKCE already exists within some OpenID Connect 
profiles.

On Wed, May 6, 2020 at 12:23 PM Aaron Parecki 
mailto:aa...@parecki.com>> wrote:
Yes, and also, many of those providers very likely already support PKCE 
already. Skimming through that list of certified OPs, I recognize many names 
there from providers that I know support PKCE.

On Wed, May 6, 2020 at 12:18 PM Steinar Noem 
mailto:stei...@udelt.no>> wrote:
So, wouldn't a MUST just mean that we would have some OPs that are 2.1 
compliant and some that aren't?

ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt 
mailto:phil.h...@independentid.com>>:
Mike,

The point of 2.1 is to raise the security bar..

Yes it adds new MUST requirements.

But what about OIDC would break other than required implementation of PKCE to 
support 2.1?

Eg Would additional signaling be required to facilitate interoperability and 
migration between versions? Would that be an oauth issue or an OIDC one?

Phil

On May 6, 2020, at 11:56 AM, Aaron Parecki 
mailto:aa...@parecki.com>> wrote:

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.

On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support for PKCE 
if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as 
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is 
sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client 
developers and AS can ensure the check is conducted

What are

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Mike Jones

I realize what it says about servers.  My point is that OAuth 2.1’s 
requirements on clients should match those in the security BCP and not try to 
go beyond them.

   -- Mike

From: Aaron Parecki 
Sent: Wednesday, May 6, 2020 12:24 PM
To: Mike Jones 
Cc: Dick Hardt ; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Yes, the BCP says *clients* may use either PKCE or nonce to prevent 
authorization code injection. Shortly after that quoted segment is the below:

> Authorization servers MUST support PKCE [RFC7636].

On Wed, May 6, 2020 at 12:22 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
Aaron, the section you cited at 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
makes it clear that clients can support EITHER PKCE or the OpenID Connect 
nonce.   The text is:

   Clients MUST prevent injection (replay) of authorization codes into
   the authorization response by attackers.  The use of PKCE 
[RFC7636]
   is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
   ID Token Claim 
[OpenID]
 MAY be used as well.  The PKCE challenge or
   OpenID Connect "nonce" MUST be transaction-specific and securely
   bound to the client and the user agent in which the transaction was
   started.

We should not attempt to change that in OAuth 2.1, as doing so would needlessly 
break already working and secure clients.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 11:56 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Dick Hardt mailto:dick.ha...@gmail.com>>; 
oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.

On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support for PKCE 
if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as 
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is 
sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client 
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect 
deployments? How significant is that impact?

Dick, Aaron, and Torsten

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Aaron Parecki

I should add that even some OpenID Connect profiles require PKCE, such as
FAPI:

https://openid.net/specs/openid-financial-api-part-1.html#authorization-server

So the precedent for requiring PKCE already exists within some OpenID
Connect profiles.

On Wed, May 6, 2020 at 12:23 PM Aaron Parecki  wrote:

> Yes, and also, many of those providers very likely already support PKCE
> already. Skimming through that list of certified OPs, I recognize many
> names there from providers that I know support PKCE.
>
> On Wed, May 6, 2020 at 12:18 PM Steinar Noem  wrote:
>
>> So, wouldn't a MUST just mean that we would have some OPs that are 2.1
>> compliant and some that aren't?
>>
>> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt <
>> phil.h...@independentid.com>:
>>
>>> Mike,
>>>
>>> The point of 2.1 is to raise the security bar.
>>>
>>> Yes it adds new MUST requirements.
>>>
>>> But what about OIDC would break other than required implementation of
>>> PKCE to support 2.1?
>>>
>>> Eg Would additional signaling be required to facilitate interoperability
>>> and migration between versions? Would that be an oauth issue or an OIDC one?
>>>
>>> Phil
>>>
>>> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
>>>
>>> 
>>> > In particular, authorization servers shouldn’t be required to support
>>> PKCE when they already support the OpenID Connect nonce.
>>>
>>> The Security BCP already requires that ASs support PKCE:
>>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>>  Are
>>> you suggesting that the Security BCP change that requirement as well? If
>>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>>> implicit statement that it's okay for OpenID Connect implementations to not
>>> be best-practice OAuth implementations. And if that's the case, then I also
>>> think it's acceptable that they are not complete OAuth 2.1 implementations
>>> either.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, May 6, 2020 at 11:21 AM Mike Jones >> 40microsoft@dmarc.ietf.org> wrote:
>>>
 The disadvantage of requiring PKCE for OpenID Connect implementations
 is that you’re trying to add a normative requirement that’s not required of
 OpenID Connect deployments today, which would bifurcate the ecosystem.
 There are hundreds of implementations (including the 141 certified ones at
 https://openid.net/certification/), none of which have ever been
 required to support PKCE.  Therefore, most don’t.

 Per feedback already provided, I believe that OAuth 2.1 should align
 with the guidance already in the draft Security BCP, requiring EITHER the
 use of PKCE or the OpenID Connect nonce.  Trying to retroactively impose
 unnecessary requirements on existing deployments is unlikely to succeed and
 will significantly reduce the relevance of the OAuth 2.1 effort.

 In particular, authorization servers shouldn’t be required to support
 PKCE when they already support the OpenID Connect nonce.  And clients
 shouldn’t reject responses from servers that don’t support PKCE when they
 do contain the OpenID Connect nonce.  Doing so would unnecessarily break
 things and create confusion in the marketplace.

   -- Mike

 *From:* OAuth  *On Behalf Of * Dick Hardt
 *Sent:* Wednesday, May 6, 2020 10:48 AM
 *To:* oauth@ietf.org
 *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?

 Hello!

 We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is
 best practice for OAuth 2.0. It is not common in OpenID Connect servers as
 the nonce solves some of the issues that PKCE protects against. We think
 that most OpenID Connect implementations also support OAuth 2.0, and
 hence have support for PKCE if following best practices.

 The advantages or requiring PKCE are:

 - a simpler programming model across all OAuth applications and
 profiles as they all use PKCE

 - reduced attack surface when using  S256 as a fingerprint of the
 verifier is sent through the browser instead of the clear text value

 - enforcement by AS not client - makes it easier to handle for client
 developers and AS can ensure the check is conducted

 What are disadvantages besides the potential impact to OpenID Connect
 deployments? How significant is that impact?

 Dick, Aaron, and Torsten

 ᐧ
 ___
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth

>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> ___
>>> OAuth mailing list
>>>

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

2020-05-06 Thread Aaron Parecki

Yes, the BCP says *clients* may use either PKCE or nonce to prevent
authorization code injection. Shortly after that quoted segment is the
below:

> Authorization servers MUST support PKCE [RFC7636].

On Wed, May 6, 2020 at 12:22 PM Mike Jones 
wrote:

> Aaron, the section you cited at
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1.1
> makes it clear that clients can support EITHER PKCE or the OpenID Connect
> nonce.   The text is:
>
>
>
>Clients MUST prevent injection (replay) of authorization codes into
>
>the authorization response by attackers.  The use of PKCE [RFC7636
> ]
>
>is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>
>ID Token Claim [OpenID
> ]
> MAY be used as well.  The PKCE challenge or
>
>OpenID Connect "nonce" MUST be transaction-specific and securely
>
>bound to the client and the user agent in which the transaction was
>
>started.
>
>
>
> We should not attempt to change that in OAuth 2.1, as doing so would
> needlessly break already working and secure clients.
>
>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Wednesday, May 6, 2020 11:56 AM
> *To:* Mike Jones 
> *Cc:* Dick Hardt ; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> > In particular, authorization servers shouldn’t be required to support
> PKCE when they already support the OpenID Connect nonce.
>
>
>
> The Security BCP already requires that ASs support PKCE:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1.1
>  Are
> you suggesting that the Security BCP change that requirement as well? If
> so, that's a discussion that needs to be had ASAP. If not, then that's an
> implicit statement that it's okay for OpenID Connect implementations to not
> be best-practice OAuth implementations. And if that's the case, then I also
> think it's acceptable that they are not complete OAuth 2.1 implementations
> either.
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Wed, May 6, 2020 at 11:21 AM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
> The disadvantage of requiring PKCE for OpenID Connect implementations is
> that you’re trying to add a normative requirement that’s not required of
> OpenID Connect deployments today, which would bifurcate the ecosystem.
> There are hundreds of implementations (including the 141 certified ones at
> https://openid.net/certification/), none of which have ever been required
> to support PKCE.  Therefore, most don’t.
>
>
>
> Per feedback already provided, I believe that OAuth 2.1 should align with
> the guidance already in the draft Security BCP, requiring EITHER the use of
> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
> unnecessary requirements on existing deployments is unlikely to succeed and
> will significantly reduce the relevance of the OAuth 2.1 effort.
>
>
>
> In particular, authorization servers shouldn’t be required to support PKCE
> when they already support the OpenID Connect nonce.  And clients shouldn’t
> reject responses from servers that don’t support PKCE when they do contain
> the OpenID Connect nonce.  Doing so would unnecessarily break things and
> create confusion in the marketplace.
>
>
>
>   -- Mike
>
>
>
> *From:* OAuth  *On Behalf Of *Dick Hardt
> *Sent:* Wednesday, May 6, 2020 10:48 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hello!
>
>
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the
> nonce solves some of the issues that PKCE protects against. We think that
> most OpenID Connect implementations also support OAuth 2.0, and hence have
> support for PKCE if following best practices.
>
>
>
> The advantages or requiring PKCE are:
>
>
>
> - a simpler programming model across all OAuth applications and profiles
> as they all use PKCE
>
>
>
> - reduced attack surface when using  S256 as a fingerprint of the verifier
> is sent through the browser instead of the clear text value
>
>
>
> - enforcement by AS not client - makes it easier to handle for client
> developers and AS can ensure the check is conducted
>
>
>
> What are disadvantages besides the potential impact to OpenID Connect
> deployments? How significant is that impact?
>
>
>
> Dick, Aaron, and Torsten
>
>
>
> ᐧ
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Aaron Parecki

Yes, and also, many of those providers very likely already support PKCE
already. Skimming through that list of certified OPs, I recognize many
names there from providers that I know support PKCE.

On Wed, May 6, 2020 at 12:18 PM Steinar Noem  wrote:

> So, wouldn't a MUST just mean that we would have some OPs that are 2.1
> compliant and some that aren't?
>
> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt  >:
>
>> Mike,
>>
>> The point of 2.1 is to raise the security bar.
>>
>> Yes it adds new MUST requirements.
>>
>> But what about OIDC would break other than required implementation of
>> PKCE to support 2.1?
>>
>> Eg Would additional signaling be required to facilitate interoperability
>> and migration between versions? Would that be an oauth issue or an OIDC one?
>>
>> Phil
>>
>> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
>>
>> 
>> > In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.
>>
>> The Security BCP already requires that ASs support PKCE:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>  Are
>> you suggesting that the Security BCP change that requirement as well? If
>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>> implicit statement that it's okay for OpenID Connect implementations to not
>> be best-practice OAuth implementations. And if that's the case, then I also
>> think it's acceptable that they are not complete OAuth 2.1 implementations
>> either.
>>
>>
>>
>>
>>
>>
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones > 40microsoft@dmarc.ietf.org> wrote:
>>
>>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>>> that you’re trying to add a normative requirement that’s not required of
>>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>>> There are hundreds of implementations (including the 141 certified ones at
>>> https://openid.net/certification/), none of which have ever been
>>> required to support PKCE.  Therefore, most don’t.
>>>
>>>
>>>
>>> Per feedback already provided, I believe that OAuth 2.1 should align
>>> with the guidance already in the draft Security BCP, requiring EITHER the
>>> use of PKCE or the OpenID Connect nonce.  Trying to retroactively impose
>>> unnecessary requirements on existing deployments is unlikely to succeed and
>>> will significantly reduce the relevance of the OAuth 2.1 effort.
>>>
>>>
>>>
>>> In particular, authorization servers shouldn’t be required to support
>>> PKCE when they already support the OpenID Connect nonce.  And clients
>>> shouldn’t reject responses from servers that don’t support PKCE when they
>>> do contain the OpenID Connect nonce.  Doing so would unnecessarily break
>>> things and create confusion in the marketplace.
>>>
>>>
>>>
>>>   -- Mike
>>>
>>>
>>>
>>> *From:* OAuth  *On Behalf Of * Dick Hardt
>>> *Sent:* Wednesday, May 6, 2020 10:48 AM
>>> *To:* oauth@ietf.org
>>> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>>>
>>>
>>>
>>> Hello!
>>>
>>>
>>>
>>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is
>>> best practice for OAuth 2.0. It is not common in OpenID Connect servers as
>>> the nonce solves some of the issues that PKCE protects against. We think
>>> that most OpenID Connect implementations also support OAuth 2.0, and
>>> hence have support for PKCE if following best practices.
>>>
>>>
>>>
>>> The advantages or requiring PKCE are:
>>>
>>>
>>>
>>> - a simpler programming model across all OAuth applications and profiles
>>> as they all use PKCE
>>>
>>>
>>>
>>> - reduced attack surface when using  S256 as a fingerprint of the
>>> verifier is sent through the browser instead of the clear text value
>>>
>>>
>>>
>>> - enforcement by AS not client - makes it easier to handle for client
>>> developers and AS can ensure the check is conducted
>>>
>>>
>>>
>>> What are disadvantages besides the potential impact to OpenID Connect
>>> deployments? How significant is that impact?
>>>
>>>
>>>
>>> Dick, Aaron, and Torsten
>>>
>>>
>>>
>>> ᐧ
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> --
> Vennlig hilsen
>
> Steinar Noem
> Partner Udelt AS
> Systemutvikler
>
> | stei...@udelt.no | h...@udelt.no  | +47 955 21 620 | www.udelt.no |
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

2020-05-06 Thread Mike Jones

Aaron, the section you cited at 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
makes it clear that clients can support EITHER PKCE or the OpenID Connect 
nonce.   The text is:

   Clients MUST prevent injection (replay) of authorization codes into
   the authorization response by attackers.  The use of PKCE 
[RFC7636]
   is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
   ID Token Claim 
[OpenID]
 MAY be used as well.  The PKCE challenge or
   OpenID Connect "nonce" MUST be transaction-specific and securely
   bound to the client and the user agent in which the transaction was
   started.

We should not attempt to change that in OAuth 2.1, as doing so would needlessly 
break already working and secure clients.

   -- Mike

From: Aaron Parecki 
Sent: Wednesday, May 6, 2020 11:56 AM
To: Mike Jones 
Cc: Dick Hardt ; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.

On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support for PKCE 
if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as 
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is 
sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client 
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect 
deployments? How significant is that impact?

Dick, Aaron, and Torsten

[https://mailfoogae..appspot.com/t?sender=aZGljay5oYXJkdEBnbWFpbC5jb20%3D=zerocontent=452438ba-d429-4656-ace9-b284744bc171]ᐧ
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Phillip Hunt

Yes. Some would be 2.0 and some2.1. Not unlike TLS versioning.  

 Maybe i should not have said that. ;-)

Phil

> On May 6, 2020, at 12:18 PM, Steinar Noem  wrote:
> 
> 
> So, wouldn't a MUST just mean that we would have some OPs that are 2.1 
> compliant and some that aren't?
> 
>> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt :
>> Mike,
>> 
>> The point of 2.1 is to raise the security bar. 
>> 
>> Yes it adds new MUST requirements. 
>> 
>> But what about OIDC would break other than required implementation of PKCE 
>> to support 2.1?
>> 
>> Eg Would additional signaling be required to facilitate interoperability and 
>> migration between versions? Would that be an oauth issue or an OIDC one?
>> 
>> Phil
>> 
 On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:

>>> 
>>> > In particular, authorization servers shouldn’t be required to support 
>>> > PKCE when they already support the OpenID Connect nonce.
>>> 
>>> The Security BCP already requires that ASs support PKCE: 
>>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>>  Are you suggesting that the Security BCP change that requirement as well? 
>>> If so, that's a discussion that needs to be had ASAP. If not, then that's 
>>> an implicit statement that it's okay for OpenID Connect implementations to 
>>> not be best-practice OAuth implementations. And if that's the case, then I 
>>> also think it's acceptable that they are not complete OAuth 2.1 
>>> implementations either.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
 On Wed, May 6, 2020 at 11:21 AM Mike Jones 
  wrote:
 The disadvantage of requiring PKCE for OpenID Connect implementations is 
 that you’re trying to add a normative requirement that’s not required of 
 OpenID Connect deployments today, which would bifurcate the ecosystem.  
 There are hundreds of implementations (including the 141 certified ones at 
 https://openid.net/certification/), none of which have ever been required 
 to support PKCE.  Therefore, most don’t.

 Per feedback already provided, I believe that OAuth 2.1 should align with 
 the guidance already in the draft Security BCP, requiring EITHER the use 
 of PKCE or the OpenID Connect nonce.  Trying to retroactively impose 
 unnecessary requirements on existing deployments is unlikely to succeed 
 and will significantly reduce the relevance of the OAuth 2.1 effort.

 In particular, authorization servers shouldn’t be required to support PKCE 
 when they already support the OpenID Connect nonce.  And clients shouldn’t 
 reject responses from servers that don’t support PKCE when they do contain 
 the OpenID Connect nonce.  Doing so would unnecessarily break things and 
 create confusion in the marketplace.

   -- Mike

 From: OAuth  On Behalf Of Dick Hardt
 Sent: Wednesday, May 6, 2020 10:48 AM
 To: oauth@ietf.org
 Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

 Hello!

 We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
 practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
 nonce solves some of the issues that PKCE protects against. We think that 
 most OpenID Connect implementations also support OAuth 2.0, and hence have 
 support for PKCE if following best practices.

 The advantages or requiring PKCE are:

 - a simpler programming model across all OAuth applications and profiles 
 as they all use PKCE

 - reduced attack surface when using  S256 as a fingerprint of the verifier 
 is sent through the browser instead of the clear text value

 - enforcement by AS not client - makes it easier to handle for client 
 developers and AS can ensure the check is conducted

 What are disadvantages besides the potential impact to OpenID Connect 
 deployments? How significant is that impact?

 Dick, Aaron, and Torsten

 ᐧ

 ___
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> -- 
> Vennlig hilsen
> 
> Steinar Noem
> Partner Udelt AS
> Systemutvikler
>  
> | stei...@udelt.no | h...@udelt.no  | +47 955 21 620 | www.udelt.no | 
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Steinar Noem

So, wouldn't a MUST just mean that we would have some OPs that are 2.1
compliant and some that aren't?

ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt :

> Mike,
>
> The point of 2.1 is to raise the security bar.
>
> Yes it adds new MUST requirements.
>
> But what about OIDC would break other than required implementation of PKCE
> to support 2.1?
>
> Eg Would additional signaling be required to facilitate interoperability
> and migration between versions? Would that be an oauth issue or an OIDC one?
>
> Phil
>
> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
>
> 
> > In particular, authorization servers shouldn’t be required to support
> PKCE when they already support the OpenID Connect nonce.
>
> The Security BCP already requires that ASs support PKCE:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1.1
>  Are
> you suggesting that the Security BCP change that requirement as well? If
> so, that's a discussion that needs to be had ASAP. If not, then that's an
> implicit statement that it's okay for OpenID Connect implementations to not
> be best-practice OAuth implementations. And if that's the case, then I also
> think it's acceptable that they are not complete OAuth 2.1 implementations
> either.
>
>
>
>
>
>
> On Wed, May 6, 2020 at 11:21 AM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>> that you’re trying to add a normative requirement that’s not required of
>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>> There are hundreds of implementations (including the 141 certified ones at
>> https://openid.net/certification/), none of which have ever been
>> required to support PKCE.  Therefore, most don’t.
>>
>>
>>
>> Per feedback already provided, I believe that OAuth 2.1 should align with
>> the guidance already in the draft Security BCP, requiring EITHER the use of
>> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
>> unnecessary requirements on existing deployments is unlikely to succeed and
>> will significantly reduce the relevance of the OAuth 2.1 effort.
>>
>>
>>
>> In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.  And clients
>> shouldn’t reject responses from servers that don’t support PKCE when they
>> do contain the OpenID Connect nonce.  Doing so would unnecessarily break
>> things and create confusion in the marketplace.
>>
>>
>>
>>   -- Mike
>>
>>
>>
>> *From:* OAuth  *On Behalf Of * Dick Hardt
>> *Sent:* Wednesday, May 6, 2020 10:48 AM
>> *To:* oauth@ietf.org
>> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Hello!
>>
>>
>>
>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is
>> best practice for OAuth 2.0. It is not common in OpenID Connect servers as
>> the nonce solves some of the issues that PKCE protects against. We think
>> that most OpenID Connect implementations also support OAuth 2.0, and
>> hence have support for PKCE if following best practices.
>>
>>
>>
>> The advantages or requiring PKCE are:
>>
>>
>>
>> - a simpler programming model across all OAuth applications and profiles
>> as they all use PKCE
>>
>>
>>
>> - reduced attack surface when using  S256 as a fingerprint of the
>> verifier is sent through the browser instead of the clear text value
>>
>>
>>
>> - enforcement by AS not client - makes it easier to handle for client
>> developers and AS can ensure the check is conducted
>>
>>
>>
>> What are disadvantages besides the potential impact to OpenID Connect
>> deployments? How significant is that impact?
>>
>>
>>
>> Dick, Aaron, and Torsten
>>
>>
>>
>> ᐧ
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Vennlig hilsen

Steinar Noem
Partner Udelt AS
Systemutvikler

| stei...@udelt.no | h...@udelt.no  | +47 955 21 620 | www.udelt.no |
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Phillip Hunt

Mike,

The point of 2.1 is to raise the security bar. 

Yes it adds new MUST requirements. 

But what about OIDC would break other than required implementation of PKCE to 
support 2.1?

Eg Would additional signaling be required to facilitate interoperability and 
migration between versions? Would that be an oauth issue or an OIDC one?

Phil

> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
> 
> 
> > In particular, authorization servers shouldn’t be required to support PKCE 
> > when they already support the OpenID Connect nonce.
> 
> The Security BCP already requires that ASs support PKCE: 
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
> Are you suggesting that the Security BCP change that requirement as well? If 
> so, that's a discussion that needs to be had ASAP. If not, then that's an 
> implicit statement that it's okay for OpenID Connect implementations to not 
> be best-practice OAuth implementations. And if that's the case, then I also 
> think it's acceptable that they are not complete OAuth 2.1 implementations 
> either.
> 
> 
> 
> 
> 
> 
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones 
>>  wrote:
>> The disadvantage of requiring PKCE for OpenID Connect implementations is 
>> that you’re trying to add a normative requirement that’s not required of 
>> OpenID Connect deployments today, which would bifurcate the ecosystem.  
>> There are hundreds of implementations (including the 141 certified ones at 
>> https://openid.net/certification/), none of which have ever been required to 
>> support PKCE.  Therefore, most don’t.
>> 
>>  
>> 
>> Per feedback already provided, I believe that OAuth 2.1 should align with 
>> the guidance already in the draft Security BCP, requiring EITHER the use of 
>> PKCE or the OpenID Connect nonce.  Trying to retroactively impose 
>> unnecessary requirements on existing deployments is unlikely to succeed and 
>> will significantly reduce the relevance of the OAuth 2.1 effort.
>> 
>>  
>> 
>> In particular, authorization servers shouldn’t be required to support PKCE 
>> when they already support the OpenID Connect nonce.  And clients shouldn’t 
>> reject responses from servers that don’t support PKCE when they do contain 
>> the OpenID Connect nonce.  Doing so would unnecessarily break things and 
>> create confusion in the marketplace.
>> 
>>  
>> 
>>   -- Mike
>> 
>>  
>> 
>> From: OAuth  On Behalf Of Dick Hardt
>> Sent: Wednesday, May 6, 2020 10:48 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
>> 
>>  
>> 
>> Hello!
>> 
>>  
>> 
>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
>> practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
>> nonce solves some of the issues that PKCE protects against. We think that 
>> most OpenID Connect implementations also support OAuth 2.0, and hence have 
>> support for PKCE if following best practices.
>> 
>>  
>> 
>> The advantages or requiring PKCE are:
>> 
>>  
>> 
>> - a simpler programming model across all OAuth applications and profiles as 
>> they all use PKCE
>> 
>>  
>> 
>> - reduced attack surface when using  S256 as a fingerprint of the verifier 
>> is sent through the browser instead of the clear text value
>> 
>>  
>> 
>> - enforcement by AS not client - makes it easier to handle for client 
>> developers and AS can ensure the check is conducted
>> 
>>  
>> 
>> What are disadvantages besides the potential impact to OpenID Connect 
>> deployments? How significant is that impact?
>> 
>>  
>> 
>> Dick, Aaron, and Torsten
>> 
>>  
>> 
>> ᐧ
>> 
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Aaron Parecki

> In particular, authorization servers shouldn’t be required to support
PKCE when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1..1
Are
you suggesting that the Security BCP change that requirement as well? If
so, that's a discussion that needs to be had ASAP. If not, then that's an
implicit statement that it's okay for OpenID Connect implementations to not
be best-practice OAuth implementations. And if that's the case, then I also
think it's acceptable that they are not complete OAuth 2.1 implementations
either.






On Wed, May 6, 2020 at 11:21 AM Mike Jones  wrote:

> The disadvantage of requiring PKCE for OpenID Connect implementations is
> that you’re trying to add a normative requirement that’s not required of
> OpenID Connect deployments today, which would bifurcate the ecosystem.
> There are hundreds of implementations (including the 141 certified ones at
> https://openid.net/certification/), none of which have ever been required
> to support PKCE.  Therefore, most don’t.
>
>
>
> Per feedback already provided, I believe that OAuth 2.1 should align with
> the guidance already in the draft Security BCP, requiring EITHER the use of
> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
> unnecessary requirements on existing deployments is unlikely to succeed and
> will significantly reduce the relevance of the OAuth 2.1 effort.
>
>
>
> In particular, authorization servers shouldn’t be required to support PKCE
> when they already support the OpenID Connect nonce.  And clients shouldn’t
> reject responses from servers that don’t support PKCE when they do contain
> the OpenID Connect nonce.  Doing so would unnecessarily break things and
> create confusion in the marketplace.
>
>
>
>   -- Mike
>
>
>
> *From:* OAuth  *On Behalf Of * Dick Hardt
> *Sent:* Wednesday, May 6, 2020 10:48 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hello!
>
>
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the
> nonce solves some of the issues that PKCE protects against. We think that
> most OpenID Connect implementations also support OAuth 2.0, and hence have
> support for PKCE if following best practices.
>
>
>
> The advantages or requiring PKCE are:
>
>
>
> - a simpler programming model across all OAuth applications and profiles
> as they all use PKCE
>
>
>
> - reduced attack surface when using  S256 as a fingerprint of the verifier
> is sent through the browser instead of the clear text value
>
>
>
> - enforcement by AS not client - makes it easier to handle for client
> developers and AS can ensure the check is conducted
>
>
>
> What are disadvantages besides the potential impact to OpenID Connect
> deployments? How significant is that impact?
>
>
>
> Dick, Aaron, and Torsten
>
>
>
> ᐧ
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Mike Jones

The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth  On Behalf Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support for PKCE 
if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as 
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is 
sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client 
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect 
deployments? How significant is that impact?

Dick, Aaron, and Torsten

[https://mailfoogae..appspot.com/t?sender=aZGljay5oYXJkdEBnbWFpbC5jb20%3D=zerocontent=452438ba-d429-4656-ace9-b284744bc171]ᐧ
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] OAuth 2.1 - require PKCE?

2020-05-06 Thread Dick Hardt

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
practice for OAuth 2.0. It is not common in OpenID Connect servers as the
nonce solves some of the issues that PKCE protects against. We think that
most OpenID Connect implementations also support OAuth 2.0, and hence have
support for PKCE if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier
is sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect
deployments? How significant is that impact?

Dick, Aaron, and Torsten

ᐧ
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Aligning PKCE requirements within the OAuth Security BCP

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[OAUTH-WG] Aligning PKCE requirements within the OAuth Security BCP

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[OAUTH-WG] OAuth 2.1 - require PKCE?

20 matches

Site Navigation

Mail list logo

Footer information