Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Neil Madden]

> On 11 May 2020, at 07:41, Torsten Lodderstedt  wrote:
> 
>> On 11. May 2020, at 07:38, Neil Madden  wrote:
>> 
>> There is no attack that this prevents so your claim of improving security is 
>> unsubstantiated. I can’t see how we can ship a 2.1-compliant-by-default AS 
>> while this requirement remains so I don’t support it. 
> 
> Are you saying PKCE does not prevent any attack?

No, but servers and clients are already free to support PKCE. I’m saying that 
rejecting requests from non-PKCE clients doesn’t prevent any attack. It just 
denies service to legitimate clients. 

— Neil
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Torsten Lodderstedt]

> On 10. May 2020, at 21:02, Mike Jones  wrote:
> 
> > Did I got it right that nonce does not protect public clients from code 
> > theft/replay?
>  
> I believe that the OpenID Connect Code Hash (“c_hash”) claim protects against 
> this.  

c_hash is designed to prevent injection at a legit client and must be enforced 
by the client - just like nonce. 

That might work with a confidential client, but in case of a public client, the 
attacker does not need to inject the code in order to redeem it. The attacker 
can just directly redeem the code for an access token without checking c_hash 
or nonce.

> I’d be interested in hearing John Bradley’s take on this.
>  
>-- Mike
>  
> From: Torsten Lodderstedt  
> Sent: Sunday, May 10, 2020 3:17 AM
> To: Mike Jones 
> Cc: Aaron Parecki ; Dick Hardt ; 
> OAuth WG 
> Subject: Re: OAuth 2.1 - require PKCE?
>  
> Mike Jones  schrieb am Sa. 9. Mai 2020 um 20:46:
> There’s a huge ecosystem of successful, secure OAuth 2.0 and OpenID Connect 
> deployments that we have the responsibility to be stewards of.  This working 
> group should be proud of what it’s accomplished.  Part of good stewardship is 
> not unnecessarily bifurcating the ecosystem into non-interoperable segments.  
> OAuth 2.1 should facilitate the already secure OAuth 2.0 deployments 
> remaining part of the interoperable OAuth 2.1 set of deployments – not 
> intentionally doing the opposite.
>  
> If it ain’t broke, don’t fix it!
> Did I got it right that nonce does not protect public clients from code 
> theft/replay? I would consider this a security issue.
>  
>-- Mike
>  
> From: Aaron Parecki  
> Sent: Friday, May 8, 2020 8:34 PM
> To: OAuth WG 
> Cc: Dick Hardt ; Torsten Lodderstedt 
> ; Mike Jones 
> Subject: Re: OAuth 2.1 - require PKCE?
>  
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
> about “the amount of explanation this will take”.  That’s optimizing for spec 
> simplicity – a goal that I do understand.  However, by writing these few 
> sentences or paragraphs, we’ll make it clear to developers that hundreds or 
> thousands of deployed OpenID Connect RPs won’t have to change their 
> deployments.  That’s optimizing for interoperability and minimizing the 
> burden on developers, which are far more important.
>  
> I appreciate the concern about optimizing for spec simplicity. I also agree 
> that spec simplicity should not necessarily be the driving goal.
>  
> However, what you've described is the opposite of interoperability and 
> minimizing the burden on developers. Requiring PKCE in OAuth 2.1, without any 
> exceptions, will optimize for interoperability between OAuth 2.1 clients and 
> servers. Without the requirement of PKCE, there will always be the question 
> of "but does this OAuth 2.1 client work with this OAuth 2.1 server or not?", 
> which will only be able to be answered by investigating the docs to look for 
> PKCE support, or by checking the AS metadata document if it publishes one 
> (which it is not required to do).
>  
> Optimizing for interoperability and minimizing the burden on developers is 
> absolutely a good goal, and requiring PKCE is a great way to accomplish that. 
> OAuth 2.0 and OpenID Connect implementations that don't support PKCE will 
> continue to work as they currently do, they just won't be able to call 
> themselves OAuth 2.1 compliant, just as is the case as if they don't follow 
> the other recommendations that are in OAuth 2.1 and the Security BCP.
>  
> Aaron 
>  
>  
> On Thu, May 7, 2020 at 6:42 PM Mike Jones  wrote:
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
> about “the amount of explanation this will take”.  That’s optimizing for spec 
> simplicity – a goal that I do understand.  However, by writing these few 
> sentences or paragraphs, we’ll make it clear to developers that hundreds or 
> thousands of deployed OpenID Connect RPs won’t have to change their 
> deployments.  That’s optimizing for interoperability and minimizing the 
> burden on developers, which are far more important.
>  
> As Brian Campbell wrote, “They are not equivalent and have very different 
> ramifications on interoperability”.
>  
> Even if you’re optimizing for writing, taking a minimally invasive protocol 
> change approach will optimize that, overall.  If we proceed as you’re 
> suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
> SlashDot, blogs, and other developer forums, where confused developers will 
> ask “Why do I have to change my deployed code?” with the answers being 
> “Despite what the 2.1 spec says, there’s no need to change your deployed 
> code.”
>  
> I’d gladly write a few sentences in our new specs now to prevent ongoing 
> confusion and interop problems that would otherwise result.  Let me know when 
> you’re ready to incorporate them into t

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Torsten Lodderstedt]

> On 11. May 2020, at 07:38, Neil Madden  wrote:
> 
> There is no attack that this prevents so your claim of improving security is 
> unsubstantiated. I can’t see how we can ship a 2.1-compliant-by-default AS 
> while this requirement remains so I don’t support it. 

Are you saying PKCE does not prevent any attack?

> 
> Neil
> 
>> On 11 May 2020, at 01:35, Dick Hardt  wrote:
>> 
>> 
>> It is a MUST to enforce consistency across all clients, and therefore to 
>> improve security for all clients. 
>> 
>> An AS can decide to be OAuth 2.1 for all new clients, and encourage existing 
>> clients to migrate to OAuth 2.1 (add support for PKCE).
>> 
>> If the client wants OAuth 2.1, the AS will enforce it.
>> 
>> I don't follow your logic below wrt. what an attacker will do.
>> 
>> 
>> On Sun, May 10, 2020 at 1:46 PM Neil Madden  
>> wrote:
>> Let’s go back to basics. Why is this clause a MUST in the 2.1 spec? What 
>> does that accomplish?
>> 
>> It doesn’t provide any security benefit - an attacker can just as easily 
>> send a code_challenge as a legitimate client, there’s no secret involved. So 
>> enforcing PKCE in this way doesn’t prevent any direct attacks. Presumably 
>> then making it a hard fail is designed to drive adoption of PKCE - turning 
>> the thumbscrews on clients that otherwise wouldn’t bother?
>> 
>> But if we are saying that an AS can happily support legacy 2.0 clients 
>> without PKCE then the pressure of the MUST clause evaporates and they are 
>> free to ignore it again. What’s the incentive for an AS deployment to ever 
>> enforce 2.1 compliance if all it adds is a potential incompatibility with no 
>> security gain? (Given that servers and clients can already support PKCE if 
>> they wish).
>> 
>> All I can see this doing is delaying adoption of 2.1 by ASes.
>> 
>> — Neil
>> 
>> 
>>> On 10 May 2020, at 21:35, Dick Hardt  wrote:
>>> 
>>> Sounds like your clients that have set PKCE to be mandatory will then be 
>>> OAuth 2.1 compliant with no extra work. 
>>> 
>>> A deployment can decide when they want to be compliant. That is not the 
>>> specifications decision. I'm unclear on what point you are wanting to make 
>>> below. 
>>> 
>>> 
>>> On Sun, May 10, 2020 at 1:28 PM Neil Madden  
>>> wrote:
>>> This is the same as having 2.1 compliance turned off by default. We already 
>>> have a per-client setting to make PKCE mandatory.
>>> 
>>> If you can turn it off, what’s the point of making it a MUST in the spec? 
>>> What does an optional MUST even mean for an AS to claim 2.1 compliance?
>>> 
 On 10 May 2020, at 21:19, Dick Hardt  wrote:
 
 Is there a reason why a server can not support both OAuth 2.0 and OAuth 
 2.1? The version supported could be dependent on the client id, ie older 
 clients could still be OAuth 2.0, and newer clients would be OAuth 2.1, 
 and PKCE would be enforced.
 ᐧ
 
 On Sun, May 10, 2020 at 1:05 PM Neil Madden  
 wrote:
 But if an AS upgrades to OAuth 2.1 then it MUST reject authorization 
 requests that don’t include a code_challenge (section 4.1.2.1), so this 
 will only be possible when all clients support PKCE.
 
 This makes it impossible for a 2.1-compliant AS to also support non-PKCE 
 2.0 clients (i.e., the vast majority of them).
 
 I think we can have a 2.1 spec that says clients and servers MUST support 
 PKCE without this hard-fail clause.. Otherwise I can’t see how we’d ever 
 ship with 2.1-compliance enabled out-of-the-box.
 
 — Neil
 
> On 10 May 2020, at 20:38, Dick Hardt  wrote:
> 
> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as 
> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 
> 2.0 was voluntary. 
> 
> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
> 
> 
> On Sun, May 10, 2020 at 12:02 PM Mike Jones 
>  wrote:
> I agree with actively maintaining and improving the OAuth 2.0 specs by 
> adding enhancements that are voluntary to use.  I’ve worked on many such 
> improvements, including Dynamic Client Registration, Authorization 
> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR, 
> etc.  The issue that’s the subject is the current discussion is whether 
> to make use of another enhancement, PKCE, mandatory in cases where it’s 
> actually not needed, rather than making its use voluntary like the other 
> enhancements, which I certainly support.
> 
>  
> 
>-- Mike
> 
>  
> 
> From: Torsten Lodderstedt  
> Sent: Sunday, May 10, 2020 3:15 AM
> To: Mike Jones 
> Cc: Daniel Fett ; oauth@ietf.org
> Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
> 
>  
> 
> Hi Mike,
> 
>  
> 
> Mike Jones  schrieb am Fr. 
> 8. Mai 2020 um 18:55:
>

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Neil Madden]

There is no attack that this prevents so your claim of improving security is 
unsubstantiated. I can’t see how we can ship a 2.1-compliant-by-default AS 
while this requirement remains so I don’t support it. 

Neil

> On 11 May 2020, at 01:35, Dick Hardt  wrote:
> 
> 
> It is a MUST to enforce consistency across all clients, and therefore to 
> improve security for all clients. 
> 
> An AS can decide to be OAuth 2.1 for all new clients, and encourage existing 
> clients to migrate to OAuth 2.1 (add support for PKCE).
> 
> If the client wants OAuth 2.1, the AS will enforce it.
> 
> I don't follow your logic below wrt. what an attacker will do.
> 
> 
>> On Sun, May 10, 2020 at 1:46 PM Neil Madden  
>> wrote:
>> Let’s go back to basics. Why is this clause a MUST in the 2.1 spec? What 
>> does that accomplish?
>> 
>> It doesn’t provide any security benefit - an attacker can just as easily 
>> send a code_challenge as a legitimate client, there’s no secret involved. So 
>> enforcing PKCE in this way doesn’t prevent any direct attacks. Presumably 
>> then making it a hard fail is designed to drive adoption of PKCE - turning 
>> the thumbscrews on clients that otherwise wouldn’t bother?
>> 
>> But if we are saying that an AS can happily support legacy 2.0 clients 
>> without PKCE then the pressure of the MUST clause evaporates and they are 
>> free to ignore it again. What’s the incentive for an AS deployment to ever 
>> enforce 2.1 compliance if all it adds is a potential incompatibility with no 
>> security gain? (Given that servers and clients can already support PKCE if 
>> they wish).
>> 
>> All I can see this doing is delaying adoption of 2.1 by ASes.
>> 
>> — Neil
>> 
>> 
>>> On 10 May 2020, at 21:35, Dick Hardt  wrote:
>>> 
>>> Sounds like your clients that have set PKCE to be mandatory will then be 
>>> OAuth 2.1 compliant with no extra work. 
>>> 
>>> A deployment can decide when they want to be compliant. That is not the 
>>> specifications decision. I'm unclear on what point you are wanting to make 
>>> below. 
>>> 
>>> 
 On Sun, May 10, 2020 at 1:28 PM Neil Madden  
 wrote:
 This is the same as having 2.1 compliance turned off by default. We 
 already have a per-client setting to make PKCE mandatory.
 
 If you can turn it off, what’s the point of making it a MUST in the spec? 
 What does an optional MUST even mean for an AS to claim 2.1 compliance?
 
> On 10 May 2020, at 21:19, Dick Hardt  wrote:
> 
> Is there a reason why a server can not support both OAuth 2.0 and OAuth 
> 2.1? The version supported could be dependent on the client id, ie older 
> clients could still be OAuth 2.0, and newer clients would be OAuth 2.1, 
> and PKCE would be enforced.
> ᐧ
> 
>> On Sun, May 10, 2020 at 1:05 PM Neil Madden  
>> wrote:
>> But if an AS upgrades to OAuth 2.1 then it MUST reject authorization 
>> requests that don’t include a code_challenge (section 4.1.2.1), so this 
>> will only be possible when all clients support PKCE.
>> 
>> This makes it impossible for a 2.1-compliant AS to also support non-PKCE 
>> 2.0 clients (i.e., the vast majority of them).
>> 
>> I think we can have a 2.1 spec that says clients and servers MUST 
>> support PKCE without this hard-fail clause. Otherwise I can’t see how 
>> we’d ever ship with 2.1-compliance enabled out-of-the-box.
>> 
>> — Neil
>> 
>>> On 10 May 2020, at 20:38, Dick Hardt  wrote:
>>> 
>>> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just 
>>> as the other extensions. Similarly, OAuth 1.0 deployments upgrading to 
>>> OAuth 2.0 was voluntary. 
>>> 
>>> Would you clarify why you think upgrading to OAuth 2.1 would be 
>>> mandatory?
>>> 
>>> 
 On Sun, May 10, 2020 at 12:02 PM Mike Jones 
  wrote:
 I agree with actively maintaining and improving the OAuth 2.0 specs by 
 adding enhancements that are voluntary to use.  I’ve worked on many 
 such improvements, including Dynamic Client Registration, 
 Authorization Metadata, the Device Flow, Token Exchange, DPoP, and 
 support PAR and RAR, etc..  The issue that’s the subject is the 
 current discussion is whether to make use of another enhancement, 
 PKCE, mandatory in cases where it’s actually not needed, rather than 
 making its use voluntary like the other enhancements, which I 
 certainly support.
 
  
 
-- Mike
 
  
 
 From: Torsten Lodderstedt  
 Sent: Sunday, May 10, 2020 3:15 AM
 To: Mike Jones 
 Cc: Daniel Fett ; oauth@ietf.org
 Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
 
  
 
 Hi Mike,
 
  
 
 Mike Jones  schrieb

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Benjamin Kaduk]

My apologies for a tangent on an already-long thread...

On Fri, May 08, 2020 at 08:50:16AM +0200, Daniel Fett wrote:
> 
> Yes, this will make a number of implementations non-spec-compliant, but
> I do not think that this is a huge problem. Software needs to adapt all
> the time and a software that has not been changed in a while is probably
> not one you would want to use anyway. We are setting a new goal for
> implementations to meet and eventually, maintained implementations will
> get there.

It's probably worth an occasional reminder that though this is true for the
web-facing software most of us work on, it's not actually universally true
for *all* software.  Things that are rated as safety-critical software, or
the SCADA systems running billion-dollar industrial processes that only
take downtime for hardware upgrades, are written in a rather different
ecosystem.  :)

-Ben

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Dick Hardt]

It is a MUST to enforce consistency across all clients, and therefore to
improve security for all clients.

An AS can decide to be OAuth 2.1 for all new clients, and encourage
existing clients to migrate to OAuth 2.1 (add support for PKCE).

If the client wants OAuth 2.1, the AS will enforce it.

I don't follow your logic below wrt. what an attacker will do.


On Sun, May 10, 2020 at 1:46 PM Neil Madden 
wrote:

> Let’s go back to basics. Why is this clause a MUST in the 2.1 spec? What
> does that accomplish?
>
> It doesn’t provide any security benefit - an attacker can just as easily
> send a code_challenge as a legitimate client, there’s no secret involved.
> So enforcing PKCE in this way doesn’t prevent any direct attacks.
> Presumably then making it a hard fail is designed to drive adoption of PKCE
> - turning the thumbscrews on clients that otherwise wouldn’t bother?
>
> But if we are saying that an AS can happily support legacy 2.0 clients
> without PKCE then the pressure of the MUST clause evaporates and they are
> free to ignore it again. What’s the incentive for an AS deployment to ever
> enforce 2.1 compliance if all it adds is a potential incompatibility with
> no security gain? (Given that servers and clients can already support PKCE
> if they wish).
>
> All I can see this doing is delaying adoption of 2.1 by ASes.
>
> — Neil
>
>
> On 10 May 2020, at 21:35, Dick Hardt  wrote:
>
> Sounds like your clients that have set PKCE to be mandatory will then be
> OAuth 2.1 compliant with no extra work.
>
> A deployment can decide when they want to be compliant. That is not the
> specifications decision. I'm unclear on what point you are wanting to make
> below.
>
>
> On Sun, May 10, 2020 at 1:28 PM Neil Madden 
> wrote:
>
>> This is the same as having 2.1 compliance turned off by default. We
>> already have a per-client setting to make PKCE mandatory.
>>
>> If you can turn it off, what’s the point of making it a MUST in the spec?
>> What does an optional MUST even mean for an AS to claim 2.1 compliance?
>>
>> On 10 May 2020, at 21:19, Dick Hardt  wrote:
>>
>> Is there a reason why a server can not support both OAuth 2.0 and OAuth
>> 2.1? The version supported could be dependent on the client id, ie older
>> clients could still be OAuth 2.0, and newer clients would be OAuth 2.1, and
>> PKCE would be enforced.
>> ᐧ
>>
>> On Sun, May 10, 2020 at 1:05 PM Neil Madden 
>> wrote:
>>
>>> But if an AS upgrades to OAuth 2.1 then it MUST reject authorization
>>> requests that don’t include a code_challenge (section 4.1.2.1), so this
>>> will only be possible when all clients support PKCE.
>>>
>>> This makes it impossible for a 2.1-compliant AS to also support non-PKCE
>>> 2.0 clients (i.e., the vast majority of them).
>>>
>>> I think we can have a 2.1 spec that says clients and servers MUST
>>> support PKCE without this hard-fail clause. Otherwise I can’t see how we’d
>>> ever ship with 2.1-compliance enabled out-of-the-box.
>>>
>>> — Neil
>>>
>>> On 10 May 2020, at 20:38, Dick Hardt  wrote:
>>>
>>> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just
>>> as the other extensions. Similarly, OAuth 1.0 deployments upgrading to
>>> OAuth 2.0 was voluntary.
>>>
>>> Would you clarify why you think upgrading to OAuth 2.1 would be
>>> mandatory?
>>>
>>>
>>> On Sun, May 10, 2020 at 12:02 PM Mike Jones >> 40microsoft@dmarc.ietf.org> wrote:
>>>
 I agree with actively maintaining and improving the OAuth 2.0 specs by
 adding enhancements that are voluntary to use.  I’ve worked on many such
 improvements, including Dynamic Client Registration, Authorization
 Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
 etc.  The issue that’s the subject is the current discussion is whether to
 make use of another enhancement, PKCE, mandatory in cases where it’s
 actually not needed, rather than making its use voluntary like the other
 enhancements, which I certainly support.



-- Mike



 *From:* Torsten Lodderstedt 
 *Sent:* Sunday, May 10, 2020 3:15 AM
 *To:* Mike Jones 
 *Cc:* Daniel Fett ; oauth@ietf.org
 *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?



 Hi Mike,



 Mike Jones  schrieb am
 Fr. 8. Mai 2020 um 18:55:

 OAuth 2.1 was supposed to not introduce breaking changes.

 I cannot remember the WG met that decision. Can you please refer to the
 respective thread?



 Requiring exact redirect URI matching is already a breaking change. Do
 you oppose against this as well?





 If you want to do that, please do it in TxAuth instead.



 Interesting statement. Does it mean you want to conserve OAuth 2.0 and
 force any enhancements/improvements to go into TXAuth? This would cause
 huge migration efforts for existing 

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Neil Madden]

Let’s go back to basics. Why is this clause a MUST in the 2.1 spec? What does 
that accomplish?

It doesn’t provide any security benefit - an attacker can just as easily send a 
code_challenge as a legitimate client, there’s no secret involved. So enforcing 
PKCE in this way doesn’t prevent any direct attacks. Presumably then making it 
a hard fail is designed to drive adoption of PKCE - turning the thumbscrews on 
clients that otherwise wouldn’t bother?

But if we are saying that an AS can happily support legacy 2.0 clients without 
PKCE then the pressure of the MUST clause evaporates and they are free to 
ignore it again. What’s the incentive for an AS deployment to ever enforce 2.1 
compliance if all it adds is a potential incompatibility with no security gain? 
(Given that servers and clients can already support PKCE if they wish).

All I can see this doing is delaying adoption of 2.1 by ASes.

— Neil


> On 10 May 2020, at 21:35, Dick Hardt  wrote:
> 
> Sounds like your clients that have set PKCE to be mandatory will then be 
> OAuth 2.1 compliant with no extra work. 
> 
> A deployment can decide when they want to be compliant. That is not the 
> specifications decision. I'm unclear on what point you are wanting to make 
> below. 
> 
> 
> On Sun, May 10, 2020 at 1:28 PM Neil Madden  > wrote:
> This is the same as having 2.1 compliance turned off by default. We already 
> have a per-client setting to make PKCE mandatory.
> 
> If you can turn it off, what’s the point of making it a MUST in the spec? 
> What does an optional MUST even mean for an AS to claim 2.1 compliance?
> 
>> On 10 May 2020, at 21:19, Dick Hardt > > wrote:
>> 
>> Is there a reason why a server can not support both OAuth 2.0 and OAuth 2.1? 
>> The version supported could be dependent on the client id, ie older clients 
>> could still be OAuth 2.0, and newer clients would be OAuth 2.1, and PKCE 
>> would be enforced.
>> ᐧ
>> 
>> On Sun, May 10, 2020 at 1:05 PM Neil Madden > > wrote:
>> But if an AS upgrades to OAuth 2.1 then it MUST reject authorization 
>> requests that don’t include a code_challenge (section 4.1.2.1), so this will 
>> only be possible when all clients support PKCE.
>> 
>> This makes it impossible for a 2.1-compliant AS to also support non-PKCE 2.0 
>> clients (i.e., the vast majority of them).
>> 
>> I think we can have a 2.1 spec that says clients and servers MUST support 
>> PKCE without this hard-fail clause. Otherwise I can’t see how we’d ever ship 
>> with 2.1-compliance enabled out-of-the-box.
>> 
>> — Neil
>> 
>>> On 10 May 2020, at 20:38, Dick Hardt >> > wrote:
>>> 
>>> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as 
>>> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 
>>> 2.0 was voluntary. 
>>> 
>>> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>>> 
>>> 
>>> On Sun, May 10, 2020 at 12:02 PM Mike Jones 
>>> >> > wrote:
>>> I agree with actively maintaining and improving the OAuth 2.0 specs by 
>>> adding enhancements that are voluntary to use.  I’ve worked on many such 
>>> improvements, including Dynamic Client Registration, Authorization 
>>> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR, 
>>> etc.  The issue that’s the subject is the current discussion is whether to 
>>> make use of another enhancement, PKCE, mandatory in cases where it’s 
>>> actually not needed, rather than making its use voluntary like the other 
>>> enhancements, which I certainly support.
>>> 
>>>  
>>> 
>>>-- Mike
>>> 
>>>  
>>> 
>>> From: Torsten Lodderstedt >> > 
>>> Sent: Sunday, May 10, 2020 3:15 AM
>>> To: Mike Jones >> >
>>> Cc: Daniel Fett mailto:f...@danielfett.de>>; 
>>> oauth@ietf.org 
>>> Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>> 
>>>  
>>> 
>>> Hi Mike,
>>> 
>>>  
>>> 
>>> Mike Jones >> > schrieb am Fr. 8. Mai 2020 um 
>>> 18:55:
>>> 
>>> OAuth 2.1 was supposed to not introduce breaking changes. 
>>> 
>>> I cannot remember the WG met that decision. Can you please refer to the 
>>> respective thread? 
>>> 
>>>  
>>> 
>>> Requiring exact redirect URI matching is already a breaking change. Do you 
>>> oppose against this as well?
>>> 
>>>  
>>> 
>>>  
>>> 
>>> If you want to do that, please do it in TxAuth instead.
>>> 
>>>  
>>> 
>>> Interesting statement. Does it mean you want to conserve OAuth 2.0 and 
>>> force any enhancements/improvements to go into TXAuth? This would cause 
>>> huge migration efforts for existing deployments wanting to benefit from 
>>> those enhancements.
>>> 
>>>  
>>> 
>>> I think existing deployments are better se

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Dick Hardt]

Sounds like your clients that have set PKCE to be mandatory will then be
OAuth 2.1 compliant with no extra work.

A deployment can decide when they want to be compliant. That is not the
specifications decision. I'm unclear on what point you are wanting to make
below.


On Sun, May 10, 2020 at 1:28 PM Neil Madden 
wrote:

> This is the same as having 2.1 compliance turned off by default. We
> already have a per-client setting to make PKCE mandatory.
>
> If you can turn it off, what’s the point of making it a MUST in the spec?
> What does an optional MUST even mean for an AS to claim 2.1 compliance?
>
> On 10 May 2020, at 21:19, Dick Hardt  wrote:
>
> Is there a reason why a server can not support both OAuth 2.0 and OAuth
> 2.1? The version supported could be dependent on the client id, ie older
> clients could still be OAuth 2.0, and newer clients would be OAuth 2.1, and
> PKCE would be enforced.
> ᐧ
>
> On Sun, May 10, 2020 at 1:05 PM Neil Madden 
> wrote:
>
>> But if an AS upgrades to OAuth 2.1 then it MUST reject authorization
>> requests that don’t include a code_challenge (section 4.1.2.1), so this
>> will only be possible when all clients support PKCE.
>>
>> This makes it impossible for a 2.1-compliant AS to also support non-PKCE
>> 2.0 clients (i.e., the vast majority of them).
>>
>> I think we can have a 2.1 spec that says clients and servers MUST support
>> PKCE without this hard-fail clause. Otherwise I can’t see how we’d ever
>> ship with 2.1-compliance enabled out-of-the-box.
>>
>> — Neil
>>
>> On 10 May 2020, at 20:38, Dick Hardt  wrote:
>>
>> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
>> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
>> 2.0 was voluntary.
>>
>> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>>
>>
>> On Sun, May 10, 2020 at 12:02 PM Mike Jones > 40microsoft@dmarc.ietf.org> wrote:
>>
>>> I agree with actively maintaining and improving the OAuth 2.0 specs by
>>> adding enhancements that are voluntary to use.  I’ve worked on many such
>>> improvements, including Dynamic Client Registration, Authorization
>>> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
>>> etc.  The issue that’s the subject is the current discussion is whether to
>>> make use of another enhancement, PKCE, mandatory in cases where it’s
>>> actually not needed, rather than making its use voluntary like the other
>>> enhancements, which I certainly support.
>>>
>>>
>>>
>>>-- Mike
>>>
>>>
>>>
>>> *From:* Torsten Lodderstedt 
>>> *Sent:* Sunday, May 10, 2020 3:15 AM
>>> *To:* Mike Jones 
>>> *Cc:* Daniel Fett ; oauth@ietf.org
>>> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>>
>>>
>>>
>>> Hi Mike,
>>>
>>>
>>>
>>> Mike Jones  schrieb am
>>> Fr. 8. Mai 2020 um 18:55:
>>>
>>> OAuth 2.1 was supposed to not introduce breaking changes.
>>>
>>> I cannot remember the WG met that decision. Can you please refer to the
>>> respective thread?
>>>
>>>
>>>
>>> Requiring exact redirect URI matching is already a breaking change. Do
>>> you oppose against this as well?
>>>
>>>
>>>
>>>
>>>
>>> If you want to do that, please do it in TxAuth instead.
>>>
>>>
>>>
>>> Interesting statement. Does it mean you want to conserve OAuth 2.0 and
>>> force any enhancements/improvements to go into TXAuth? This would cause
>>> huge migration efforts for existing deployments wanting to benefit from
>>> those enhancements.
>>>
>>>
>>>
>>> I think existing deployments are better served by actively maintaining
>>> and evolving the 2.x line. For example, PAR and RAR are attempts to improve
>>> OAuth 2.x and make it usable for new use cases. That’s better protection of
>>> existing investments than sending them of to TXAuth.
>>>
>>> Kind regards,
>>>
>>> Torsten.
>>>
>>>
>>>
>>>
>>>
>>>-- Mike
>>>
>>>
>>>
>>> *From:* OAuth  *On Behalf Of *Daniel Fett
>>> *Sent:* Thursday, May 7, 2020 11:50 PM
>>> *To:* oauth@ietf.org
>>> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>>
>>>
>>>
>>> +1 to all what Aaron said. Thanks for pointing this out!
>>>
>>>
>>>
>>> We need to address this in the security BCP and this will be a normative
>>> change that affects OpenID Connect Core (just as our current recommendation
>>> on the usage of nonce).
>>>
>>>
>>>
>>> We would then have:
>>>
>>>
>>>
>>> - use PKCE, except if you use OIDC with a nonce, then you don't need
>>> PKCE, except if you are a public client, then you still need PKCE.
>>>
>>> - use state, except if you use PKCE, then you don't need state.
>>>
>>>
>>>
>>> I think there are very good reasons to simplify this down to
>>>
>>>
>>>
>>> - use PKCE
>>>
>>> - you may or may not use state
>>>
>>>
>>>
>>> First and foremost, not many people will understand why there are cases
>>> when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
>>> understandi

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Dick Hardt]

We are NOT saying that an OAuth 2.0 compatible server is OAuth 2.1
compatible. For example, an OAuth 2.0 compatible server does not have to
support PKCE, support the implicit grant, support the Resource Owner
Password Credentials grant, support bearer tokens in the query string of
the URI, etc.
https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02#section-12

 We have stated the goal to be OAuth 2.0 with best practices. As noted
earlier, we are now discussing what is best practices.

Per my other email, no one is requiring a deployment to upgrade, and a
deployment may support both legacy OAuth 2.0 clients, and OAuth 2.1 clients
at the same time. We can add some non-normative text to explain that if you
like.

On Sun, May 10, 2020 at 1:24 PM Mike Jones 
wrote:

> The difference is that OAuth 2.1 is supposed to compatible with OAuth 2.0
> (which is my whole goal here), whereas OAuth 2.0 was incompatible with
> OAuth 1.0 by design.
>
>
>
> *From:* Dick Hardt 
> *Sent:* Sunday, May 10, 2020 12:58 PM
> *To:* Mike Jones 
> *Cc:* Torsten Lodderstedt ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Just as upgrading to OAuth 2.0 from OAuth 1.0 was voluntary, why is
> upgrading to OAuth 2.1 not voluntary?
>
>
>
> OAuth 2.0 obsoleted OAuth 1.0, just as OAuth 2.1 is obsoleting OAuth 2.1.
> Our goal is for new deployments, that are reading the drafts, to use the
> best practices.
>
>
>
> If existing deployments don't want the advantages of a new version or
> extension, there is nobody forcing them to upgrade -- hence my confusion on
> your statement that it is "mandatory". Upgrading to OAuth 2.0 from OAuth
> 1.0 was not mandatory, and some deployments still use OAuth 1.0 today.
>
>
>
>
>
>
>
> ᐧ
>
>
>
> On Sun, May 10, 2020 at 12:51 PM Mike Jones 
> wrote:
>
> If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0
> (RFC 6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC
> 5849) obsolete.  That’s what makes me think developers would view updating
> as mandatory.  If you’re willing to remove the “replaces 6749” clause from
> the draft, then there would be no perception problem, as it would be clear
> that adoption of 2.1 would be voluntary, just like the other extension
> specs.
>
>
>
> *From:* Dick Hardt 
> *Sent:* Sunday, May 10, 2020 12:38 PM
> *To:* Mike Jones 
> *Cc:* Torsten Lodderstedt ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
> 2.0 was voluntary.
>
>
>
> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>
>
>
>
>
> On Sun, May 10, 2020 at 12:02 PM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
> I agree with actively maintaining and improving the OAuth 2.0 specs by
> adding enhancements that are voluntary to use.  I’ve worked on many such
> improvements, including Dynamic Client Registration, Authorization
> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
> etc.  The issue that’s the subject is the current discussion is whether to
> make use of another enhancement, PKCE, mandatory in cases where it’s
> actually not needed, rather than making its use voluntary like the other
> enhancements, which I certainly support.
>
>
>
>-- Mike
>
>
>
> *From:* Torsten Lodderstedt 
> *Sent:* Sunday, May 10, 2020 3:15 AM
> *To:* Mike Jones 
> *Cc:* Daniel Fett ; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike,
>
>
>
> Mike Jones  schrieb am Fr..
> 8. Mai 2020 um 18:55:
>
> OAuth 2.1 was supposed to not introduce breaking changes.
>
> I cannot remember the WG met that decision. Can you please refer to the
> respective thread?
>
>
>
> Requiring exact redirect URI matching is already a breaking change. Do you
> oppose against this as well?
>
>
>
>
>
> If you want to do that, please do it in TxAuth instead.
>
>
>
> Interesting statement. Does it mean you want to conserve OAuth 2.0 and
> force any enhancements/improvements to go into TXAuth? This would cause
> huge migration efforts for existing deployments wanting to benefit from
> those enhancements.
>
>
>
> I think existing deployments are better served by actively maintaining and
> evolving the 2.x line. For example, PAR and RAR are attempts to improve
> OAuth 2.x and make it usable for new use cases. That’s better protection of
> existing investments than sending them of to TXAuth.
>
> Kind regards,
>
> Torsten.
>
>
>
>
>
>-- Mike
>
>
>
> *From:* OAuth  *On Behalf Of *Daniel Fett
> *Sent:* Thursday, May 7, 2020 11:50 PM
> *To:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> +1 to all what Aaron said. Thanks for pointing this out!
>
>
>
> We need to address this in the security BCP and thi

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Neil Madden]

This is the same as having 2.1 compliance turned off by default. We already 
have a per-client setting to make PKCE mandatory.

If you can turn it off, what’s the point of making it a MUST in the spec? What 
does an optional MUST even mean for an AS to claim 2.1 compliance?

> On 10 May 2020, at 21:19, Dick Hardt  wrote:
> 
> Is there a reason why a server can not support both OAuth 2.0 and OAuth 2.1? 
> The version supported could be dependent on the client id, ie older clients 
> could still be OAuth 2.0, and newer clients would be OAuth 2.1, and PKCE 
> would be enforced.
> ᐧ
> 
> On Sun, May 10, 2020 at 1:05 PM Neil Madden  > wrote:
> But if an AS upgrades to OAuth 2.1 then it MUST reject authorization requests 
> that don’t include a code_challenge (section 4.1.2.1), so this will only be 
> possible when all clients support PKCE.
> 
> This makes it impossible for a 2.1-compliant AS to also support non-PKCE 2.0 
> clients (i.e., the vast majority of them).
> 
> I think we can have a 2.1 spec that says clients and servers MUST support 
> PKCE without this hard-fail clause. Otherwise I can’t see how we’d ever ship 
> with 2.1-compliance enabled out-of-the-box.
> 
> — Neil
> 
>> On 10 May 2020, at 20:38, Dick Hardt > > wrote:
>> 
>> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as 
>> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 
>> 2.0 was voluntary. 
>> 
>> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>> 
>> 
>> On Sun, May 10, 2020 at 12:02 PM Mike Jones 
>> > > wrote:
>> I agree with actively maintaining and improving the OAuth 2.0 specs by 
>> adding enhancements that are voluntary to use.  I’ve worked on many such 
>> improvements, including Dynamic Client Registration, Authorization Metadata, 
>> the Device Flow, Token Exchange, DPoP, and support PAR and RAR, etc.  The 
>> issue that’s the subject is the current discussion is whether to make use of 
>> another enhancement, PKCE, mandatory in cases where it’s actually not 
>> needed, rather than making its use voluntary like the other enhancements, 
>> which I certainly support.
>> 
>>  
>> 
>>-- Mike
>> 
>>  
>> 
>> From: Torsten Lodderstedt > > 
>> Sent: Sunday, May 10, 2020 3:15 AM
>> To: Mike Jones > >
>> Cc: Daniel Fett mailto:f...@danielfett.de>>; 
>> oauth@ietf.org 
>> Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>> 
>>  
>> 
>> Hi Mike,
>> 
>>  
>> 
>> Mike Jones > > schrieb am Fr. 8. Mai 2020 um 18:55:
>> 
>> OAuth 2.1 was supposed to not introduce breaking changes. 
>> 
>> I cannot remember the WG met that decision. Can you please refer to the 
>> respective thread? 
>> 
>>  
>> 
>> Requiring exact redirect URI matching is already a breaking change. Do you 
>> oppose against this as well?
>> 
>>  
>> 
>>  
>> 
>> If you want to do that, please do it in TxAuth instead.
>> 
>>  
>> 
>> Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
>> any enhancements/improvements to go into TXAuth? This would cause huge 
>> migration efforts for existing deployments wanting to benefit from those 
>> enhancements.
>> 
>>  
>> 
>> I think existing deployments are better served by actively maintaining and 
>> evolving the 2.x line. For example, PAR and RAR are attempts to improve 
>> OAuth 2.x and make it usable for new use cases. That’s better protection of 
>> existing investments than sending them of to TXAuth.
>> 
>> Kind regards,
>> 
>> Torsten.
>> 
>>  
>> 
>>  
>> 
>>-- Mike
>> 
>>  
>> 
>> From: OAuth mailto:oauth-boun...@ietf.org>> On 
>> Behalf Of Daniel Fett
>> Sent: Thursday, May 7, 2020 11:50 PM
>> To: oauth@ietf.org 
>> Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>> 
>>  
>> 
>> +1 to all what Aaron said. Thanks for pointing this out!
>> 
>>  
>> 
>> We need to address this in the security BCP and this will be a normative 
>> change that affects OpenID Connect Core (just as our current recommendation 
>> on the usage of nonce).
>> 
>>  
>> 
>> We would then have:
>> 
>>  
>> 
>> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
>> except if you are a public client, then you still need PKCE.
>> 
>> - use state, except if you use PKCE, then you don't need state.
>> 
>>  
>> 
>> I think there are very good reasons to simplify this down to
>> 
>>  
>> 
>> - use PKCE
>> 
>> - you may or may not use state
>> 
>>  
>> 
>> First and foremost, not many people will understand why there are cases when 
>> the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
>> understanding why you have to do something is key to c

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

The difference is that OAuth 2.1 is supposed to compatible with OAuth 2.0 
(which is my whole goal here), whereas OAuth 2.0 was incompatible with OAuth 
1.0 by design.

From: Dick Hardt 
Sent: Sunday, May 10, 2020 12:58 PM
To: Mike Jones 
Cc: Torsten Lodderstedt ; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Just as upgrading to OAuth 2.0 from OAuth 1.0 was voluntary, why is upgrading 
to OAuth 2.1 not voluntary?

OAuth 2.0 obsoleted OAuth 1.0, just as OAuth 2.1 is obsoleting OAuth 2.1. Our 
goal is for new deployments, that are reading the drafts, to use the best 
practices.

If existing deployments don't want the advantages of a new version or 
extension, there is nobody forcing them to upgrade -- hence my confusion on 
your statement that it is "mandatory". Upgrading to OAuth 2.0 from OAuth 1.0 
was not mandatory, and some deployments still use OAuth 1.0 today.



ᐧ

On Sun, May 10, 2020 at 12:51 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0 (RFC 
6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC 5849) 
obsolete.  That’s what makes me think developers would view updating as 
mandatory.  If you’re willing to remove the “replaces 6749” clause from the 
draft, then there would be no perception problem, as it would be clear that 
adoption of 2.1 would be voluntary, just like the other extension specs.

From: Dick Hardt mailto:dick.ha...@gmail.com>>
Sent: Sunday, May 10, 2020 12:38 PM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Torsten Lodderstedt 
mailto:tors...@lodderstedt.net>>; 
oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as the 
other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 2.0 was 
voluntary.

Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?


On Sun, May 10, 2020 at 12:02 PM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
I agree with actively maintaining and improving the OAuth 2.0 specs by adding 
enhancements that are voluntary to use.  I’ve worked on many such improvements, 
including Dynamic Client Registration, Authorization Metadata, the Device Flow, 
Token Exchange, DPoP, and support PAR and RAR, etc.  The issue that’s the 
subject is the current discussion is whether to make use of another 
enhancement, PKCE, mandatory in cases where it’s actually not needed, rather 
than making its use voluntary like the other enhancements, which I certainly 
support.

   -- Mike

From: Torsten Lodderstedt 
mailto:40lodderstedt@dmarc.ietf.org>>
Sent: Sunday, May 10, 2020 3:15 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Daniel Fett mailto:f...@danielfett.de>>; 
oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike,

Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 schrieb am Fr. 8. Mai 2020 um 18:55:
OAuth 2.1 was supposed to not introduce breaking changes.
I cannot remember the WG met that decision. Can you please refer to the 
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you 
oppose against this as well?


If you want to do that, please do it in TxAuth instead.

Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
any enhancements/improvements to go into TXAuth? This would cause huge 
migration efforts for existing deployments wanting to benefit from those 
enhancements.

I think existing deployments are better served by actively maintaining and 
evolving the 2.x line. For example, PAR and RAR are attempts to improve OAuth 
2.x and make it usable for new use cases. That’s better protection of existing 
investments than sending them of to TXAuth.
Kind regards,
Torsten.


   -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change 
that affects OpenID Connect Core (just as our current recommendation on the 
usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when 
the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
understanding why you have to do something is key to compliance. The short 
version

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

Exactly!

I believe that this also the same point that Brian Campbell was making earlier 
about interoperability implications.

   -- Mike

From: Neil Madden 
Sent: Sunday, May 10, 2020 1:06 PM
To: Dick Hardt 
Cc: Mike Jones ; oauth@ietf.org; Torsten 
Lodderstedt 
Subject: Re: [OAUTH-WG] Re: OAuth 2.1 - require PKCE?

But if an AS upgrades to OAuth 2.1 then it MUST reject authorization requests 
that don’t include a code_challenge (section 4.1.2.1), so this will only be 
possible when all clients support PKCE.

This makes it impossible for a 2.1-compliant AS to also support non-PKCE 2.0 
clients (i.e., the vast majority of them).

I think we can have a 2.1 spec that says clients and servers MUST support PKCE 
without this hard-fail clause. Otherwise I can’t see how we’d ever ship with 
2.1-compliance enabled out-of-the-box.

— Neil

On 10 May 2020, at 20:38, Dick Hardt 
mailto:dick.ha...@gmail.com>> wrote:

Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as the 
other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 2.0 was 
voluntary.

Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?


On Sun, May 10, 2020 at 12:02 PM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
I agree with actively maintaining and improving the OAuth 2.0 specs by adding 
enhancements that are voluntary to use.  I’ve worked on many such improvements, 
including Dynamic Client Registration, Authorization Metadata, the Device Flow, 
Token Exchange, DPoP, and support PAR and RAR, etc.  The issue that’s the 
subject is the current discussion is whether to make use of another 
enhancement, PKCE, mandatory in cases where it’s actually not needed, rather 
than making its use voluntary like the other enhancements, which I certainly 
support.

   -- Mike

From: Torsten Lodderstedt 
mailto:40lodderstedt@dmarc.ietf.org>>
Sent: Sunday, May 10, 2020 3:15 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Daniel Fett mailto:f...@danielfett.de>>; 
oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike,

Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 schrieb am Fr. 8. Mai 2020 um 18:55:
OAuth 2.1 was supposed to not introduce breaking changes.
I cannot remember the WG met that decision. Can you please refer to the 
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you 
oppose against this as well?


If you want to do that, please do it in TxAuth instead.

Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
any enhancements/improvements to go into TXAuth? This would cause huge 
migration efforts for existing deployments wanting to benefit from those 
enhancements.

I think existing deployments are better served by actively maintaining and 
evolving the 2.x line. For example, PAR and RAR are attempts to improve OAuth 
2.x and make it usable for new use cases. That’s better protection of existing 
investments than sending them of to TXAuth.
Kind regards,
Torsten.


   -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change 
that affects OpenID Connect Core (just as our current recommendation on the 
usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when 
the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
understanding why you have to do something is key to compliance. The short 
version "PKCE protects the code; there is a specific case where it is not 
needed, but its better to use it all the time" is easy to understand. We will 
not see many implementations following the long version above correctly.

Second, we dramatically reduce technical complexity by reducing cases that need 
to be handled. We reduce correctness and compliance testing complexity in the 
same way. We reduce the cost of security analysis, which scales really badly to 
more cases.

And finally, using nonce to protect against code injection is less robust than 
PKCE. AS have a better track record than clients when it comes to correctly 
implementing security mechanisms.

Yes, this will make a number of implementations non-spec-compliant, but I do 
not think t

Re: [OAUTH-WG] Aligning PKCE requirements within the OAuth Security BCP

[Jared Jennings]

As a clarifying question, you are saying "Servers must support" and not
"Servers must require clients to use PKCE".

-Jared
Skype:jaredljennings
Signal:+1 816.730.9540
WhatsApp: +1 816.678.4152


On Wed, May 6, 2020 at 4:04 PM Mike Jones  wrote:

> As is being discussed in the thread “[OAUTH-WG] OAuth 2.1 - require
> PKCE?”,
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1..1
> 
> has inconsistent requirements for PKCE support between clients and
> servers.  Per the first paragraph, clients must either use PKCE or use the
> OpenID Connect nonce to prevent authorization code injection.  Whereas the
> fourth paragraph says “*Authorization servers MUST support PKCE [RFC7636]*.”.
> This imposes a requirement on servers that isn’t present for corresponding
> clients.  (I missed this internal discrepancy within the specification when
> I did my review.)
>
>
>
> I therefore request that the fourth paragraph by change to read: “*OAuth
> Servers MUST support PKCE [RFC7636] unless they are only used for OpenID
> Connect Authentication Requests*”, making the requirements on clients and
> servers parallel.  That way PKCE will still be there unless you don’t need
> it.  (And it still could be there if the server implementer chooses to have
> it in all cases, but that should be their call.)
>
>
>
>Thank you,
>
>-- Mike
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Dick Hardt]

Is there a reason why a server can not support both OAuth 2.0 and OAuth
2.1? The version supported could be dependent on the client id, ie older
clients could still be OAuth 2.0, and newer clients would be OAuth 2.1, and
PKCE would be enforced.
ᐧ

On Sun, May 10, 2020 at 1:05 PM Neil Madden 
wrote:

> But if an AS upgrades to OAuth 2.1 then it MUST reject authorization
> requests that don’t include a code_challenge (section 4.1.2.1), so this
> will only be possible when all clients support PKCE.
>
> This makes it impossible for a 2.1-compliant AS to also support non-PKCE
> 2.0 clients (i.e., the vast majority of them).
>
> I think we can have a 2.1 spec that says clients and servers MUST support
> PKCE without this hard-fail clause. Otherwise I can’t see how we’d ever
> ship with 2.1-compliance enabled out-of-the-box.
>
> — Neil
>
> On 10 May 2020, at 20:38, Dick Hardt  wrote:
>
> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
> 2.0 was voluntary.
>
> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>
>
> On Sun, May 10, 2020 at 12:02 PM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
>> I agree with actively maintaining and improving the OAuth 2.0 specs by
>> adding enhancements that are voluntary to use.  I’ve worked on many such
>> improvements, including Dynamic Client Registration, Authorization
>> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
>> etc.  The issue that’s the subject is the current discussion is whether to
>> make use of another enhancement, PKCE, mandatory in cases where it’s
>> actually not needed, rather than making its use voluntary like the other
>> enhancements, which I certainly support.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Torsten Lodderstedt 
>> *Sent:* Sunday, May 10, 2020 3:15 AM
>> *To:* Mike Jones 
>> *Cc:* Daniel Fett ; oauth@ietf.org
>> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Hi Mike,
>>
>>
>>
>> Mike Jones  schrieb am Fr.
>> 8. Mai 2020 um 18:55:
>>
>> OAuth 2.1 was supposed to not introduce breaking changes.
>>
>> I cannot remember the WG met that decision. Can you please refer to the
>> respective thread?
>>
>>
>>
>> Requiring exact redirect URI matching is already a breaking change. Do
>> you oppose against this as well?
>>
>>
>>
>>
>>
>> If you want to do that, please do it in TxAuth instead.
>>
>>
>>
>> Interesting statement. Does it mean you want to conserve OAuth 2.0 and
>> force any enhancements/improvements to go into TXAuth? This would cause
>> huge migration efforts for existing deployments wanting to benefit from
>> those enhancements.
>>
>>
>>
>> I think existing deployments are better served by actively maintaining
>> and evolving the 2.x line. For example, PAR and RAR are attempts to improve
>> OAuth 2.x and make it usable for new use cases. That’s better protection of
>> existing investments than sending them of to TXAuth.
>>
>> Kind regards,
>>
>> Torsten.
>>
>>
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* OAuth  *On Behalf Of *Daniel Fett
>> *Sent:* Thursday, May 7, 2020 11:50 PM
>> *To:* oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> +1 to all what Aaron said. Thanks for pointing this out!
>>
>>
>>
>> We need to address this in the security BCP and this will be a normative
>> change that affects OpenID Connect Core (just as our current recommendation
>> on the usage of nonce).
>>
>>
>>
>> We would then have:
>>
>>
>>
>> - use PKCE, except if you use OIDC with a nonce, then you don't need
>> PKCE, except if you are a public client, then you still need PKCE.
>>
>> - use state, except if you use PKCE, then you don't need state.
>>
>>
>>
>> I think there are very good reasons to simplify this down to
>>
>>
>>
>> - use PKCE
>>
>> - you may or may not use state
>>
>>
>>
>> First and foremost, not many people will understand why there are cases
>> when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
>> understanding *why* you have to do something is key to compliance. The
>> short version "PKCE protects the code; there is a specific case where it is
>> not needed, but its better to use it all the time" is easy to understand..
>> We will not see many implementations following the long version above
>> correctly.
>>
>>
>>
>> Second, we dramatically reduce technical complexity by reducing cases
>> that need to be handled. We reduce correctness and compliance testing
>> complexity in the same way. We reduce the cost of security analysis, which
>> scales really badly to more cases.
>>
>>
>>
>> And finally, using nonce to protect against code injection is less robust
>> than PKCE. AS have a better track record than clients when it comes to
>> correctly implementing security mechanisms.
>>
>>
>>
>> Yes, this will m

Re: [OAUTH-WG] Refreshing tokens on the RS

[Jared Jennings]

Not exactly the same, but seems similar to some of the proposed logic in
https://tools.ietf.org/wg/oauth/draft-ietf-oauth-incremental-authz/

-Jared
Skype:jaredljennings
Signal:+1 816.730.9540
WhatsApp: +1 816.678.4152


On Tue, May 5, 2020 at 10:19 AM Jim Schaad  wrote:

> Over in the ACE working group we are currently having a discussion about
> refreshing tokens on an RS.  I want to make sure that this is not something
> that this working group has already solved.  The basic scenario is:
>
> 1.  Client gets token T1 and posts it to the RS
> 2.  After some time the RS returns and error to the client about an access
> issue
> 3.  Client gets a new token from the AS T2, possibly using a refresh token.
> 4. Client posts the token T2 to the RS
> 5.  The RS somehow needs to associate token T1 and T2 for long term
> security
> sessions.
>
> I do not believe that OAuth has this issue because there is not currently
> any concept that a token is used for anything other than a single
> request/response between the client and the RS.  There is no idea of the RS
> storing tokens long term associated with a TLS session that might need to
> have the access rights for that TLS session changed.
>
> Please provide any feedback that you might have.
>
> Thanks
> Jim
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Neil Madden]

But if an AS upgrades to OAuth 2.1 then it MUST reject authorization requests 
that don’t include a code_challenge (section 4.1.2.1), so this will only be 
possible when all clients support PKCE.

This makes it impossible for a 2.1-compliant AS to also support non-PKCE 2.0 
clients (i.e., the vast majority of them).

I think we can have a 2.1 spec that says clients and servers MUST support PKCE 
without this hard-fail clause. Otherwise I can’t see how we’d ever ship with 
2.1-compliance enabled out-of-the-box.

— Neil

> On 10 May 2020, at 20:38, Dick Hardt  wrote:
> 
> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as the 
> other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 2.0 was 
> voluntary. 
> 
> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
> 
> 
> On Sun, May 10, 2020 at 12:02 PM Mike Jones 
>  > wrote:
> I agree with actively maintaining and improving the OAuth 2.0 specs by adding 
> enhancements that are voluntary to use.  I’ve worked on many such 
> improvements, including Dynamic Client Registration, Authorization Metadata, 
> the Device Flow, Token Exchange, DPoP, and support PAR and RAR, etc.  The 
> issue that’s the subject is the current discussion is whether to make use of 
> another enhancement, PKCE, mandatory in cases where it’s actually not needed, 
> rather than making its use voluntary like the other enhancements, which I 
> certainly support.
> 
>  
> 
>-- Mike
> 
>  
> 
> From: Torsten Lodderstedt  > 
> Sent: Sunday, May 10, 2020 3:15 AM
> To: Mike Jones  >
> Cc: Daniel Fett mailto:f...@danielfett.de>>; 
> oauth@ietf.org 
> Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
> 
>  
> 
> Hi Mike,
> 
>  
> 
> Mike Jones  > schrieb am Fr. 8. Mai 2020 um 18:55:
> 
> OAuth 2.1 was supposed to not introduce breaking changes. 
> 
> I cannot remember the WG met that decision. Can you please refer to the 
> respective thread? 
> 
>  
> 
> Requiring exact redirect URI matching is already a breaking change. Do you 
> oppose against this as well?
> 
>  
> 
>  
> 
> If you want to do that, please do it in TxAuth instead.
> 
>  
> 
> Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
> any enhancements/improvements to go into TXAuth? This would cause huge 
> migration efforts for existing deployments wanting to benefit from those 
> enhancements.
> 
>  
> 
> I think existing deployments are better served by actively maintaining and 
> evolving the 2.x line. For example, PAR and RAR are attempts to improve OAuth 
> 2.x and make it usable for new use cases. That’s better protection of 
> existing investments than sending them of to TXAuth.
> 
> Kind regards,
> 
> Torsten.
> 
>  
> 
>  
> 
>-- Mike
> 
>  
> 
> From: OAuth mailto:oauth-boun...@ietf.org>> On 
> Behalf Of Daniel Fett
> Sent: Thursday, May 7, 2020 11:50 PM
> To: oauth@ietf.org 
> Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
> 
>  
> 
> +1 to all what Aaron said. Thanks for pointing this out!
> 
>  
> 
> We need to address this in the security BCP and this will be a normative 
> change that affects OpenID Connect Core (just as our current recommendation 
> on the usage of nonce).
> 
>  
> 
> We would then have:
> 
>  
> 
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
> except if you are a public client, then you still need PKCE.
> 
> - use state, except if you use PKCE, then you don't need state.
> 
>  
> 
> I think there are very good reasons to simplify this down to
> 
>  
> 
> - use PKCE
> 
> - you may or may not use state
> 
>  
> 
> First and foremost, not many people will understand why there are cases when 
> the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
> understanding why you have to do something is key to compliance. The short 
> version "PKCE protects the code; there is a specific case where it is not 
> needed, but its better to use it all the time" is easy to understand. We will 
> not see many implementations following the long version above correctly.
> 
>  
> 
> Second, we dramatically reduce technical complexity by reducing cases that 
> need to be handled. We reduce correctness and compliance testing complexity 
> in the same way. We reduce the cost of security analysis, which scales really 
> badly to more cases.
> 
>  
> 
> And finally, using nonce to protect against code injection is less robust 
> than PKCE. AS have a better track record than clients when it comes to 
> correctly implementing security mechanisms.
> 
>  
> 
> Yes, this will make a number of implementations non-spec-compliant, but I do 
> not think that this is a huge problem. So

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Dick Hardt]

Just as upgrading to OAuth 2.0 from OAuth 1.0 was voluntary, why is
upgrading to OAuth 2.1 not voluntary?

OAuth 2.0 obsoleted OAuth 1.0, just as OAuth 2.1 is obsoleting OAuth 2.1.
Our goal is for new deployments, that are reading the drafts, to use the
best practices.

If existing deployments don't want the advantages of a new version or
extension, there is nobody forcing them to upgrade -- hence my confusion on
your statement that it is "mandatory". Upgrading to OAuth 2.0 from OAuth
1.0 was not mandatory, and some deployments still use OAuth 1.0 today.



ᐧ

On Sun, May 10, 2020 at 12:51 PM Mike Jones 
wrote:

> If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0
> (RFC 6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC
> 5849) obsolete.  That’s what makes me think developers would view updating
> as mandatory.  If you’re willing to remove the “replaces 6749” clause from
> the draft, then there would be no perception problem, as it would be clear
> that adoption of 2.1 would be voluntary, just like the other extension
> specs.
>
>
>
> *From:* Dick Hardt 
> *Sent:* Sunday, May 10, 2020 12:38 PM
> *To:* Mike Jones 
> *Cc:* Torsten Lodderstedt ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
> 2.0 was voluntary.
>
>
>
> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>
>
>
>
>
> On Sun, May 10, 2020 at 12:02 PM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
> I agree with actively maintaining and improving the OAuth 2.0 specs by
> adding enhancements that are voluntary to use.  I’ve worked on many such
> improvements, including Dynamic Client Registration, Authorization
> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
> etc.  The issue that’s the subject is the current discussion is whether to
> make use of another enhancement, PKCE, mandatory in cases where it’s
> actually not needed, rather than making its use voluntary like the other
> enhancements, which I certainly support.
>
>
>
>-- Mike
>
>
>
> *From:* Torsten Lodderstedt 
> *Sent:* Sunday, May 10, 2020 3:15 AM
> *To:* Mike Jones 
> *Cc:* Daniel Fett ; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike,
>
>
>
> Mike Jones  schrieb am Fr..
> 8. Mai 2020 um 18:55:
>
> OAuth 2.1 was supposed to not introduce breaking changes.
>
> I cannot remember the WG met that decision. Can you please refer to the
> respective thread?
>
>
>
> Requiring exact redirect URI matching is already a breaking change. Do you
> oppose against this as well?
>
>
>
>
>
> If you want to do that, please do it in TxAuth instead.
>
>
>
> Interesting statement. Does it mean you want to conserve OAuth 2.0 and
> force any enhancements/improvements to go into TXAuth? This would cause
> huge migration efforts for existing deployments wanting to benefit from
> those enhancements.
>
>
>
> I think existing deployments are better served by actively maintaining and
> evolving the 2.x line. For example, PAR and RAR are attempts to improve
> OAuth 2.x and make it usable for new use cases. That’s better protection of
> existing investments than sending them of to TXAuth.
>
> Kind regards,
>
> Torsten.
>
>
>
>
>
>-- Mike
>
>
>
> *From:* OAuth  *On Behalf Of *Daniel Fett
> *Sent:* Thursday, May 7, 2020 11:50 PM
> *To:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> +1 to all what Aaron said. Thanks for pointing this out!
>
>
>
> We need to address this in the security BCP and this will be a normative
> change that affects OpenID Connect Core (just as our current recommendation
> on the usage of nonce).
>
>
>
> We would then have:
>
>
>
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
> except if you are a public client, then you still need PKCE.
>
> - use state, except if you use PKCE, then you don't need state.
>
>
>
> I think there are very good reasons to simplify this down to
>
>
>
> - use PKCE
>
> - you may or may not use state
>
>
>
> First and foremost, not many people will understand why there are cases
> when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
> understanding *why* you have to do something is key to compliance. The
> short version "PKCE protects the code; there is a specific case where it is
> not needed, but its better to use it all the time" is easy to understand.
> We will not see many implementations following the long version above
> correctly.
>
>
>
> Second, we dramatically reduce technical complexity by reducing cases that
> need to be handled. We reduce correctness and compliance testing complexity
> in the same way. We reduce the cost of security analysis, which scale

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0 (RFC 
6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC 5849) 
obsolete.  That’s what makes me think developers would view updating as 
mandatory.  If you’re willing to remove the “replaces 6749” clause from the 
draft, then there would be no perception problem, as it would be clear that 
adoption of 2.1 would be voluntary, just like the other extension specs.

From: Dick Hardt 
Sent: Sunday, May 10, 2020 12:38 PM
To: Mike Jones 
Cc: Torsten Lodderstedt ; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as the 
other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 2.0 was 
voluntary.

Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?


On Sun, May 10, 2020 at 12:02 PM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
I agree with actively maintaining and improving the OAuth 2.0 specs by adding 
enhancements that are voluntary to use.  I’ve worked on many such improvements, 
including Dynamic Client Registration, Authorization Metadata, the Device Flow, 
Token Exchange, DPoP, and support PAR and RAR, etc.  The issue that’s the 
subject is the current discussion is whether to make use of another 
enhancement, PKCE, mandatory in cases where it’s actually not needed, rather 
than making its use voluntary like the other enhancements, which I certainly 
support.

   -- Mike

From: Torsten Lodderstedt 
mailto:40lodderstedt@dmarc.ietf.org>>
Sent: Sunday, May 10, 2020 3:15 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Daniel Fett mailto:f...@danielfett.de>>; 
oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike,

Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 schrieb am Fr. 8. Mai 2020 um 18:55:
OAuth 2.1 was supposed to not introduce breaking changes.
I cannot remember the WG met that decision. Can you please refer to the 
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you 
oppose against this as well?


If you want to do that, please do it in TxAuth instead.

Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
any enhancements/improvements to go into TXAuth? This would cause huge 
migration efforts for existing deployments wanting to benefit from those 
enhancements.

I think existing deployments are better served by actively maintaining and 
evolving the 2.x line. For example, PAR and RAR are attempts to improve OAuth 
2.x and make it usable for new use cases. That’s better protection of existing 
investments than sending them of to TXAuth.
Kind regards,
Torsten.


   -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change 
that affects OpenID Connect Core (just as our current recommendation on the 
usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when 
the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
understanding why you have to do something is key to compliance. The short 
version "PKCE protects the code; there is a specific case where it is not 
needed, but its better to use it all the time" is easy to understand. We will 
not see many implementations following the long version above correctly.

Second, we dramatically reduce technical complexity by reducing cases that need 
to be handled. We reduce correctness and compliance testing complexity in the 
same way. We reduce the cost of security analysis, which scales really badly to 
more cases.

And finally, using nonce to protect against code injection is less robust than 
PKCE. AS have a better track record than clients when it comes to correctly 
implementing security mechanisms.

Yes, this will make a number of implementations non-spec-compliant, but I do 
not think that this is a huge problem. Software needs to adapt all the time and 
a software that has not been changed in a while is probably not one you would 
want to use anyway. We are setting a new goal for implementations to meet and 
eventually, maintained implementations will get there.

-Daniel


Am 08.05.20 um 01:38 schrieb Aaron Parecki:
Backing up a step or 

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Dick Hardt]

Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
2.0 was voluntary.

Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?


On Sun, May 10, 2020 at 12:02 PM Mike Jones  wrote:

> I agree with actively maintaining and improving the OAuth 2.0 specs by
> adding enhancements that are voluntary to use.  I’ve worked on many such
> improvements, including Dynamic Client Registration, Authorization
> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
> etc.  The issue that’s the subject is the current discussion is whether to
> make use of another enhancement, PKCE, mandatory in cases where it’s
> actually not needed, rather than making its use voluntary like the other
> enhancements, which I certainly support.
>
>
>
>-- Mike
>
>
>
> *From:* Torsten Lodderstedt 
> *Sent:* Sunday, May 10, 2020 3:15 AM
> *To:* Mike Jones 
> *Cc:* Daniel Fett ; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike,
>
>
>
> Mike Jones  schrieb am Fr..
> 8. Mai 2020 um 18:55:
>
> OAuth 2.1 was supposed to not introduce breaking changes.
>
> I cannot remember the WG met that decision. Can you please refer to the
> respective thread?
>
>
>
> Requiring exact redirect URI matching is already a breaking change. Do you
> oppose against this as well?
>
>
>
>
>
> If you want to do that, please do it in TxAuth instead.
>
>
>
> Interesting statement. Does it mean you want to conserve OAuth 2.0 and
> force any enhancements/improvements to go into TXAuth? This would cause
> huge migration efforts for existing deployments wanting to benefit from
> those enhancements.
>
>
>
> I think existing deployments are better served by actively maintaining and
> evolving the 2.x line. For example, PAR and RAR are attempts to improve
> OAuth 2.x and make it usable for new use cases. That’s better protection of
> existing investments than sending them of to TXAuth.
>
> Kind regards,
>
> Torsten.
>
>
>
>
>
>-- Mike
>
>
>
> *From:* OAuth  *On Behalf Of *Daniel Fett
> *Sent:* Thursday, May 7, 2020 11:50 PM
> *To:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> +1 to all what Aaron said. Thanks for pointing this out!
>
>
>
> We need to address this in the security BCP and this will be a normative
> change that affects OpenID Connect Core (just as our current recommendation
> on the usage of nonce).
>
>
>
> We would then have:
>
>
>
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
> except if you are a public client, then you still need PKCE.
>
> - use state, except if you use PKCE, then you don't need state.
>
>
>
> I think there are very good reasons to simplify this down to
>
>
>
> - use PKCE
>
> - you may or may not use state
>
>
>
> First and foremost, not many people will understand why there are cases
> when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
> understanding *why* you have to do something is key to compliance. The
> short version "PKCE protects the code; there is a specific case where it is
> not needed, but its better to use it all the time" is easy to understand.
> We will not see many implementations following the long version above
> correctly.
>
>
>
> Second, we dramatically reduce technical complexity by reducing cases that
> need to be handled. We reduce correctness and compliance testing complexity
> in the same way. We reduce the cost of security analysis, which scales
> really badly to more cases.
>
>
>
> And finally, using nonce to protect against code injection is less robust
> than PKCE. AS have a better track record than clients when it comes to
> correctly implementing security mechanisms.
>
>
>
> Yes, this will make a number of implementations non-spec-compliant, but I
> do not think that this is a huge problem. Software needs to adapt all the
> time and a software that has not been changed in a while is probably not
> one you would want to use anyway. We are setting a new goal for
> implementations to meet and eventually, maintained implementations will get
> there.
>
>
>
> -Daniel
>
>
>
>
>
> Am 08.05.20 um 01:38 schrieb Aaron Parecki:
>
> Backing up a step or two, there's another point here that I think has been
> missed in these discussions.
>
>
>
> PKCE solves two problems: stolen authorization codes for public clients,
> and authorization code injection for all clients. We've only been talking
> about authorization code injection on the list so far. The quoted section
> of the security BCP (4.5.3) which says clients can do PKCE or use the
> nonce, is only talking about preventing authorization code injection.
>
>
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public clients using the nonce parameter are stil

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

> Did I got it right that nonce does not protect public clients from code 
> theft/replay?

I believe that the OpenID Connect Code Hash (“c_hash”) claim protects against 
this.  I’d be interested in hearing John Bradley’s take on this.

   -- Mike

From: Torsten Lodderstedt 
Sent: Sunday, May 10, 2020 3:17 AM
To: Mike Jones 
Cc: Aaron Parecki ; Dick Hardt ; OAuth 
WG 
Subject: Re: OAuth 2.1 - require PKCE?

Mike Jones mailto:michael.jo...@microsoft.com>> 
schrieb am Sa. 9. Mai 2020 um 20:46:
There’s a huge ecosystem of successful, secure OAuth 2.0 and OpenID Connect 
deployments that we have the responsibility to be stewards of.  This working 
group should be proud of what it’s accomplished.  Part of good stewardship is 
not unnecessarily bifurcating the ecosystem into non-interoperable segments.  
OAuth 2.1 should facilitate the already secure OAuth 2.0 deployments remaining 
part of the interoperable OAuth 2.1 set of deployments – not intentionally 
doing the opposite.

If it ain’t broke, don’t fix it!
Did I got it right that nonce does not protect public clients from code 
theft/replay? I would consider this a security issue.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Friday, May 8, 2020 8:34 PM
To: OAuth WG mailto:oauth@ietf.org>>
Cc: Dick Hardt mailto:dick.ha...@gmail.com>>; Torsten 
Lodderstedt mailto:tors...@lodderstedt.net>>; Mike 
Jones mailto:michael.jo...@microsoft.com>>
Subject: Re: OAuth 2.1 - require PKCE?

Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
about “the amount of explanation this will take”.  That’s optimizing for spec 
simplicity – a goal that I do understand.  However, by writing these few 
sentences or paragraphs, we’ll make it clear to developers that hundreds or 
thousands of deployed OpenID Connect RPs won’t have to change their 
deployments.  That’s optimizing for interoperability and minimizing the burden 
on developers, which are far more important.

I appreciate the concern about optimizing for spec simplicity. I also agree 
that spec simplicity should not necessarily be the driving goal.

However, what you've described is the opposite of interoperability and 
minimizing the burden on developers. Requiring PKCE in OAuth 2.1, without any 
exceptions, will optimize for interoperability between OAuth 2.1 clients and 
servers. Without the requirement of PKCE, there will always be the question of 
"but does this OAuth 2.1 client work with this OAuth 2.1 server or not?", which 
will only be able to be answered by investigating the docs to look for PKCE 
support, or by checking the AS metadata document if it publishes one (which it 
is not required to do).

Optimizing for interoperability and minimizing the burden on developers is 
absolutely a good goal, and requiring PKCE is a great way to accomplish that. 
OAuth 2.0 and OpenID Connect implementations that don't support PKCE will 
continue to work as they currently do, they just won't be able to call 
themselves OAuth 2.1 compliant, just as is the case as if they don't follow the 
other recommendations that are in OAuth 2.1 and the Security BCP.

Aaron


On Thu, May 7, 2020 at 6:42 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
about “the amount of explanation this will take”.  That’s optimizing for spec 
simplicity – a goal that I do understand.  However, by writing these few 
sentences or paragraphs, we’ll make it clear to developers that hundreds or 
thousands of deployed OpenID Connect RPs won’t have to change their 
deployments.  That’s optimizing for interoperability and minimizing the burden 
on developers, which are far more important.

As Brian Campbell wrote, “They are not equivalent and have very different 
ramifications on interoperability”.

Even if you’re optimizing for writing, taking a minimally invasive protocol 
change approach will optimize that, overall.  If we proceed as you’re 
suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
SlashDot, blogs, and other developer forums, where confused developers will ask 
“Why do I have to change my deployed code?” with the answers being “Despite 
what the 2.1 spec says, there’s no need to change your deployed code.”

I’d gladly write a few sentences in our new specs now to prevent ongoing 
confusion and interop problems that would otherwise result.  Let me know when 
you’re ready to incorporate them into the spec text.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Thursday, May 7, 2020 4:39 PM
To: Dick Hardt mailto:dick.ha...@gmail.com>>
Cc: OAuth WG mailto:oauth@ietf.org>>; Torsten Lodderstedt 
mailto:tors...@lodderstedt.net>>; Mike Jones 
mailto:michael.jo...@microsoft.com>>
Subject: Re: OAuth 2.1 - require PKCE?

Backing up a 

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.1 - require PKCE?

[Mike Jones]

I agree with actively maintaining and improving the OAuth 2.0 specs by adding 
enhancements that are voluntary to use.  I’ve worked on many such improvements, 
including Dynamic Client Registration, Authorization Metadata, the Device Flow, 
Token Exchange, DPoP, and support PAR and RAR, etc.  The issue that’s the 
subject is the current discussion is whether to make use of another 
enhancement, PKCE, mandatory in cases where it’s actually not needed, rather 
than making its use voluntary like the other enhancements, which I certainly 
support.

   -- Mike

From: Torsten Lodderstedt 
Sent: Sunday, May 10, 2020 3:15 AM
To: Mike Jones 
Cc: Daniel Fett ; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike,

Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 schrieb am Fr. 8. Mai 2020 um 18:55:
OAuth 2.1 was supposed to not introduce breaking changes.
I cannot remember the WG met that decision. Can you please refer to the 
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you 
oppose against this as well?


If you want to do that, please do it in TxAuth instead.

Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
any enhancements/improvements to go into TXAuth? This would cause huge 
migration efforts for existing deployments wanting to benefit from those 
enhancements.

I think existing deployments are better served by actively maintaining and 
evolving the 2.x line. For example, PAR and RAR are attempts to improve OAuth 
2.x and make it usable for new use cases. That’s better protection of existing 
investments than sending them of to TXAuth.
Kind regards,
Torsten.


   -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change 
that affects OpenID Connect Core (just as our current recommendation on the 
usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when 
the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
understanding why you have to do something is key to compliance. The short 
version "PKCE protects the code; there is a specific case where it is not 
needed, but its better to use it all the time" is easy to understand. We will 
not see many implementations following the long version above correctly.

Second, we dramatically reduce technical complexity by reducing cases that need 
to be handled. We reduce correctness and compliance testing complexity in the 
same way. We reduce the cost of security analysis, which scales really badly to 
more cases.

And finally, using nonce to protect against code injection is less robust than 
PKCE. AS have a better track record than clients when it comes to correctly 
implementing security mechanisms.

Yes, this will make a number of implementations non-spec-compliant, but I do 
not think that this is a huge problem. Software needs to adapt all the time and 
a software that has not been changed in a while is probably not one you would 
want to use anyway. We are setting a new goal for implementations to meet and 
eventually, maintained implementations will get there.

-Daniel


Am 08.05.20 um 01:38 schrieb Aaron Parecki:
Backing up a step or two, there's another point here that I think has been 
missed in these discussions.

PKCE solves two problems: stolen authorization codes for public clients, and 
authorization code injection for all clients. We've only been talking about 
authorization code injection on the list so far. The quoted section of the 
security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only 
talking about preventing authorization code injection.

The nonce parameter solves authorization code injection if the client requests 
an ID token. Public clients using the nonce parameter are still susceptible to 
stolen authorization codes so they still need to do PKCE as well.

The only case where OpenID Connect clients don't benefit from PKCE is if they 
are also confidential clients. Public client OIDC clients still need to do PKCE 
even if they check the nonce.

OpenID Connect servers working with confidential clients still benefit from 
PKCE because they can then enforce the authorization code injection protection 
server-side rather than cross their fingers that clients 

Re: [OAUTH-WG] Usage of Password Grant

[Aaron Parecki]

Hi Beena,

This sounds like a great use of the client credentials grant. The password
grant is being removed from OAuth 2.0 by the Security Best Current
Practice. Can you clarify what you've found useful about the password grant
that the client credentials grant doesn't solve?

Aaron Parecki


On Sun, May 10, 2020 at 3:18 AM Beena Santhosh 
wrote:

> Hi,
>
>
> We have a product with client server architecture where our server manages
> thousands of devices. Each device has a client-piece that talks to the
> server over SOAP/REST. The client currently uses a HTTP Basic
> Authentication (unique id and a secret string) for all the calls. The
> secret string is created when the device enrolls to the server. It is
> available at the server as well as stored securely on the device. For the
> rest calls it is the device that is getting authenticated.
>
>
>
>  Sending the credentials every time is less than ideal and we want to move
> to some tokenized device authentication. We evaluated OpendID Connect based
> on the general recommendation of SSO solution, but the issue is we do not
> have any user interaction and hence there is no Grant flow that is fitting.
> Hence we evaluated OAuth grant type of which we found Password Grant and
> Client Credentials Grant is matching our requirement.
>
>
>
>  In order to use Client Credentials in our use case, we need to do dynamic
> registration for the thousands of devices managed by the server, if IoT
> comes into picture the number is going to be even higher, which is highly
> cumbersome to manage.  Also, as per  RFC7591 on dynamic client
> registration, using access token for registering client is optional too.
> Even though the Password grant is highly discouraged by the spec, we found
> it to be highly matching with our requirements.
>
>
>
> But as per the Oauth 2.1 proposal, password grant is going to be removed. Can
> you suggest the way forward for us? I believe we are not a one-off case.
>
>
> Thank You,
>
> Beena
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-22.txt

[Torsten Lodderstedt]

I just read over the diff between -21 and -22 and realised the example in 
Section 5.2.2.

https://server.example.com/authorize?
   response_type=code%20id_token
   &client_id=s6BhdRkqt3
   &request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt
   %2FGkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM

 still has the “response_type" parameter. I think this parameter should be 
removed. 



> On 10. May 2020, at 02:51, internet-dra...@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
> 
>Title   : The OAuth 2.0 Authorization Framework: JWT Secured 
> Authorization Request (JAR)
>Authors : Nat Sakimura
>  John Bradley
>   Filename: draft-ietf-oauth-jwsreq-22.txt
>   Pages   : 32
>   Date: 2020-05-07
> 
> Abstract:
>   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>   query parameter serialization, which means that Authorization Request
>   parameters are encoded in the URI of the request and sent through
>   user agents such as web browsers.  While it is easy to implement, it
>   means that (a) the communication through the user agents are not
>   integrity protected and thus the parameters can be tainted, and (b)
>   the source of the communication is not authenticated.  Because of
>   these weaknesses, several attacks to the protocol have now been put
>   forward.
> 
>   This document introduces the ability to send request parameters in a
>   JSON Web Token (JWT) instead, which allows the request to be signed
>   with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
>   (JWE) so that the integrity, source authentication and
>   confidentiality property of the Authorization Request is attained.
>   The request can be sent by value or by reference.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-22
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-22
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-22
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] Usage of Password Grant

[Beena Santhosh]

Hi,


We have a product with client server architecture where our server manages
thousands of devices. Each device has a client-piece that talks to the
server over SOAP/REST. The client currently uses a HTTP Basic
Authentication (unique id and a secret string) for all the calls. The
secret string is created when the device enrolls to the server. It is
available at the server as well as stored securely on the device. For the
rest calls it is the device that is getting authenticated.



 Sending the credentials every time is less than ideal and we want to move
to some tokenized device authentication. We evaluated OpendID Connect based
on the general recommendation of SSO solution, but the issue is we do not
have any user interaction and hence there is no Grant flow that is fitting.
Hence we evaluated OAuth grant type of which we found Password Grant and
Client Credentials Grant is matching our requirement.



 In order to use Client Credentials in our use case, we need to do dynamic
registration for the thousands of devices managed by the server, if IoT
comes into picture the number is going to be even higher, which is highly
cumbersome to manage.  Also, as per  RFC7591 on dynamic client
registration, using access token for registering client is optional too.
Even though the Password grant is highly discouraged by the spec, we found
it to be highly matching with our requirements.



But as per the Oauth 2.1 proposal, password grant is going to be removed. Can
you suggest the way forward for us? I believe we are not a one-off case.


Thank You,

Beena
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Torsten Lodderstedt]

Mike Jones  schrieb am Sa. 9. Mai 2020 um
20:46:

> There’s a huge ecosystem of successful, secure OAuth 2.0 and OpenID
> Connect deployments that we have the responsibility to be stewards of.
> This working group should be proud of what it’s accomplished.  Part of good
> stewardship is not unnecessarily bifurcating the ecosystem into
> non-interoperable segments.  OAuth 2.1 should facilitate the already secure
> OAuth 2.0 deployments remaining part of the interoperable OAuth 2.1 set of
> deployments – not intentionally doing the opposite.
>
>
>
> If it ain’t broke, don’t fix it!
>
Did I got it right that nonce does not protect public clients from code
theft/replay? I would consider this a security issue.

>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Friday, May 8, 2020 8:34 PM
> *To:* OAuth WG 
> *Cc:* Dick Hardt ; Torsten Lodderstedt <
> tors...@lodderstedt.net>; Mike Jones 
> *Subject:* Re: OAuth 2.1 - require PKCE?
>
>
>
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re
> concerned about “the amount of explanation this will take”.  That’s
> optimizing for spec simplicity – a goal that I do understand.  However, by
> writing these few sentences or paragraphs, we’ll make it clear to
> developers that hundreds or thousands of deployed OpenID Connect RPs won’t
> have to change their deployments.  That’s optimizing for interoperability
> and minimizing the burden on developers, which are far more important.
>
>
>
> I appreciate the concern about optimizing for spec simplicity. I also
> agree that spec simplicity should not necessarily be the driving goal.
>
>
>
> However, what you've described is the opposite of interoperability and
> minimizing the burden on developers. Requiring PKCE in OAuth 2.1, without
> any exceptions, will optimize for interoperability between OAuth 2.1
> clients and servers. Without the requirement of PKCE, there will always be
> the question of "but does this OAuth 2.1 client work with this OAuth 2.1
> server or not?", which will only be able to be answered by investigating
> the docs to look for PKCE support, or by checking the AS metadata document
> if it publishes one (which it is not required to do).
>
>
>
> Optimizing for interoperability and minimizing the burden on developers is
> absolutely a good goal, and requiring PKCE is a great way to accomplish
> that. OAuth 2.0 and OpenID Connect implementations that don't support PKCE
> will continue to work as they currently do, they just won't be able to call
> themselves OAuth 2.1 compliant, just as is the case as if they don't follow
> the other recommendations that are in OAuth 2.1 and the Security BCP.
>
>
>
> Aaron
>
>
>
>
>
> On Thu, May 7, 2020 at 6:42 PM Mike Jones 
> wrote:
>
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re
> concerned about “the amount of explanation this will take”.  That’s
> optimizing for spec simplicity – a goal that I do understand.  However, by
> writing these few sentences or paragraphs, we’ll make it clear to
> developers that hundreds or thousands of deployed OpenID Connect RPs won’t
> have to change their deployments.  That’s optimizing for interoperability
> and minimizing the burden on developers, which are far more important.
>
>
>
> As Brian Campbell wrote, “They are not equivalent and have very different
> ramifications on interoperability”.
>
>
>
> Even if you’re optimizing for writing, taking a minimally invasive
> protocol change approach will optimize that, overall.  If we proceed as
> you’re suggesting, a huge amount of writing will occur on StackOverflow,
> Medium, SlashDot, blogs, and other developer forums, where confused
> developers will ask “Why do I have to change my deployed code?” with the
> answers being “Despite what the 2.1 spec says, there’s no need to change
> your deployed code.”
>
>
>
> I’d gladly write a few sentences in our new specs now to prevent ongoing
> confusion and interop problems that would otherwise result.  Let me know
> when you’re ready to incorporate them into the spec text.
>
>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Thursday, May 7, 2020 4:39 PM
> *To:* Dick Hardt 
> *Cc:* OAuth WG ; Torsten Lodderstedt <
> tors...@lodderstedt.net>; Mike Jones 
> *Subject:* Re: OAuth 2.1 - require PKCE?
>
>
>
> Backing up a step or two, there's another point here that I think has been
> missed in these discussions.
>
>
>
> PKCE solves two problems: stolen authorization codes for public clients,
> and authorization code injection for all clients. We've only been talking
> about authorization code injection on the list so far. The quoted section
> of the security BCP (4.5.3) which says clients can do PKCE or use the
> nonce, is only talking about preventing authorization code injection.
>
>
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public clien

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Torsten Lodderstedt]

Hi Mike,

Mike Jones  schrieb am Fr. 8.
Mai 2020 um 18:55:

> OAuth 2.1 was supposed to not introduce breaking changes.
>
I cannot remember the WG met that decision. Can you please refer to the
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you
oppose against this as well?


If you want to do that, please do it in TxAuth instead.
>

Interesting statement. Does it mean you want to conserve OAuth 2.0 and
force any enhancements/improvements to go into TXAuth? This would cause
huge migration efforts for existing deployments wanting to benefit from
those enhancements.

I think existing deployments are better served by actively maintaining and
evolving the 2.x line. For example, PAR and RAR are attempts to improve
OAuth 2.x and make it usable for new use cases. That’s better protection of
existing investments than sending them of to TXAuth.

> Kind regards,
Torsten.


>
>-- Mike
>
>
>
> *From:* OAuth  *On Behalf Of * Daniel Fett
> *Sent:* Thursday, May 7, 2020 11:50 PM
> *To:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> +1 to all what Aaron said. Thanks for pointing this out!
>
>
>
> We need to address this in the security BCP and this will be a normative
> change that affects OpenID Connect Core (just as our current recommendation
> on the usage of nonce).
>
>
>
> We would then have:
>
>
>
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
> except if you are a public client, then you still need PKCE.
>
> - use state, except if you use PKCE, then you don't need state.
>
>
>
> I think there are very good reasons to simplify this down to
>
>
>
> - use PKCE
>
> - you may or may not use state
>
>
>
> First and foremost, not many people will understand why there are cases
> when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
> understanding *why* you have to do something is key to compliance. The
> short version "PKCE protects the code; there is a specific case where it is
> not needed, but its better to use it all the time" is easy to understand.
> We will not see many implementations following the long version above
> correctly.
>
>
>
> Second, we dramatically reduce technical complexity by reducing cases that
> need to be handled. We reduce correctness and compliance testing complexity
> in the same way. We reduce the cost of security analysis, which scales
> really badly to more cases.
>
>
>
> And finally, using nonce to protect against code injection is less robust
> than PKCE. AS have a better track record than clients when it comes to
> correctly implementing security mechanisms.
>
>
>
> Yes, this will make a number of implementations non-spec-compliant, but I
> do not think that this is a huge problem. Software needs to adapt all the
> time and a software that has not been changed in a while is probably not
> one you would want to use anyway. We are setting a new goal for
> implementations to meet and eventually, maintained implementations will get
> there.
>
>
>
> -Daniel
>
>
>
>
>
> Am 08.05.20 um 01:38 schrieb Aaron Parecki:
>
> Backing up a step or two, there's another point here that I think has been
> missed in these discussions.
>
>
>
> PKCE solves two problems: stolen authorization codes for public clients,
> and authorization code injection for all clients. We've only been talking
> about authorization code injection on the list so far. The quoted section
> of the security BCP (4.5.3) which says clients can do PKCE or use the
> nonce, is only talking about preventing authorization code injection.
>
>
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public clients using the nonce parameter are still
> susceptible to stolen authorization codes so they still need to do PKCE as
> well.
>
>
>
> The only case where OpenID Connect clients don't benefit from PKCE is if
> they are also confidential clients. Public client OIDC clients still need
> to do PKCE even if they check the nonce.
>
>
>
> OpenID Connect servers working with confidential clients still benefit
> from PKCE because they can then enforce the authorization code injection
> protection server-side rather than cross their fingers that clients
> implemented the nonce check properly.
>
>
>
> I really don't think it's worth the amount of explanation this will take
> in the future to write an exception into OAuth 2.1 or the Security BCP for
> only some types of OpenID Connect clients when all clients would benefit
> from PKCE anyway.
>
>
>
> Aaron
>
>
>
>
>
>
>
> On Wed, May 6, 2020 at 10:48 AM Dick Hardt  wrote:
>
> Hello!
>
>
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the
> nonce solves some of the issues that PKCE protects against. We think that
> most OpenID Connect implementations also support OAuth 2.0, and hence