Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Dominick Baier]

In IdentityServer, the PKCE requirement is per client.

We started with a default of false - and now switched to true.

FWIW
———
Dominick Baier

On 10. May 2020 at 22:22:35, Mike Jones (
michael.jones=40microsoft@dmarc.ietf.org) wrote:

Exactly!



I believe that this also the same point that Brian Campbell was making
earlier about interoperability implications.



   -- Mike



*From:* Neil Madden 
*Sent:* Sunday, May 10, 2020 1:06 PM
*To:* Dick Hardt 
*Cc:* Mike Jones ; oauth@ietf.org; Torsten
Lodderstedt 
*Subject:* Re: [OAUTH-WG] Re: OAuth 2.1 - require PKCE?



But if an AS upgrades to OAuth 2.1 then it MUST reject authorization
requests that don’t include a code_challenge (section 4.1.2.1), so this
will only be possible when all clients support PKCE.



This makes it impossible for a 2.1-compliant AS to also support non-PKCE
2.0 clients (i.e., the vast majority of them).



I think we can have a 2.1 spec that says clients and servers MUST support
PKCE without this hard-fail clause. Otherwise I can’t see how we’d ever
ship with 2.1-compliance enabled out-of-the-box.



— Neil



On 10 May 2020, at 20:38, Dick Hardt  wrote:



Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
2.0 was voluntary.



Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?





On Sun, May 10, 2020 at 12:02 PM Mike Jones  wrote:

I agree with actively maintaining and improving the OAuth 2.0 specs by
adding enhancements that are voluntary to use.  I’ve worked on many such
improvements, including Dynamic Client Registration, Authorization
Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
etc.  The issue that’s the subject is the current discussion is whether to
make use of another enhancement, PKCE, mandatory in cases where it’s
actually not needed, rather than making its use voluntary like the other
enhancements, which I certainly support.



   -- Mike



*From:* Torsten Lodderstedt 
*Sent:* Sunday, May 10, 2020 3:15 AM
*To:* Mike Jones 
*Cc:* Daniel Fett ; oauth@ietf.org
*Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?



Hi Mike,



Mike Jones  schrieb am Fr. 8.
Mai 2020 um 18:55:

OAuth 2.1 was supposed to not introduce breaking changes.

I cannot remember the WG met that decision. Can you please refer to the
respective thread?



Requiring exact redirect URI matching is already a breaking change. Do you
oppose against this as well?





If you want to do that, please do it in TxAuth instead.



Interesting statement. Does it mean you want to conserve OAuth 2.0 and
force any enhancements/improvements to go into TXAuth? This would cause
huge migration efforts for existing deployments wanting to benefit from
those enhancements.



I think existing deployments are better served by actively maintaining and
evolving the 2.x line. For example, PAR and RAR are attempts to improve
OAuth 2.x and make it usable for new use cases. That’s better protection of
existing investments than sending them of to TXAuth.

Kind regards,

Torsten.





   -- Mike



*From:* OAuth  *On Behalf Of *Daniel Fett
*Sent:* Thursday, May 7, 2020 11:50 PM
*To:* oauth@ietf.org
*Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?



+1 to all what Aaron said. Thanks for pointing this out!



We need to address this in the security BCP and this will be a normative
change that affects OpenID Connect Core (just as our current recommendation
on the usage of nonce).



We would then have:



- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
except if you are a public client, then you still need PKCE.

- use state, except if you use PKCE, then you don't need state.



I think there are very good reasons to simplify this down to



- use PKCE

- you may or may not use state



First and foremost, not many people will understand why there are cases
when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
understanding *why* you have to do something is key to compliance. The
short version "PKCE protects the code; there is a specific case where it is
not needed, but its better to use it all the time" is easy to understand.
We will not see many implementations following the long version above
correctly.



Second, we dramatically reduce technical complexity by reducing cases that
need to be handled. We reduce correctness and compliance testing complexity
in the same way. We reduce the cost of security analysis, which scales
really badly to more cases.



And finally, using nonce to protect against code injection is less robust
than PKCE. AS have a better track record than clients when it comes to
correctly implementing security mechanisms.



Yes, this will make a number of implementations non-spec-compliant

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Torsten Lodderstedt]

> On 10. May 2020, at 21:02, Mike Jones  wrote:
> 
> > Did I got it right that nonce does not protect public clients from code 
> > theft/replay?
>  
> I believe that the OpenID Connect Code Hash (“c_hash”) claim protects against 
> this.  

c_hash is designed to prevent injection at a legit client and must be enforced 
by the client - just like nonce. 

That might work with a confidential client, but in case of a public client, the 
attacker does not need to inject the code in order to redeem it. The attacker 
can just directly redeem the code for an access token without checking c_hash 
or nonce.

> I’d be interested in hearing John Bradley’s take on this.
>  
>-- Mike
>  
> From: Torsten Lodderstedt  
> Sent: Sunday, May 10, 2020 3:17 AM
> To: Mike Jones 
> Cc: Aaron Parecki ; Dick Hardt ; 
> OAuth WG 
> Subject: Re: OAuth 2.1 - require PKCE?
>  
> Mike Jones  schrieb am Sa. 9. Mai 2020 um 20:46:
> There’s a huge ecosystem of successful, secure OAuth 2.0 and OpenID Connect 
> deployments that we have the responsibility to be stewards of.  This working 
> group should be proud of what it’s accomplished.  Part of good stewardship is 
> not unnecessarily bifurcating the ecosystem into non-interoperable segments.  
> OAuth 2.1 should facilitate the already secure OAuth 2.0 deployments 
> remaining part of the interoperable OAuth 2.1 set of deployments – not 
> intentionally doing the opposite.
>  
> If it ain’t broke, don’t fix it!
> Did I got it right that nonce does not protect public clients from code 
> theft/replay? I would consider this a security issue.
>  
>-- Mike
>  
> From: Aaron Parecki  
> Sent: Friday, May 8, 2020 8:34 PM
> To: OAuth WG 
> Cc: Dick Hardt ; Torsten Lodderstedt 
> ; Mike Jones 
> Subject: Re: OAuth 2.1 - require PKCE?
>  
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
> about “the amount of explanation this will take”.  That’s optimizing for spec 
> simplicity – a goal that I do understand.  However, by writing these few 
> sentences or paragraphs, we’ll make it clear to developers that hundreds or 
> thousands of deployed OpenID Connect RPs won’t have to change their 
> deployments.  That’s optimizing for interoperability and minimizing the 
> burden on developers, which are far more important.
>  
> I appreciate the concern about optimizing for spec simplicity. I also agree 
> that spec simplicity should not necessarily be the driving goal.
>  
> However, what you've described is the opposite of interoperability and 
> minimizing the burden on developers. Requiring PKCE in OAuth 2.1, without any 
> exceptions, will optimize for interoperability between OAuth 2.1 clients and 
> servers. Without the requirement of PKCE, there will always be the question 
> of "but does this OAuth 2.1 client work with this OAuth 2.1 server or not?", 
> which will only be able to be answered by investigating the docs to look for 
> PKCE support, or by checking the AS metadata document if it publishes one 
> (which it is not required to do).
>  
> Optimizing for interoperability and minimizing the burden on developers is 
> absolutely a good goal, and requiring PKCE is a great way to accomplish that. 
> OAuth 2.0 and OpenID Connect implementations that don't support PKCE will 
> continue to work as they currently do, they just won't be able to call 
> themselves OAuth 2.1 compliant, just as is the case as if they don't follow 
> the other recommendations that are in OAuth 2.1 and the Security BCP.
>  
> Aaron 
>  
>  
> On Thu, May 7, 2020 at 6:42 PM Mike Jones  wrote:
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
> about “the amount of explanation this will take”.  That’s optimizing for spec 
> simplicity – a goal that I do understand.  However, by writing these few 
> sentences or paragraphs, we’ll make it clear to developers that hundreds or 
> thousands of deployed OpenID Connect RPs won’t have to change their 
> deployments.  That’s optimizing for interoperability and minimizing the 
> burden on developers, which are far more important.
>  
> As Brian Campbell wrote, “They are not equivalent and have very different 
> ramifications on interoperability”.
>  
> Even if you’re optimizing for writing, taking a minimally invasive protocol 
> change approach will optimize that, overall.  If we proceed as you’re 
> suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
> SlashDot, blogs, and other developer forums, where confused developers will 
> ask “Why do I have to change my deployed code?” with the answers being 
> “Despite what the 2.1 spec says, there’s no need to change your deployed 
> code.”
>  
> I’d gladly write a few sentences in our new specs now to prevent ongoing 
> confusion and interop problems that would otherwise result.  Let me know when 
> you’re ready to incorporate them into 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Benjamin Kaduk]

My apologies for a tangent on an already-long thread...

On Fri, May 08, 2020 at 08:50:16AM +0200, Daniel Fett wrote:
> 
> Yes, this will make a number of implementations non-spec-compliant, but
> I do not think that this is a huge problem. Software needs to adapt all
> the time and a software that has not been changed in a while is probably
> not one you would want to use anyway. We are setting a new goal for
> implementations to meet and eventually, maintained implementations will
> get there.

It's probably worth an occasional reminder that though this is true for the
web-facing software most of us work on, it's not actually universally true
for *all* software.  Things that are rated as safety-critical software, or
the SCADA systems running billion-dollar industrial processes that only
take downtime for hardware upgrades, are written in a rather different
ecosystem.  :)

-Ben

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Dick Hardt]

We are NOT saying that an OAuth 2.0 compatible server is OAuth 2.1
compatible. For example, an OAuth 2.0 compatible server does not have to
support PKCE, support the implicit grant, support the Resource Owner
Password Credentials grant, support bearer tokens in the query string of
the URI, etc.
https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02#section-12

 We have stated the goal to be OAuth 2.0 with best practices. As noted
earlier, we are now discussing what is best practices.

Per my other email, no one is requiring a deployment to upgrade, and a
deployment may support both legacy OAuth 2.0 clients, and OAuth 2.1 clients
at the same time. We can add some non-normative text to explain that if you
like.

On Sun, May 10, 2020 at 1:24 PM Mike Jones 
wrote:

> The difference is that OAuth 2.1 is supposed to compatible with OAuth 2.0
> (which is my whole goal here), whereas OAuth 2.0 was incompatible with
> OAuth 1.0 by design.
>
>
>
> *From:* Dick Hardt 
> *Sent:* Sunday, May 10, 2020 12:58 PM
> *To:* Mike Jones 
> *Cc:* Torsten Lodderstedt ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Just as upgrading to OAuth 2.0 from OAuth 1.0 was voluntary, why is
> upgrading to OAuth 2.1 not voluntary?
>
>
>
> OAuth 2.0 obsoleted OAuth 1.0, just as OAuth 2.1 is obsoleting OAuth 2.1.
> Our goal is for new deployments, that are reading the drafts, to use the
> best practices.
>
>
>
> If existing deployments don't want the advantages of a new version or
> extension, there is nobody forcing them to upgrade -- hence my confusion on
> your statement that it is "mandatory". Upgrading to OAuth 2.0 from OAuth
> 1.0 was not mandatory, and some deployments still use OAuth 1.0 today.
>
>
>
>
>
>
>
> ᐧ
>
>
>
> On Sun, May 10, 2020 at 12:51 PM Mike Jones 
> wrote:
>
> If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0
> (RFC 6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC
> 5849) obsolete.  That’s what makes me think developers would view updating
> as mandatory.  If you’re willing to remove the “replaces 6749” clause from
> the draft, then there would be no perception problem, as it would be clear
> that adoption of 2.1 would be voluntary, just like the other extension
> specs.
>
>
>
> *From:* Dick Hardt 
> *Sent:* Sunday, May 10, 2020 12:38 PM
> *To:* Mike Jones 
> *Cc:* Torsten Lodderstedt ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
> 2.0 was voluntary.
>
>
>
> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>
>
>
>
>
> On Sun, May 10, 2020 at 12:02 PM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
> I agree with actively maintaining and improving the OAuth 2.0 specs by
> adding enhancements that are voluntary to use.  I’ve worked on many such
> improvements, including Dynamic Client Registration, Authorization
> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
> etc.  The issue that’s the subject is the current discussion is whether to
> make use of another enhancement, PKCE, mandatory in cases where it’s
> actually not needed, rather than making its use voluntary like the other
> enhancements, which I certainly support.
>
>
>
>-- Mike
>
>
>
> *From:* Torsten Lodderstedt 
> *Sent:* Sunday, May 10, 2020 3:15 AM
> *To:* Mike Jones 
> *Cc:* Daniel Fett ; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike,
>
>
>
> Mike Jones  schrieb am Fr..
> 8. Mai 2020 um 18:55:
>
> OAuth 2.1 was supposed to not introduce breaking changes.
>
> I cannot remember the WG met that decision. Can you please refer to the
> respective thread?
>
>
>
> Requiring exact redirect URI matching is already a breaking change. Do you
> oppose against this as well?
>
>
>
>
>
> If you want to do that, please do it in TxAuth instead.
>
>
>
> Interesting statement. Does it mean you want to conserve OAuth 2.0 and
> force any enhancements/improvements to go into TXAuth? This would cause
> huge migration efforts for existing deployments wanting to benefit from
> those enhancements.
>
>
>
> I think existing deployments are better served by actively maintaining and
> evolving the 2.x line. For example, PAR and RAR are attempts to improve
> OAuth 2.x and make it usable for new use cases. That’s better protection of
> existing investments than se

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

The difference is that OAuth 2.1 is supposed to compatible with OAuth 2.0 
(which is my whole goal here), whereas OAuth 2.0 was incompatible with OAuth 
1.0 by design.

From: Dick Hardt 
Sent: Sunday, May 10, 2020 12:58 PM
To: Mike Jones 
Cc: Torsten Lodderstedt ; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Just as upgrading to OAuth 2.0 from OAuth 1.0 was voluntary, why is upgrading 
to OAuth 2.1 not voluntary?

OAuth 2.0 obsoleted OAuth 1.0, just as OAuth 2.1 is obsoleting OAuth 2.1. Our 
goal is for new deployments, that are reading the drafts, to use the best 
practices.

If existing deployments don't want the advantages of a new version or 
extension, there is nobody forcing them to upgrade -- hence my confusion on 
your statement that it is "mandatory". Upgrading to OAuth 2.0 from OAuth 1.0 
was not mandatory, and some deployments still use OAuth 1.0 today.



ᐧ

On Sun, May 10, 2020 at 12:51 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0 (RFC 
6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC 5849) 
obsolete.  That’s what makes me think developers would view updating as 
mandatory.  If you’re willing to remove the “replaces 6749” clause from the 
draft, then there would be no perception problem, as it would be clear that 
adoption of 2.1 would be voluntary, just like the other extension specs.

From: Dick Hardt mailto:dick.ha...@gmail.com>>
Sent: Sunday, May 10, 2020 12:38 PM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Torsten Lodderstedt 
mailto:tors...@lodderstedt.net>>; 
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as the 
other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 2.0 was 
voluntary.

Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?


On Sun, May 10, 2020 at 12:02 PM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
I agree with actively maintaining and improving the OAuth 2.0 specs by adding 
enhancements that are voluntary to use.  I’ve worked on many such improvements, 
including Dynamic Client Registration, Authorization Metadata, the Device Flow, 
Token Exchange, DPoP, and support PAR and RAR, etc.  The issue that’s the 
subject is the current discussion is whether to make use of another 
enhancement, PKCE, mandatory in cases where it’s actually not needed, rather 
than making its use voluntary like the other enhancements, which I certainly 
support.

   -- Mike

From: Torsten Lodderstedt 
mailto:40lodderstedt@dmarc.ietf.org>>
Sent: Sunday, May 10, 2020 3:15 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Daniel Fett mailto:f...@danielfett.de>>; 
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike,

Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 schrieb am Fr. 8. Mai 2020 um 18:55:
OAuth 2.1 was supposed to not introduce breaking changes.
I cannot remember the WG met that decision. Can you please refer to the 
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you 
oppose against this as well?


If you want to do that, please do it in TxAuth instead.

Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
any enhancements/improvements to go into TXAuth? This would cause huge 
migration efforts for existing deployments wanting to benefit from those 
enhancements.

I think existing deployments are better served by actively maintaining and 
evolving the 2.x line. For example, PAR and RAR are attempts to improve OAuth 
2.x and make it usable for new use cases. That’s better protection of existing 
investments than sending them of to TXAuth.
Kind regards,
Torsten.


   -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change 
that affects OpenID Connect Core (just as our current recommendation on the 
usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when 
the BCP/OAuth 2.1 mandate PKCE and some where they don

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

Exactly!

I believe that this also the same point that Brian Campbell was making earlier 
about interoperability implications.

   -- Mike

From: Neil Madden 
Sent: Sunday, May 10, 2020 1:06 PM
To: Dick Hardt 
Cc: Mike Jones ; oauth@ietf.org; Torsten 
Lodderstedt 
Subject: Re: [OAUTH-WG] Re: OAuth 2.1 - require PKCE?

But if an AS upgrades to OAuth 2.1 then it MUST reject authorization requests 
that don’t include a code_challenge (section 4.1.2.1), so this will only be 
possible when all clients support PKCE.

This makes it impossible for a 2.1-compliant AS to also support non-PKCE 2.0 
clients (i.e., the vast majority of them).

I think we can have a 2.1 spec that says clients and servers MUST support PKCE 
without this hard-fail clause. Otherwise I can’t see how we’d ever ship with 
2.1-compliance enabled out-of-the-box.

— Neil

On 10 May 2020, at 20:38, Dick Hardt 
mailto:dick.ha...@gmail.com>> wrote:

Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as the 
other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 2.0 was 
voluntary.

Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?


On Sun, May 10, 2020 at 12:02 PM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
I agree with actively maintaining and improving the OAuth 2.0 specs by adding 
enhancements that are voluntary to use.  I’ve worked on many such improvements, 
including Dynamic Client Registration, Authorization Metadata, the Device Flow, 
Token Exchange, DPoP, and support PAR and RAR, etc.  The issue that’s the 
subject is the current discussion is whether to make use of another 
enhancement, PKCE, mandatory in cases where it’s actually not needed, rather 
than making its use voluntary like the other enhancements, which I certainly 
support.

   -- Mike

From: Torsten Lodderstedt 
mailto:40lodderstedt@dmarc.ietf.org>>
Sent: Sunday, May 10, 2020 3:15 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Daniel Fett mailto:f...@danielfett.de>>; 
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike,

Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 schrieb am Fr. 8. Mai 2020 um 18:55:
OAuth 2.1 was supposed to not introduce breaking changes.
I cannot remember the WG met that decision. Can you please refer to the 
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you 
oppose against this as well?


If you want to do that, please do it in TxAuth instead.

Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
any enhancements/improvements to go into TXAuth? This would cause huge 
migration efforts for existing deployments wanting to benefit from those 
enhancements.

I think existing deployments are better served by actively maintaining and 
evolving the 2.x line. For example, PAR and RAR are attempts to improve OAuth 
2.x and make it usable for new use cases. That’s better protection of existing 
investments than sending them of to TXAuth.
Kind regards,
Torsten.


   -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change 
that affects OpenID Connect Core (just as our current recommendation on the 
usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when 
the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
understanding why you have to do something is key to compliance. The short 
version "PKCE protects the code; there is a specific case where it is not 
needed, but its better to use it all the time" is easy to understand. We will 
not see many implementations following the long version above correctly.

Second, we dramatically reduce technical complexity by reducing cases that need 
to be handled. We reduce correctness and compliance testing complexity in the 
same way. We reduce the cost of security analysis, which scales really badly to 
more cases.

And finally, using nonce to protect against code injection is less robust than 
PKCE. AS have a better track record than clients when it comes to correctly 
implementing security mechanisms.

Yes, this will make a n

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Dick Hardt]

Just as upgrading to OAuth 2.0 from OAuth 1.0 was voluntary, why is
upgrading to OAuth 2.1 not voluntary?

OAuth 2.0 obsoleted OAuth 1.0, just as OAuth 2.1 is obsoleting OAuth 2.1.
Our goal is for new deployments, that are reading the drafts, to use the
best practices.

If existing deployments don't want the advantages of a new version or
extension, there is nobody forcing them to upgrade -- hence my confusion on
your statement that it is "mandatory". Upgrading to OAuth 2.0 from OAuth
1.0 was not mandatory, and some deployments still use OAuth 1.0 today.



ᐧ

On Sun, May 10, 2020 at 12:51 PM Mike Jones 
wrote:

> If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0
> (RFC 6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC
> 5849) obsolete.  That’s what makes me think developers would view updating
> as mandatory.  If you’re willing to remove the “replaces 6749” clause from
> the draft, then there would be no perception problem, as it would be clear
> that adoption of 2.1 would be voluntary, just like the other extension
> specs.
>
>
>
> *From:* Dick Hardt 
> *Sent:* Sunday, May 10, 2020 12:38 PM
> *To:* Mike Jones 
> *Cc:* Torsten Lodderstedt ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as
> the other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth
> 2.0 was voluntary.
>
>
>
> Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?
>
>
>
>
>
> On Sun, May 10, 2020 at 12:02 PM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
> I agree with actively maintaining and improving the OAuth 2.0 specs by
> adding enhancements that are voluntary to use.  I’ve worked on many such
> improvements, including Dynamic Client Registration, Authorization
> Metadata, the Device Flow, Token Exchange, DPoP, and support PAR and RAR,
> etc.  The issue that’s the subject is the current discussion is whether to
> make use of another enhancement, PKCE, mandatory in cases where it’s
> actually not needed, rather than making its use voluntary like the other
> enhancements, which I certainly support.
>
>
>
>-- Mike
>
>
>
> *From:* Torsten Lodderstedt 
> *Sent:* Sunday, May 10, 2020 3:15 AM
> *To:* Mike Jones 
> *Cc:* Daniel Fett ; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hi Mike,
>
>
>
> Mike Jones  schrieb am Fr..
> 8. Mai 2020 um 18:55:
>
> OAuth 2.1 was supposed to not introduce breaking changes.
>
> I cannot remember the WG met that decision. Can you please refer to the
> respective thread?
>
>
>
> Requiring exact redirect URI matching is already a breaking change. Do you
> oppose against this as well?
>
>
>
>
>
> If you want to do that, please do it in TxAuth instead.
>
>
>
> Interesting statement. Does it mean you want to conserve OAuth 2.0 and
> force any enhancements/improvements to go into TXAuth? This would cause
> huge migration efforts for existing deployments wanting to benefit from
> those enhancements.
>
>
>
> I think existing deployments are better served by actively maintaining and
> evolving the 2.x line. For example, PAR and RAR are attempts to improve
> OAuth 2.x and make it usable for new use cases. That’s better protection of
> existing investments than sending them of to TXAuth.
>
> Kind regards,
>
> Torsten.
>
>
>
>
>
>-- Mike
>
>
>
> *From:* OAuth  *On Behalf Of *Daniel Fett
> *Sent:* Thursday, May 7, 2020 11:50 PM
> *To:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> +1 to all what Aaron said. Thanks for pointing this out!
>
>
>
> We need to address this in the security BCP and this will be a normative
> change that affects OpenID Connect Core (just as our current recommendation
> on the usage of nonce).
>
>
>
> We would then have:
>
>
>
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
> except if you are a public client, then you still need PKCE.
>
> - use state, except if you use PKCE, then you don't need state.
>
>
>
> I think there are very good reasons to simplify this down to
>
>
>
> - use PKCE
>
> - you may or may not use state
>
>
>
> First and foremost, not many people will understand why there are cases
> when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
> understanding *why* you have to do something is key to compliance. The
> short versio

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

If I’m not mistaken, the OAuth 2.1 draft is intended to make OAuth 2.0 (RFC 
6749) obsolete, just like OAuth 2.0 (RFC 6749) made OAuth 1.0 (RFC 5849) 
obsolete.  That’s what makes me think developers would view updating as 
mandatory.  If you’re willing to remove the “replaces 6749” clause from the 
draft, then there would be no perception problem, as it would be clear that 
adoption of 2.1 would be voluntary, just like the other extension specs.

From: Dick Hardt 
Sent: Sunday, May 10, 2020 12:38 PM
To: Mike Jones 
Cc: Torsten Lodderstedt ; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike, I would consider upgrading to OAuth 2.1 to be voluntary, just as the 
other extensions. Similarly, OAuth 1.0 deployments upgrading to OAuth 2.0 was 
voluntary.

Would you clarify why you think upgrading to OAuth 2.1 would be mandatory?


On Sun, May 10, 2020 at 12:02 PM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
I agree with actively maintaining and improving the OAuth 2.0 specs by adding 
enhancements that are voluntary to use.  I’ve worked on many such improvements, 
including Dynamic Client Registration, Authorization Metadata, the Device Flow, 
Token Exchange, DPoP, and support PAR and RAR, etc.  The issue that’s the 
subject is the current discussion is whether to make use of another 
enhancement, PKCE, mandatory in cases where it’s actually not needed, rather 
than making its use voluntary like the other enhancements, which I certainly 
support.

   -- Mike

From: Torsten Lodderstedt 
mailto:40lodderstedt@dmarc.ietf.org>>
Sent: Sunday, May 10, 2020 3:15 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Daniel Fett mailto:f...@danielfett.de>>; 
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hi Mike,

Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 schrieb am Fr. 8. Mai 2020 um 18:55:
OAuth 2.1 was supposed to not introduce breaking changes.
I cannot remember the WG met that decision. Can you please refer to the 
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you 
oppose against this as well?


If you want to do that, please do it in TxAuth instead.

Interesting statement. Does it mean you want to conserve OAuth 2.0 and force 
any enhancements/improvements to go into TXAuth? This would cause huge 
migration efforts for existing deployments wanting to benefit from those 
enhancements.

I think existing deployments are better served by actively maintaining and 
evolving the 2.x line. For example, PAR and RAR are attempts to improve OAuth 
2.x and make it usable for new use cases. That’s better protection of existing 
investments than sending them of to TXAuth.
Kind regards,
Torsten.


   -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change 
that affects OpenID Connect Core (just as our current recommendation on the 
usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when 
the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
understanding why you have to do something is key to compliance. The short 
version "PKCE protects the code; there is a specific case where it is not 
needed, but its better to use it all the time" is easy to understand. We will 
not see many implementations following the long version above correctly.

Second, we dramatically reduce technical complexity by reducing cases that need 
to be handled. We reduce correctness and compliance testing complexity in the 
same way. We reduce the cost of security analysis, which scales really badly to 
more cases.

And finally, using nonce to protect against code injection is less robust than 
PKCE. AS have a better track record than clients when it comes to correctly 
implementing security mechanisms.

Yes, this will make a number of implementations non-spec-compliant, but I do 
not think that this is a huge problem. Software needs to adapt all the time and 
a software that has not been changed in a while is probably not one you would 
want to use anyway. We are setting a new goal for implementations to meet and 
eventually, maintained implementations will get there.

-Daniel


Am 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

> Did I got it right that nonce does not protect public clients from code 
> theft/replay?

I believe that the OpenID Connect Code Hash (“c_hash”) claim protects against 
this.  I’d be interested in hearing John Bradley’s take on this.

   -- Mike

From: Torsten Lodderstedt 
Sent: Sunday, May 10, 2020 3:17 AM
To: Mike Jones 
Cc: Aaron Parecki ; Dick Hardt ; OAuth 
WG 
Subject: Re: OAuth 2.1 - require PKCE?

Mike Jones mailto:michael.jo...@microsoft.com>> 
schrieb am Sa. 9. Mai 2020 um 20:46:
There’s a huge ecosystem of successful, secure OAuth 2.0 and OpenID Connect 
deployments that we have the responsibility to be stewards of.  This working 
group should be proud of what it’s accomplished.  Part of good stewardship is 
not unnecessarily bifurcating the ecosystem into non-interoperable segments.  
OAuth 2.1 should facilitate the already secure OAuth 2.0 deployments remaining 
part of the interoperable OAuth 2.1 set of deployments – not intentionally 
doing the opposite.

If it ain’t broke, don’t fix it!
Did I got it right that nonce does not protect public clients from code 
theft/replay? I would consider this a security issue.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Friday, May 8, 2020 8:34 PM
To: OAuth WG mailto:oauth@ietf.org>>
Cc: Dick Hardt mailto:dick.ha...@gmail.com>>; Torsten 
Lodderstedt mailto:tors...@lodderstedt.net>>; Mike 
Jones mailto:michael.jo...@microsoft.com>>
Subject: Re: OAuth 2.1 - require PKCE?

Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
about “the amount of explanation this will take”.  That’s optimizing for spec 
simplicity – a goal that I do understand.  However, by writing these few 
sentences or paragraphs, we’ll make it clear to developers that hundreds or 
thousands of deployed OpenID Connect RPs won’t have to change their 
deployments.  That’s optimizing for interoperability and minimizing the burden 
on developers, which are far more important.

I appreciate the concern about optimizing for spec simplicity. I also agree 
that spec simplicity should not necessarily be the driving goal.

However, what you've described is the opposite of interoperability and 
minimizing the burden on developers. Requiring PKCE in OAuth 2.1, without any 
exceptions, will optimize for interoperability between OAuth 2.1 clients and 
servers. Without the requirement of PKCE, there will always be the question of 
"but does this OAuth 2.1 client work with this OAuth 2.1 server or not?", which 
will only be able to be answered by investigating the docs to look for PKCE 
support, or by checking the AS metadata document if it publishes one (which it 
is not required to do).

Optimizing for interoperability and minimizing the burden on developers is 
absolutely a good goal, and requiring PKCE is a great way to accomplish that. 
OAuth 2.0 and OpenID Connect implementations that don't support PKCE will 
continue to work as they currently do, they just won't be able to call 
themselves OAuth 2.1 compliant, just as is the case as if they don't follow the 
other recommendations that are in OAuth 2.1 and the Security BCP.

Aaron


On Thu, May 7, 2020 at 6:42 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
about “the amount of explanation this will take”.  That’s optimizing for spec 
simplicity – a goal that I do understand.  However, by writing these few 
sentences or paragraphs, we’ll make it clear to developers that hundreds or 
thousands of deployed OpenID Connect RPs won’t have to change their 
deployments.  That’s optimizing for interoperability and minimizing the burden 
on developers, which are far more important.

As Brian Campbell wrote, “They are not equivalent and have very different 
ramifications on interoperability”.

Even if you’re optimizing for writing, taking a minimally invasive protocol 
change approach will optimize that, overall.  If we proceed as you’re 
suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
SlashDot, blogs, and other developer forums, where confused developers will ask 
“Why do I have to change my deployed code?” with the answers being “Despite 
what the 2.1 spec says, there’s no need to change your deployed code.”

I’d gladly write a few sentences in our new specs now to prevent ongoing 
confusion and interop problems that would otherwise result.  Let me know when 
you’re ready to incorporate them into the spec text.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Thursday, May 7, 2020 4:39 PM
To: Dick Hardt mailto:dick.ha...@gmail.com>>
Cc: OAuth WG mailto:oauth@ietf.org>>; Torsten Lodderstedt 
mailto:tors...@lodderstedt.net>>; Mike Jones 
mailto:michael.jo...@microsoft.com>>
Subject: Re: OAuth 2.1 - require PKCE?

Backing up a 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Torsten Lodderstedt]

Mike Jones  schrieb am Sa. 9. Mai 2020 um
20:46:

> There’s a huge ecosystem of successful, secure OAuth 2.0 and OpenID
> Connect deployments that we have the responsibility to be stewards of.
> This working group should be proud of what it’s accomplished.  Part of good
> stewardship is not unnecessarily bifurcating the ecosystem into
> non-interoperable segments.  OAuth 2.1 should facilitate the already secure
> OAuth 2.0 deployments remaining part of the interoperable OAuth 2.1 set of
> deployments – not intentionally doing the opposite.
>
>
>
> If it ain’t broke, don’t fix it!
>
Did I got it right that nonce does not protect public clients from code
theft/replay? I would consider this a security issue.

>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Friday, May 8, 2020 8:34 PM
> *To:* OAuth WG 
> *Cc:* Dick Hardt ; Torsten Lodderstedt <
> tors...@lodderstedt.net>; Mike Jones 
> *Subject:* Re: OAuth 2.1 - require PKCE?
>
>
>
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re
> concerned about “the amount of explanation this will take”.  That’s
> optimizing for spec simplicity – a goal that I do understand.  However, by
> writing these few sentences or paragraphs, we’ll make it clear to
> developers that hundreds or thousands of deployed OpenID Connect RPs won’t
> have to change their deployments.  That’s optimizing for interoperability
> and minimizing the burden on developers, which are far more important.
>
>
>
> I appreciate the concern about optimizing for spec simplicity. I also
> agree that spec simplicity should not necessarily be the driving goal.
>
>
>
> However, what you've described is the opposite of interoperability and
> minimizing the burden on developers. Requiring PKCE in OAuth 2.1, without
> any exceptions, will optimize for interoperability between OAuth 2.1
> clients and servers. Without the requirement of PKCE, there will always be
> the question of "but does this OAuth 2.1 client work with this OAuth 2.1
> server or not?", which will only be able to be answered by investigating
> the docs to look for PKCE support, or by checking the AS metadata document
> if it publishes one (which it is not required to do).
>
>
>
> Optimizing for interoperability and minimizing the burden on developers is
> absolutely a good goal, and requiring PKCE is a great way to accomplish
> that. OAuth 2.0 and OpenID Connect implementations that don't support PKCE
> will continue to work as they currently do, they just won't be able to call
> themselves OAuth 2.1 compliant, just as is the case as if they don't follow
> the other recommendations that are in OAuth 2.1 and the Security BCP.
>
>
>
> Aaron
>
>
>
>
>
> On Thu, May 7, 2020 at 6:42 PM Mike Jones 
> wrote:
>
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re
> concerned about “the amount of explanation this will take”.  That’s
> optimizing for spec simplicity – a goal that I do understand.  However, by
> writing these few sentences or paragraphs, we’ll make it clear to
> developers that hundreds or thousands of deployed OpenID Connect RPs won’t
> have to change their deployments.  That’s optimizing for interoperability
> and minimizing the burden on developers, which are far more important.
>
>
>
> As Brian Campbell wrote, “They are not equivalent and have very different
> ramifications on interoperability”.
>
>
>
> Even if you’re optimizing for writing, taking a minimally invasive
> protocol change approach will optimize that, overall.  If we proceed as
> you’re suggesting, a huge amount of writing will occur on StackOverflow,
> Medium, SlashDot, blogs, and other developer forums, where confused
> developers will ask “Why do I have to change my deployed code?” with the
> answers being “Despite what the 2.1 spec says, there’s no need to change
> your deployed code.”
>
>
>
> I’d gladly write a few sentences in our new specs now to prevent ongoing
> confusion and interop problems that would otherwise result.  Let me know
> when you’re ready to incorporate them into the spec text.
>
>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Thursday, May 7, 2020 4:39 PM
> *To:* Dick Hardt 
> *Cc:* OAuth WG ; Torsten Lodderstedt <
> tors...@lodderstedt.net>; Mike Jones 
> *Subject:* Re: OAuth 2.1 - require PKCE?
>
>
>
> Backing up a step or two, there's another point here that I think has been
> missed in these discussions.
>
>
>
> PKCE solves two problems: stolen authorization codes for public clients,
> and authorization code injection for all clients. We've only been talking
> about authorization code injection on the list so far. The quoted section
> of the security BCP (4.5.3) which says clients can do PKCE or use the
> nonce, is only talking about preventing authorization code injection.
>
>
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Torsten Lodderstedt]

Hi Mike,

Mike Jones  schrieb am Fr. 8.
Mai 2020 um 18:55:

> OAuth 2.1 was supposed to not introduce breaking changes.
>
I cannot remember the WG met that decision. Can you please refer to the
respective thread?

Requiring exact redirect URI matching is already a breaking change. Do you
oppose against this as well?


If you want to do that, please do it in TxAuth instead.
>

Interesting statement. Does it mean you want to conserve OAuth 2.0 and
force any enhancements/improvements to go into TXAuth? This would cause
huge migration efforts for existing deployments wanting to benefit from
those enhancements.

I think existing deployments are better served by actively maintaining and
evolving the 2.x line. For example, PAR and RAR are attempts to improve
OAuth 2.x and make it usable for new use cases. That’s better protection of
existing investments than sending them of to TXAuth.

> Kind regards,
Torsten.


>
>-- Mike
>
>
>
> *From:* OAuth  *On Behalf Of * Daniel Fett
> *Sent:* Thursday, May 7, 2020 11:50 PM
> *To:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> +1 to all what Aaron said. Thanks for pointing this out!
>
>
>
> We need to address this in the security BCP and this will be a normative
> change that affects OpenID Connect Core (just as our current recommendation
> on the usage of nonce).
>
>
>
> We would then have:
>
>
>
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE,
> except if you are a public client, then you still need PKCE.
>
> - use state, except if you use PKCE, then you don't need state.
>
>
>
> I think there are very good reasons to simplify this down to
>
>
>
> - use PKCE
>
> - you may or may not use state
>
>
>
> First and foremost, not many people will understand why there are cases
> when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
> understanding *why* you have to do something is key to compliance. The
> short version "PKCE protects the code; there is a specific case where it is
> not needed, but its better to use it all the time" is easy to understand.
> We will not see many implementations following the long version above
> correctly.
>
>
>
> Second, we dramatically reduce technical complexity by reducing cases that
> need to be handled. We reduce correctness and compliance testing complexity
> in the same way. We reduce the cost of security analysis, which scales
> really badly to more cases.
>
>
>
> And finally, using nonce to protect against code injection is less robust
> than PKCE. AS have a better track record than clients when it comes to
> correctly implementing security mechanisms.
>
>
>
> Yes, this will make a number of implementations non-spec-compliant, but I
> do not think that this is a huge problem. Software needs to adapt all the
> time and a software that has not been changed in a while is probably not
> one you would want to use anyway. We are setting a new goal for
> implementations to meet and eventually, maintained implementations will get
> there.
>
>
>
> -Daniel
>
>
>
>
>
> Am 08.05.20 um 01:38 schrieb Aaron Parecki:
>
> Backing up a step or two, there's another point here that I think has been
> missed in these discussions.
>
>
>
> PKCE solves two problems: stolen authorization codes for public clients,
> and authorization code injection for all clients. We've only been talking
> about authorization code injection on the list so far. The quoted section
> of the security BCP (4.5.3) which says clients can do PKCE or use the
> nonce, is only talking about preventing authorization code injection.
>
>
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public clients using the nonce parameter are still
> susceptible to stolen authorization codes so they still need to do PKCE as
> well.
>
>
>
> The only case where OpenID Connect clients don't benefit from PKCE is if
> they are also confidential clients. Public client OIDC clients still need
> to do PKCE even if they check the nonce.
>
>
>
> OpenID Connect servers working with confidential clients still benefit
> from PKCE because they can then enforce the authorization code injection
> protection server-side rather than cross their fingers that clients
> implemented the nonce check properly.
>
>
>
> I really don't think it's worth the amount of explanation this will take
> in the future to write an exception into OAuth 2.1 or the Security BCP for
> only some types of OpenID Connect clients when all clients would benefit
> from PKCE anyway.
>

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

There’s a huge ecosystem of successful, secure OAuth 2.0 and OpenID Connect 
deployments that we have the responsibility to be stewards of.  This working 
group should be proud of what it’s accomplished.  Part of good stewardship is 
not unnecessarily bifurcating the ecosystem into non-interoperable segments.  
OAuth 2.1 should facilitate the already secure OAuth 2.0 deployments remaining 
part of the interoperable OAuth 2.1 set of deployments – not intentionally 
doing the opposite.

If it ain’t broke, don’t fix it!

   -- Mike

From: Aaron Parecki 
Sent: Friday, May 8, 2020 8:34 PM
To: OAuth WG 
Cc: Dick Hardt ; Torsten Lodderstedt 
; Mike Jones 
Subject: Re: OAuth 2.1 - require PKCE?

Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
about “the amount of explanation this will take”.  That’s optimizing for spec 
simplicity – a goal that I do understand.  However, by writing these few 
sentences or paragraphs, we’ll make it clear to developers that hundreds or 
thousands of deployed OpenID Connect RPs won’t have to change their 
deployments.  That’s optimizing for interoperability and minimizing the burden 
on developers, which are far more important.

I appreciate the concern about optimizing for spec simplicity. I also agree 
that spec simplicity should not necessarily be the driving goal.

However, what you've described is the opposite of interoperability and 
minimizing the burden on developers. Requiring PKCE in OAuth 2.1, without any 
exceptions, will optimize for interoperability between OAuth 2.1 clients and 
servers. Without the requirement of PKCE, there will always be the question of 
"but does this OAuth 2.1 client work with this OAuth 2.1 server or not?", which 
will only be able to be answered by investigating the docs to look for PKCE 
support, or by checking the AS metadata document if it publishes one (which it 
is not required to do).

Optimizing for interoperability and minimizing the burden on developers is 
absolutely a good goal, and requiring PKCE is a great way to accomplish that. 
OAuth 2.0 and OpenID Connect implementations that don't support PKCE will 
continue to work as they currently do, they just won't be able to call 
themselves OAuth 2.1 compliant, just as is the case as if they don't follow the 
other recommendations that are in OAuth 2.1 and the Security BCP.

Aaron


On Thu, May 7, 2020 at 6:42 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
about “the amount of explanation this will take”.  That’s optimizing for spec 
simplicity – a goal that I do understand.  However, by writing these few 
sentences or paragraphs, we’ll make it clear to developers that hundreds or 
thousands of deployed OpenID Connect RPs won’t have to change their 
deployments.  That’s optimizing for interoperability and minimizing the burden 
on developers, which are far more important.

As Brian Campbell wrote, “They are not equivalent and have very different 
ramifications on interoperability”.

Even if you’re optimizing for writing, taking a minimally invasive protocol 
change approach will optimize that, overall.  If we proceed as you’re 
suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
SlashDot, blogs, and other developer forums, where confused developers will ask 
“Why do I have to change my deployed code?” with the answers being “Despite 
what the 2.1 spec says, there’s no need to change your deployed code.”

I’d gladly write a few sentences in our new specs now to prevent ongoing 
confusion and interop problems that would otherwise result.  Let me know when 
you’re ready to incorporate them into the spec text.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Thursday, May 7, 2020 4:39 PM
To: Dick Hardt mailto:dick.ha...@gmail.com>>
Cc: OAuth WG mailto:oauth@ietf.org>>; Torsten Lodderstedt 
mailto:tors...@lodderstedt.net>>; Mike Jones 
mailto:michael.jo...@microsoft.com>>
Subject: Re: OAuth 2.1 - require PKCE?

Backing up a step or two, there's another point here that I think has been 
missed in these discussions.

PKCE solves two problems: stolen authorization codes for public clients, and 
authorization code injection for all clients. We've only been talking about 
authorization code injection on the list so far. The quoted section of the 
security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only 
talking about preventing authorization code injection.

The nonce parameter solves authorization code injection if the client requests 
an ID token. Public clients using the nonce parameter are still susceptible to 
stolen authorization codes so they still need to do PKCE as well.

The only case where OpenID Connect clients don't benefit from PKCE is if they 
are also confidential clients. Public client OIDC clients 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Aaron Parecki]

>
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re
> concerned about “the amount of explanation this will take”.  That’s
> optimizing for spec simplicity – a goal that I do understand.  However, by
> writing these few sentences or paragraphs, we’ll make it clear to
> developers that hundreds or thousands of deployed OpenID Connect RPs won’t
> have to change their deployments.  That’s optimizing for interoperability
> and minimizing the burden on developers, which are far more important.


I appreciate the concern about optimizing for spec simplicity. I also agree
that spec simplicity should not necessarily be the driving goal.

However, what you've described is the opposite of interoperability and
minimizing the burden on developers. Requiring PKCE in OAuth 2.1, without
any exceptions, will optimize for interoperability between OAuth 2.1
clients and servers. Without the requirement of PKCE, there will always be
the question of "but does this OAuth 2.1 client work with this OAuth 2.1
server or not?", which will only be able to be answered by investigating
the docs to look for PKCE support, or by checking the AS metadata document
if it publishes one (which it is not required to do).

Optimizing for interoperability and minimizing the burden on developers is
absolutely a good goal, and requiring PKCE is a great way to accomplish
that. OAuth 2.0 and OpenID Connect implementations that don't support PKCE
will continue to work as they currently do, they just won't be able to call
themselves OAuth 2.1 compliant, just as is the case as if they don't follow
the other recommendations that are in OAuth 2.1 and the Security BCP.

Aaron


On Thu, May 7, 2020 at 6:42 PM Mike Jones 
wrote:

> Aaron, I believe you’re trying to optimize the wrong thing.  You’re
> concerned about “the amount of explanation this will take”.  That’s
> optimizing for spec simplicity – a goal that I do understand.  However, by
> writing these few sentences or paragraphs, we’ll make it clear to
> developers that hundreds or thousands of deployed OpenID Connect RPs won’t
> have to change their deployments.  That’s optimizing for interoperability
> and minimizing the burden on developers, which are far more important.
>
>
>
> As Brian Campbell wrote, “They are not equivalent and have very different
> ramifications on interoperability”.
>
>
>
> Even if you’re optimizing for writing, taking a minimally invasive
> protocol change approach will optimize that, overall.  If we proceed as
> you’re suggesting, a huge amount of writing will occur on StackOverflow,
> Medium, SlashDot, blogs, and other developer forums, where confused
> developers will ask “Why do I have to change my deployed code?” with the
> answers being “Despite what the 2.1 spec says, there’s no need to change
> your deployed code.”
>
>
>
> I’d gladly write a few sentences in our new specs now to prevent ongoing
> confusion and interop problems that would otherwise result.  Let me know
> when you’re ready to incorporate them into the spec text.
>
>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Thursday, May 7, 2020 4:39 PM
> *To:* Dick Hardt 
> *Cc:* OAuth WG ; Torsten Lodderstedt <
> tors...@lodderstedt.net>; Mike Jones 
> *Subject:* Re: OAuth 2.1 - require PKCE?
>
>
>
> Backing up a step or two, there's another point here that I think has been
> missed in these discussions.
>
>
>
> PKCE solves two problems: stolen authorization codes for public clients,
> and authorization code injection for all clients. We've only been talking
> about authorization code injection on the list so far. The quoted section
> of the security BCP (4.5.3) which says clients can do PKCE or use the
> nonce, is only talking about preventing authorization code injection.
>
>
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public clients using the nonce parameter are still
> susceptible to stolen authorization codes so they still need to do PKCE as
> well.
>
>
>
> The only case where OpenID Connect clients don't benefit from PKCE is if
> they are also confidential clients. Public client OIDC clients still need
> to do PKCE even if they check the nonce.
>
>
>
> OpenID Connect servers working with confidential clients still benefit
> from PKCE because they can then enforce the authorization code injection
> protection server-side rather than cross their fingers that clients
> implemented the nonce check properly.
>
>
>
> I really don't think it's worth the amount of explanation this will take
> in the future to write an exception into OAuth 2.1 or the Security BCP for
> only some types of OpenID Connect clients when all clients would benefit
> from PKCE anyway.
>
>
>
> Aaron
>
>
>
>
>
>
>
> On Wed, May 6, 2020 at 10:48 AM Dick Hardt  wrote:
>
> Hello!
>
>
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

Actually, the first paragraph of the Security BCP section at 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1, 
which has gone through WGLC, includes the use of “nonce” to prevent 
authorization code injection as a best practice.  That’s already a pretty 
strong stamp of approval by the OAuth working group.

   -- Mike

From: Phillip Hunt 
Sent: Friday, May 8, 2020 12:45 PM
To: Dick Hardt 
Cc: Philippe De Ryck ; Mike Jones 
; OAuth WG 
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

We are not discussing anything new here. We are discussing adoption of best 
practice.

The disconnect appears to be that one dependent standard’s “typical” use 
(nonces) does not have the ietf consensus as best practice.

This lack of consensus needs to be resolved.

Phil


On May 8, 2020, at 12:37 PM, Dick Hardt 
mailto:dick.ha...@gmail.com>> wrote:

FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is OAuth 
2.0 with best practices.

On Thu, May 7, 2020 at 10:36 PM Philippe De Ryck 
mailto:phili...@pragmaticwebsecurity.com>> 
wrote:
From working with a lot of developers on understanding OAuth 2.0 and OIDC, I 
definitely vote for simplicity. Understanding the subtle nuances of when a 
nonce is fine and when PKCE should be used is impossible without in-depth 
knowledge of the flows and their properties. Misunderstandings will cause 
security vulnerabilities, which can easily be avoided.

Since OAuth 2.1 is a separate spec, I don’t really see a problem with existing 
code not being compliant. They support OAuth 2.0, and if they want to be OAuth 
2.1 compliant, they add PKCE. If I’m not mistaken, other requirements of OAuth 
2.1 would also clash with existing deployments (e.g., using non-exact redirect 
URIs).

I believe that optimizing for making OAuth 2.1 easier to understand will yield 
the highest return.

Philippe



On 8 May 2020, at 03:42, Mike Jones 
mailto:Michael.Jones=40microsoft@dmarc.ietf.org>>
 wrote:

Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
about “the amount of explanation this will take”.  That’s optimizing for spec 
simplicity – a goal that I do understand.  However, by writing these few 
sentences or paragraphs, we’ll make it clear to developers that hundreds or 
thousands of deployed OpenID Connect RPs won’t have to change their 
deployments.  That’s optimizing for interoperability and minimizing the burden 
on developers, which are far more important.

As Brian Campbell wrote, “They are not equivalent and have very different 
ramifications on interoperability”.

Even if you’re optimizing for writing, taking a minimally invasive protocol 
change approach will optimize that, overall.  If we proceed as you’re 
suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
SlashDot, blogs, and other developer forums, where confused developers will ask 
“Why do I have to change my deployed code?” with the answers being “Despite 
what the 2.1 spec says, there’s no need to change your deployed code.”

I’d gladly write a few sentences in our new specs now to prevent ongoing 
confusion and interop problems that would otherwise result.  Let me know when 
you’re ready to incorporate them into the spec text.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Thursday, May 7, 2020 4:39 PM
To: Dick Hardt mailto:dick.ha...@gmail.com>>
Cc: OAuth WG mailto:oauth@ietf.org>>; Torsten Lodderstedt 
mailto:tors...@lodderstedt..net>>; Mike Jones 
mailto:michael.jo...@microsoft.com>>
Subject: Re: OAuth 2.1 - require PKCE?

Backing up a step or two, there's another point here that I think has been 
missed in these discussions.

PKCE solves two problems: stolen authorization codes for public clients, and 
authorization code injection for all clients. We've only been talking about 
authorization code injection on the list so far. The quoted section of the 
security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only 
talking about preventing authorization code injection.

The nonce parameter solves authorization code injection if the client requests 
an ID token. Public clients using the nonce parameter are still susceptible to 
stolen authorization codes so they still need to do PKCE as well.

The only case where OpenID Connect clients don't benefit from PKCE is if they 
are also confidential clients. Public client OIDC clients still need to do PKCE 
even if they check the nonce.

OpenID Connect servers working with confidential clients still benefit from 
PKCE because they can then enforce the authorization code injection protection 
server-side rather than cross their fingers that clients implemented the nonce 
check properly.

I really don't think it's worth the amount of explanation this will take in the 
future to write an exception into OA

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Dick Hardt]

On Fri, May 8, 2020 at 12:42 PM Aaron Parecki  wrote:

> > FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is
> OAuth 2.0 with best practices.
>
> The line there is kind of fuzzy. The objective is not to introduce new
> concepts, however there are some changes defined that are "breaking
> changes" from plain OAuth 2.0, because those things being removed were not
> best practices for example.
>

I was clarifying that OAuth 2.1 is not introducing new features, for eg.
the WebSocket support question.

I think we can say that:

An OAuth 2.0 compliant deployment following "best practices" is also an
OAuth 2.1 compliant deployment.

This thread is a discussion of what "best practices" is.
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Phillip Hunt]

We are not discussing anything new here. We are discussing adoption of best 
practice. 

The disconnect appears to be that one dependent standard’s “typical” use 
(nonces) does not have the ietf consensus as best practice. 

This lack of consensus needs to be resolved. 

Phil

> On May 8, 2020, at 12:37 PM, Dick Hardt  wrote:
> 
> 
> FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is 
> OAuth 2.0 with best practices. 
> 
>> On Thu, May 7, 2020 at 10:36 PM Philippe De Ryck 
>>  wrote:
>> From working with a lot of developers on understanding OAuth 2.0 and OIDC, I 
>> definitely vote for simplicity. Understanding the subtle nuances of when a 
>> nonce is fine and when PKCE should be used is impossible without in-depth 
>> knowledge of the flows and their properties. Misunderstandings will cause 
>> security vulnerabilities, which can easily be avoided.
>> 
>> Since OAuth 2.1 is a separate spec, I don’t really see a problem with 
>> existing code not being compliant. They support OAuth 2.0, and if they want 
>> to be OAuth 2.1 compliant, they add PKCE. If I’m not mistaken, other 
>> requirements of OAuth 2.1 would also clash with existing deployments (e..g., 
>> using non-exact redirect URIs).
>> 
>> I believe that optimizing for making OAuth 2.1 easier to understand will 
>> yield the highest return.
>> 
>> Philippe
>> 
>> 
>>> On 8 May 2020, at 03:42, Mike Jones 
>>>  wrote:
>>> 
>>> Aaron, I believe you’re trying to optimize the wrong thing.  You’re 
>>> concerned about “the amount of explanation this will take”.  That’s 
>>> optimizing for spec simplicity – a goal that I do understand.  However, by 
>>> writing these few sentences or paragraphs, we’ll make it clear to 
>>> developers that hundreds or thousands of deployed OpenID Connect RPs won’t 
>>> have to change their deployments.  That’s optimizing for interoperability 
>>> and minimizing the burden on developers, which are far more important.
>>>  
>>> As Brian Campbell wrote, “They are not equivalent and have very different 
>>> ramifications on interoperability”.
>>>  
>>> Even if you’re optimizing for writing, taking a minimally invasive protocol 
>>> change approach will optimize that, overall.  If we proceed as you’re 
>>> suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
>>> SlashDot, blogs, and other developer forums, where confused developers will 
>>> ask “Why do I have to change my deployed code?” with the answers being 
>>> “Despite what the 2.1 spec says, there’s no need to change your deployed 
>>> code.”
>>>  
>>> I’d gladly write a few sentences in our new specs now to prevent ongoing 
>>> confusion and interop problems that would otherwise result.  Let me know 
>>> when you’re ready to incorporate them into the spec text.
>>>  
>>>-- Mike
>>>  
>>> From: Aaron Parecki  
>>> Sent: Thursday, May 7, 2020 4:39 PM
>>> To: Dick Hardt 
>>> Cc: OAuth WG ; Torsten Lodderstedt 
>>> ; Mike Jones 
>>> Subject: Re: OAuth 2.1 - require PKCE?
>>>  
>>> Backing up a step or two, there's another point here that I think has been 
>>> missed in these discussions.
>>>  
>>> PKCE solves two problems: stolen authorization codes for public clients, 
>>> and authorization code injection for all clients. We've only been talking 
>>> about authorization code injection on the list so far. The quoted section 
>>> of the security BCP (4.5.3) which says clients can do PKCE or use the 
>>> nonce, is only talking about preventing authorization code injection.
>>>  
>>> The nonce parameter solves authorization code injection if the client 
>>> requests an ID token. Public clients using the nonce parameter are still 
>>> susceptible to stolen authorization codes so they still need to do PKCE as 
>>> well.
>>>  
>>> The only case where OpenID Connect clients don't benefit from PKCE is if 
>>> they are also confidential clients. Public client OIDC clients still need 
>>> to do PKCE even if they check the nonce.
>>>  
>>> OpenID Connect servers working with confidential clients still benefit from 
>>> PKCE because they can then enforce the authorization code injection 
>>> protection server-side rather than cross their fingers that clients 
>>> implemented the nonce check properly.
>>>  
>>> I really don't think it's worth the amount of explanation this will take in 
>>> the future to write an exception into OAuth 2.1 or the Security BCP for 
>>> only some types of OpenID Connect clients when all clients would benefit 
>>> from PKCE anyway.
>>>  
>>> Aaron
>>>  
>>>  
>>>  
>>> On Wed, May 6, 2020 at 10:48 AM Dick Hardt  wrote:
>>> Hello!
>>>  
>>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
>>> practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
>>> nonce solves some of the issues that PKCE protects against. We think that 
>>> most OpenID Connect implementations also support OAuth 2.0, and hence have 
>>> 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Aaron Parecki]

> FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is
OAuth 2.0 with best practices.

The line there is kind of fuzzy. The objective is not to introduce new
concepts, however there are some changes defined that are "breaking
changes" from plain OAuth 2.0, because those things being removed were not
best practices for example.

> Understanding the subtle nuances of when a nonce is fine and when PKCE
should be used is impossible without in-depth knowledge of the flows and
their properties. Misunderstandings will cause security vulnerabilities,
which can easily be avoided.

Thank you Philippe. And yes, many existing OAuth 2.0 deployments would
already need to change in order to be compliant with OAuth 2.1, just like
they would need to change to update to the latest recommendations of the
Security BCP.


On Fri, May 8, 2020 at 12:36 PM Dick Hardt  wrote:

> FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is
> OAuth 2.0 with best practices.
>
> On Thu, May 7, 2020 at 10:36 PM Philippe De Ryck <
> phili...@pragmaticwebsecurity.com> wrote:
>
>> From working with a lot of developers on understanding OAuth 2.0 and
>> OIDC, I definitely vote for simplicity. Understanding the subtle nuances of
>> when a nonce is fine and when PKCE should be used is impossible without
>> in-depth knowledge of the flows and their properties. Misunderstandings
>> will cause security vulnerabilities, which can easily be avoided.
>>
>> Since OAuth 2.1 is a separate spec, I don’t really see a problem with
>> existing code not being compliant. They support OAuth 2.0, and if they want
>> to be OAuth 2.1 compliant, they add PKCE. If I’m not mistaken, other
>> requirements of OAuth 2.1 would also clash with existing deployments (e.g.,
>> using non-exact redirect URIs).
>>
>> I believe that optimizing for making OAuth 2.1 easier to understand will
>> yield the highest return.
>>
>> Philippe
>>
>>
>> On 8 May 2020, at 03:42, Mike Jones <
>> Michael.Jones=40microsoft@dmarc.ietf.org> wrote:
>>
>> Aaron, I believe you’re trying to optimize the wrong thing.  You’re
>> concerned about “the amount of explanation this will take”.  That’s
>> optimizing for spec simplicity – a goal that I do understand.  However, by
>> writing these few sentences or paragraphs, we’ll make it clear to
>> developers that hundreds or thousands of deployed OpenID Connect RPs won’t
>> have to change their deployments.  That’s optimizing for interoperability
>> and minimizing the burden on developers, which are far more important.
>>
>> As Brian Campbell wrote, “They are not equivalent and have very
>> different ramifications on interoperability”.
>>
>> Even if you’re optimizing for writing, taking a minimally invasive
>> protocol change approach will optimize that, overall.  If we proceed as
>> you’re suggesting, a huge amount of writing will occur on StackOverflow,
>> Medium, SlashDot, blogs, and other developer forums, where confused
>> developers will ask “Why do I have to change my deployed code?” with the
>> answers being “Despite what the 2.1 spec says, there’s no need to change
>> your deployed code.”
>>
>> I’d gladly write a few sentences in our new specs now to prevent ongoing
>> confusion and interop problems that would otherwise result.  Let me know
>> when you’re ready to incorporate them into the spec text.
>>
>>-- Mike
>>
>> *From:* Aaron Parecki 
>> *Sent:* Thursday, May 7, 2020 4:39 PM
>> *To:* Dick Hardt 
>> *Cc:* OAuth WG ; Torsten Lodderstedt <
>> tors...@lodderstedt.net>; Mike Jones 
>> *Subject:* Re: OAuth 2.1 - require PKCE?
>>
>> Backing up a step or two, there's another point here that I think has
>> been missed in these discussions.
>>
>> PKCE solves two problems: stolen authorization codes for public clients,
>> and authorization code injection for all clients. We've only been talking
>> about authorization code injection on the list so far. The quoted section
>> of the security BCP (4.5.3) which says clients can do PKCE or use the
>> nonce, is only talking about preventing authorization code injection.
>>
>> The nonce parameter solves authorization code injection if the client
>> requests an ID token. Public clients using the nonce parameter are still
>> susceptible to stolen authorization codes so they still need to do PKCE as
>> well.
>>
>> The only case where OpenID Connect clients don't benefit from PKCE is if
>> they are also confidential clients. Public client OIDC clients still need
>> to do PKCE even if they check the nonce.
>>
>> OpenID Connect servers working with confidential clients still benefit
>> from PKCE because they can then enforce the authorization code injection
>> protection server-side rather than cross their fingers that clients
>> implemented the nonce check properly.
>>
>> I really don't think it's worth the amount of explanation this will take
>> in the future to write an exception into OAuth 2.1 or the Security BCP for

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Dick Hardt]

FYI: An objective of OAuth 2.1 is not to introduce anything new -- it is
OAuth 2.0 with best practices.

On Thu, May 7, 2020 at 10:36 PM Philippe De Ryck <
phili...@pragmaticwebsecurity.com> wrote:

> From working with a lot of developers on understanding OAuth 2.0 and OIDC,
> I definitely vote for simplicity. Understanding the subtle nuances of when
> a nonce is fine and when PKCE should be used is impossible without in-depth
> knowledge of the flows and their properties. Misunderstandings will cause
> security vulnerabilities, which can easily be avoided.
>
> Since OAuth 2.1 is a separate spec, I don’t really see a problem with
> existing code not being compliant. They support OAuth 2.0, and if they want
> to be OAuth 2.1 compliant, they add PKCE. If I’m not mistaken, other
> requirements of OAuth 2.1 would also clash with existing deployments (e.g..,
> using non-exact redirect URIs).
>
> I believe that optimizing for making OAuth 2.1 easier to understand will
> yield the highest return.
>
> Philippe
>
>
> On 8 May 2020, at 03:42, Mike Jones <
> Michael.Jones=40microsoft@dmarc.ietf.org> wrote:
>
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re
> concerned about “the amount of explanation this will take”.  That’s
> optimizing for spec simplicity – a goal that I do understand.  However, by
> writing these few sentences or paragraphs, we’ll make it clear to
> developers that hundreds or thousands of deployed OpenID Connect RPs won’t
> have to change their deployments.  That’s optimizing for interoperability
> and minimizing the burden on developers, which are far more important.
>
> As Brian Campbell wrote, “They are not equivalent and have very different
> ramifications on interoperability”.
>
> Even if you’re optimizing for writing, taking a minimally invasive
> protocol change approach will optimize that, overall.  If we proceed as
> you’re suggesting, a huge amount of writing will occur on StackOverflow,
> Medium, SlashDot, blogs, and other developer forums, where confused
> developers will ask “Why do I have to change my deployed code?” with the
> answers being “Despite what the 2.1 spec says, there’s no need to change
> your deployed code.”
>
> I’d gladly write a few sentences in our new specs now to prevent ongoing
> confusion and interop problems that would otherwise result.  Let me know
> when you’re ready to incorporate them into the spec text.
>
>-- Mike
>
> *From:* Aaron Parecki 
> *Sent:* Thursday, May 7, 2020 4:39 PM
> *To:* Dick Hardt 
> *Cc:* OAuth WG ; Torsten Lodderstedt <
> tors...@lodderstedt.net>; Mike Jones 
> *Subject:* Re: OAuth 2.1 - require PKCE?
>
> Backing up a step or two, there's another point here that I think has been
> missed in these discussions.
>
> PKCE solves two problems: stolen authorization codes for public clients,
> and authorization code injection for all clients. We've only been talking
> about authorization code injection on the list so far. The quoted section
> of the security BCP (4.5.3) which says clients can do PKCE or use the
> nonce, is only talking about preventing authorization code injection.
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public clients using the nonce parameter are still
> susceptible to stolen authorization codes so they still need to do PKCE as
> well.
>
> The only case where OpenID Connect clients don't benefit from PKCE is if
> they are also confidential clients. Public client OIDC clients still need
> to do PKCE even if they check the nonce.
>
> OpenID Connect servers working with confidential clients still benefit
> from PKCE because they can then enforce the authorization code injection
> protection server-side rather than cross their fingers that clients
> implemented the nonce check properly.
>
> I really don't think it's worth the amount of explanation this will take
> in the future to write an exception into OAuth 2.1 or the Security BCP for
> only some types of OpenID Connect clients when all clients would benefit
> from PKCE anyway.
>
> Aaron
>
>
>
> On Wed, May 6, 2020 at 10:48 AM Dick Hardt  wrote:
>
> Hello!
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the
> nonce solves some of the issues that PKCE protects against. We think that
> most OpenID Connect implementations also support OAuth 2.0, and hence have
> support for PKCE if following best practices.
>
> The advantages or requiring PKCE are:
>
> - a simpler programming model across all OAuth applications and profiles
> as they all use PKCE
>
> - reduced attack surface when using  S256 as a fingerprint of the verifier
> is sent through the browser instead of the clear text value
>
> - enforcement by AS not client - makes it easier to handle for client
> developers and AS can ensure the check is conducted
>
> What are disadvantages 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

Daniel, you wrote:
> We would then have:
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
> except if you are a public client, then you still need PKCE.
> - use state, except if you use PKCE, then you don't need state.

I believe that this is an accurate statement of the facts, balancing 
interoperability and simplicity.  That’s what we should therefore say in the 
spec (possibly rewording it to make it easier to parse and understand).

I would be OK going so far as also saying something along the lines of:
  - Alternatively, new implementations may choose to always use PKCE, provided 
that the client somehow can determine that the server it is communicating with 
also supports PKCE.
That seems like a viable compromise, giving developers accurate information 
that is actionable.

But mandating PKCE in all cases, even when unnecessary, would be an interop 
disaster and would cause many to simply ignore the new spec.

OAuth 2.1 was supposed to not introduce breaking changes.  If you want to do 
that, please do it in TxAuth instead.

   -- Mike

From: OAuth  On Behalf Of Daniel Fett
Sent: Thursday, May 7, 2020 11:50 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative change 
that affects OpenID Connect Core (just as our current recommendation on the 
usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases when 
the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
understanding why you have to do something is key to compliance. The short 
version "PKCE protects the code; there is a specific case where it is not 
needed, but its better to use it all the time" is easy to understand. We will 
not see many implementations following the long version above correctly.

Second, we dramatically reduce technical complexity by reducing cases that need 
to be handled. We reduce correctness and compliance testing complexity in the 
same way. We reduce the cost of security analysis, which scales really badly to 
more cases.

And finally, using nonce to protect against code injection is less robust than 
PKCE. AS have a better track record than clients when it comes to correctly 
implementing security mechanisms.

Yes, this will make a number of implementations non-spec-compliant, but I do 
not think that this is a huge problem. Software needs to adapt all the time and 
a software that has not been changed in a while is probably not one you would 
want to use anyway. We are setting a new goal for implementations to meet and 
eventually, maintained implementations will get there.

-Daniel


Am 08.05.20 um 01:38 schrieb Aaron Parecki:
Backing up a step or two, there's another point here that I think has been 
missed in these discussions.

PKCE solves two problems: stolen authorization codes for public clients, and 
authorization code injection for all clients. We've only been talking about 
authorization code injection on the list so far. The quoted section of the 
security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only 
talking about preventing authorization code injection.

The nonce parameter solves authorization code injection if the client requests 
an ID token. Public clients using the nonce parameter are still susceptible to 
stolen authorization codes so they still need to do PKCE as well.

The only case where OpenID Connect clients don't benefit from PKCE is if they 
are also confidential clients. Public client OIDC clients still need to do PKCE 
even if they check the nonce.

OpenID Connect servers working with confidential clients still benefit from 
PKCE because they can then enforce the authorization code injection protection 
server-side rather than cross their fingers that clients implemented the nonce 
check properly.

I really don't think it's worth the amount of explanation this will take in the 
future to write an exception into OAuth 2.1 or the Security BCP for only some 
types of OpenID Connect clients when all clients would benefit from PKCE anyway.

Aaron



On Wed, May 6, 2020 at 10:48 AM Dick Hardt 
mailto:dick.ha...@gmail.com>> wrote:
Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Phillip Hunt]

+1 

Phil

> On May 7, 2020, at 11:50 PM, Daniel Fett  wrote:
> 
> 
> +1 to all what Aaron said. Thanks for pointing this out!
> 
> We need to address this in the security BCP and this will be a normative 
> change that affects OpenID Connect Core (just as our current recommendation 
> on the usage of nonce).
> 
> We would then have:
> 
> - use PKCE, except if you use OIDC with a nonce, then you don't need PKCE, 
> except if you are a public client, then you still need PKCE.
> - use state, except if you use PKCE, then you don't need state.
> 
> I think there are very good reasons to simplify this down to 
> 
> - use PKCE
> - you may or may not use state
> 
> First and foremost, not many people will understand why there are cases when 
> the BCP/OAuth 2.1 mandate PKCE and some where they don't. However, 
> understanding why you have to do something is key to compliance. The short 
> version "PKCE protects the code; there is a specific case where it is not 
> needed, but its better to use it all the time" is easy to understand. We will 
> not see many implementations following the long version above correctly.
> 
> Second, we dramatically reduce technical complexity by reducing cases that 
> need to be handled. We reduce correctness and compliance testing complexity 
> in the same way. We reduce the cost of security analysis, which scales really 
> badly to more cases.
> 
> And finally, using nonce to protect against code injection is less robust 
> than PKCE. AS have a better track record than clients when it comes to 
> correctly implementing security mechanisms. 
> 
> Yes, this will make a number of implementations non-spec-compliant, but I do 
> not think that this is a huge problem. Software needs to adapt all the time 
> and a software that has not been changed in a while is probably not one you 
> would want to use anyway. We are setting a new goal for implementations to 
> meet and eventually, maintained implementations will get there.
> 
> -Daniel
> 
> 
> Am 08.05.20 um 01:38 schrieb Aaron Parecki:
>> Backing up a step or two, there's another point here that I think has been 
>> missed in these discussions.
>> 
>> PKCE solves two problems: stolen authorization codes for public clients, and 
>> authorization code injection for all clients. We've only been talking about 
>> authorization code injection on the list so far. The quoted section of the 
>> security BCP (4.5.3) which says clients can do PKCE or use the nonce, is 
>> only talking about preventing authorization code injection.
>> 
>> The nonce parameter solves authorization code injection if the client 
>> requests an ID token. Public clients using the nonce parameter are still 
>> susceptible to stolen authorization codes so they still need to do PKCE as 
>> well.
>> 
>> The only case where OpenID Connect clients don't benefit from PKCE is if 
>> they are also confidential clients. Public client OIDC clients still need to 
>> do PKCE even if they check the nonce.
>> 
>> OpenID Connect servers working with confidential clients still benefit from 
>> PKCE because they can then enforce the authorization code injection 
>> protection server-side rather than cross their fingers that clients 
>> implemented the nonce check properly.
>> 
>> I really don't think it's worth the amount of explanation this will take in 
>> the future to write an exception into OAuth 2.1 or the Security BCP for only 
>> some types of OpenID Connect clients when all clients would benefit from 
>> PKCE anyway.
>> 
>> Aaron
>> 
>> 
>> 
>> On Wed, May 6, 2020 at 10:48 AM Dick Hardt  wrote:
>>> Hello!
>>> 
>>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
>>> practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
>>> nonce solves some of the issues that PKCE protects against. We think that 
>>> most OpenID Connect implementations also support OAuth 2.0, and hence have 
>>> support for PKCE if following best practices.
>>> 
>>> The advantages or requiring PKCE are:
>>> 
>>> - a simpler programming model across all OAuth applications and profiles as 
>>> they all use PKCE
>>> 
>>> - reduced attack surface when using  S256 as a fingerprint of the verifier 
>>> is sent through the browser instead of the clear text value
>>> 
>>> - enforcement by AS not client - makes it easier to handle for client 
>>> developers and AS can ensure the check is conducted
>>> 
>>> What are disadvantages besides the potential impact to OpenID Connect 
>>> deployments? How significant is that impact?
>>> 
>>> Dick, Aaron, and Torsten
>>> 
>>> ᐧ
>> 
>> 
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Daniel Fett]

+1 to all what Aaron said. Thanks for pointing this out!

We need to address this in the security BCP and this will be a normative
change that affects OpenID Connect Core (just as our current
recommendation on the usage of nonce).

We would then have:

- use PKCE, except if you use OIDC with a nonce, then you don't need
PKCE, except if you are a public client, then you still need PKCE.
- use state, except if you use PKCE, then you don't need state.

I think there are very good reasons to simplify this down to

- use PKCE
- you may or may not use state

First and foremost, not many people will understand why there are cases
when the BCP/OAuth 2.1 mandate PKCE and some where they don't. However,
understanding /why/ you have to do something is key to compliance. The
short version "PKCE protects the code; there is a specific case where it
is not needed, but its better to use it all the time" is easy to
understand. We will not see many implementations following the long
version above correctly.

Second, we dramatically reduce technical complexity by reducing cases
that need to be handled. We reduce correctness and compliance testing
complexity in the same way. We reduce the cost of security analysis,
which scales really badly to more cases.

And finally, using nonce to protect against code injection is less
robust than PKCE. AS have a better track record than clients when it
comes to correctly implementing security mechanisms.

Yes, this will make a number of implementations non-spec-compliant, but
I do not think that this is a huge problem. Software needs to adapt all
the time and a software that has not been changed in a while is probably
not one you would want to use anyway. We are setting a new goal for
implementations to meet and eventually, maintained implementations will
get there.

-Daniel


Am 08.05.20 um 01:38 schrieb Aaron Parecki:
> Backing up a step or two, there's another point here that I think has
> been missed in these discussions.
>
> PKCE solves two problems: stolen authorization codes for public
> clients, and authorization code injection for all clients. We've only
> been talking about authorization code injection on the list so far.
> The quoted section of the security BCP (4.5.3) which says clients can
> do PKCE or use the nonce, is only talking about preventing
> authorization code injection.
>
> The nonce parameter solves authorization code injection if the client
> requests an ID token. Public clients using the nonce parameter are
> still susceptible to stolen authorization codes so they still need to
> do PKCE as well.
>
> The only case where OpenID Connect clients don't benefit from PKCE is
> if they are also confidential clients. Public client OIDC clients
> still need to do PKCE even if they check the nonce.
>
> OpenID Connect servers working with confidential clients still benefit
> from PKCE because they can then enforce the authorization code
> injection protection server-side rather than cross their fingers that
> clients implemented the nonce check properly.
>
> I really don't think it's worth the amount of explanation this will
> take in the future to write an exception into OAuth 2.1 or the
> Security BCP for only some types of OpenID Connect clients when all
> clients would benefit from PKCE anyway.
>
> Aaron
>
>
>
> On Wed, May 6, 2020 at 10:48 AM Dick Hardt  > wrote:
>
> Hello!
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This
> is best practice for OAuth 2.0. It is not common in OpenID Connect
> servers as the nonce solves some of the issues that PKCE protects
> against. We think that most OpenID Connect implementations also
> support OAuth 2.0, and hence have support for PKCE if following
> best practices.
>
> The advantages or requiring PKCE are:
>
> - a simpler programming model across all OAuth applications and
> profiles as they all use PKCE
>
> - reduced attack surface when using  S256 as a fingerprint of the
> verifier is sent through the browser instead of the clear text value
>
> - enforcement by AS not client - makes it easier to handle for
> client developers and AS can ensure the check is conducted
>
> What are disadvantages besides the potential impact to OpenID
> Connect deployments? How significant is that impact?
>
> Dick, Aaron, and Torsten
>
> ᐧ
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Philippe De Ryck]

From working with a lot of developers on understanding OAuth 2.0 and OIDC, I 
definitely vote for simplicity. Understanding the subtle nuances of when a 
nonce is fine and when PKCE should be used is impossible without in-depth 
knowledge of the flows and their properties. Misunderstandings will cause 
security vulnerabilities, which can easily be avoided.

Since OAuth 2.1 is a separate spec, I don’t really see a problem with existing 
code not being compliant. They support OAuth 2.0, and if they want to be OAuth 
2.1 compliant, they add PKCE. If I’m not mistaken, other requirements of OAuth 
2.1 would also clash with existing deployments (e.g., using non-exact redirect 
URIs).

I believe that optimizing for making OAuth 2.1 easier to understand will yield 
the highest return.

Philippe


> On 8 May 2020, at 03:42, Mike Jones 
>  wrote:
> 
> Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
> about “the amount of explanation this will take”.  That’s optimizing for spec 
> simplicity – a goal that I do understand.  However, by writing these few 
> sentences or paragraphs, we’ll make it clear to developers that hundreds or 
> thousands of deployed OpenID Connect RPs won’t have to change their 
> deployments.  That’s optimizing for interoperability and minimizing the 
> burden on developers, which are far more important.
>  
> As Brian Campbell wrote, “They are not equivalent and have very different 
> ramifications on interoperability”.
>  
> Even if you’re optimizing for writing, taking a minimally invasive protocol 
> change approach will optimize that, overall.  If we proceed as you’re 
> suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
> SlashDot, blogs, and other developer forums, where confused developers will 
> ask “Why do I have to change my deployed code?” with the answers being 
> “Despite what the 2.1 spec says, there’s no need to change your deployed 
> code.”
>  
> I’d gladly write a few sentences in our new specs now to prevent ongoing 
> confusion and interop problems that would otherwise result.  Let me know when 
> you’re ready to incorporate them into the spec text.
>  
>-- Mike
>  
> From: Aaron Parecki mailto:aa...@parecki.com>> 
> Sent: Thursday, May 7, 2020 4:39 PM
> To: Dick Hardt mailto:dick.ha...@gmail.com>>
> Cc: OAuth WG mailto:oauth@ietf.org>>; Torsten Lodderstedt 
> mailto:tors...@lodderstedt.net>>; Mike Jones 
> mailto:michael.jo...@microsoft.com>>
> Subject: Re: OAuth 2.1 - require PKCE?
>  
> Backing up a step or two, there's another point here that I think has been 
> missed in these discussions.
>  
> PKCE solves two problems: stolen authorization codes for public clients, and 
> authorization code injection for all clients. We've only been talking about 
> authorization code injection on the list so far. The quoted section of the 
> security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only 
> talking about preventing authorization code injection.
>  
> The nonce parameter solves authorization code injection if the client 
> requests an ID token. Public clients using the nonce parameter are still 
> susceptible to stolen authorization codes so they still need to do PKCE as 
> well.
>  
> The only case where OpenID Connect clients don't benefit from PKCE is if they 
> are also confidential clients. Public client OIDC clients still need to do 
> PKCE even if they check the nonce.
>  
> OpenID Connect servers working with confidential clients still benefit from 
> PKCE because they can then enforce the authorization code injection 
> protection server-side rather than cross their fingers that clients 
> implemented the nonce check properly.
>  
> I really don't think it's worth the amount of explanation this will take in 
> the future to write an exception into OAuth 2.1 or the Security BCP for only 
> some types of OpenID Connect clients when all clients would benefit from PKCE 
> anyway.
>  
> Aaron
>  
>  
>  
> On Wed, May 6, 2020 at 10:48 AM Dick Hardt  > wrote:
> Hello!
>  
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
> nonce solves some of the issues that PKCE protects against. We think that 
> most OpenID Connect implementations also support OAuth 2.0, and hence have 
> support for PKCE if following best practices.
>  
> The advantages or requiring PKCE are:
>  
> - a simpler programming model across all OAuth applications and profiles as 
> they all use PKCE
>  
> - reduced attack surface when using  S256 as a fingerprint of the verifier is 
> sent through the browser instead of the clear text value
>  
> - enforcement by AS not client - makes it easier to handle for client 
> developers and AS can ensure the check is conducted
>  
> What are disadvantages besides the potential impact to OpenID Connect 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

Aaron, I believe you’re trying to optimize the wrong thing.  You’re concerned 
about “the amount of explanation this will take”.  That’s optimizing for spec 
simplicity – a goal that I do understand.  However, by writing these few 
sentences or paragraphs, we’ll make it clear to developers that hundreds or 
thousands of deployed OpenID Connect RPs won’t have to change their 
deployments.  That’s optimizing for interoperability and minimizing the burden 
on developers, which are far more important.

As Brian Campbell wrote, “They are not equivalent and have very different 
ramifications on interoperability”.

Even if you’re optimizing for writing, taking a minimally invasive protocol 
change approach will optimize that, overall.  If we proceed as you’re 
suggesting, a huge amount of writing will occur on StackOverflow, Medium, 
SlashDot, blogs, and other developer forums, where confused developers will ask 
“Why do I have to change my deployed code?” with the answers being “Despite 
what the 2.1 spec says, there’s no need to change your deployed code.”

I’d gladly write a few sentences in our new specs now to prevent ongoing 
confusion and interop problems that would otherwise result.  Let me know when 
you’re ready to incorporate them into the spec text.

   -- Mike

From: Aaron Parecki 
Sent: Thursday, May 7, 2020 4:39 PM
To: Dick Hardt 
Cc: OAuth WG ; Torsten Lodderstedt ; 
Mike Jones 
Subject: Re: OAuth 2.1 - require PKCE?

Backing up a step or two, there's another point here that I think has been 
missed in these discussions.

PKCE solves two problems: stolen authorization codes for public clients, and 
authorization code injection for all clients. We've only been talking about 
authorization code injection on the list so far. The quoted section of the 
security BCP (4.5.3) which says clients can do PKCE or use the nonce, is only 
talking about preventing authorization code injection.

The nonce parameter solves authorization code injection if the client requests 
an ID token. Public clients using the nonce parameter are still susceptible to 
stolen authorization codes so they still need to do PKCE as well.

The only case where OpenID Connect clients don't benefit from PKCE is if they 
are also confidential clients. Public client OIDC clients still need to do PKCE 
even if they check the nonce.

OpenID Connect servers working with confidential clients still benefit from 
PKCE because they can then enforce the authorization code injection protection 
server-side rather than cross their fingers that clients implemented the nonce 
check properly.

I really don't think it's worth the amount of explanation this will take in the 
future to write an exception into OAuth 2.1 or the Security BCP for only some 
types of OpenID Connect clients when all clients would benefit from PKCE anyway.

Aaron



On Wed, May 6, 2020 at 10:48 AM Dick Hardt 
mailto:dick.ha...@gmail.com>> wrote:
Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support for PKCE 
if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as 
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is 
sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client 
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect 
deployments? How significant is that impact?

Dick, Aaron, and Torsten

ᐧ
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Aaron Parecki]

Backing up a step or two, there's another point here that I think has been
missed in these discussions.

PKCE solves two problems: stolen authorization codes for public clients,
and authorization code injection for all clients. We've only been talking
about authorization code injection on the list so far. The quoted section
of the security BCP (4.5.3) which says clients can do PKCE or use the
nonce, is only talking about preventing authorization code injection.

The nonce parameter solves authorization code injection if the client
requests an ID token. Public clients using the nonce parameter are still
susceptible to stolen authorization codes so they still need to do PKCE as
well.

The only case where OpenID Connect clients don't benefit from PKCE is if
they are also confidential clients. Public client OIDC clients still need
to do PKCE even if they check the nonce.

OpenID Connect servers working with confidential clients still benefit from
PKCE because they can then enforce the authorization code injection
protection server-side rather than cross their fingers that clients
implemented the nonce check properly.

I really don't think it's worth the amount of explanation this will take in
the future to write an exception into OAuth 2.1 or the Security BCP for
only some types of OpenID Connect clients when all clients would benefit
from PKCE anyway.

Aaron



On Wed, May 6, 2020 at 10:48 AM Dick Hardt  wrote:

> Hello!
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the
> nonce solves some of the issues that PKCE protects against. We think that
> most OpenID Connect implementations also support OAuth 2.0, and hence have
> support for PKCE if following best practices.
>
> The advantages or requiring PKCE are:
>
> - a simpler programming model across all OAuth applications and profiles
> as they all use PKCE
>
> - reduced attack surface when using  S256 as a fingerprint of the verifier
> is sent through the browser instead of the clear text value
>
> - enforcement by AS not client - makes it easier to handle for client
> developers and AS can ensure the check is conducted
>
> What are disadvantages besides the potential impact to OpenID Connect
> deployments? How significant is that impact?
>
> Dick, Aaron, and Torsten
>
> ᐧ
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Brian Campbell]

I think the point is that the Security BCP in
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1..1
requires that the authz request has either the PKCE "code_challenge" or the
OIDC "nonce". Whereas 2.1 in
https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-4.1.1.3
flat out requires PKCE "code_challenge" in the authz request. They are not
equivalent and have very different ramifications on interoperability etc..


On Wed, May 6, 2020 at 2:43 PM Aaron Parecki  wrote:

> Going back to this point about server vs client requirements, since both
> the Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE,
> isn't that already imposing additional requirements on OpenID Connect
> providers that don't currently exist in OpenID Connect alone?
>
> OPs that want to be compliant with the Security BCP will need to add PKCE
> support if they don't already have it (many of them already support it so
> for many of them this will not be any change), so it seems like a very
> small leap to also require clients implement PKCE as well.
>
> On Wed, May 6, 2020 at 12:31 PM Mike Jones 
> wrote:
>
>> I realize what it says about servers.  My point is that OAuth 2.1’s
>> requirements on *clients* should match those in the security BCP and not
>> try to go beyond them.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Aaron Parecki 
>> *Sent:* Wednesday, May 6, 2020 12:24 PM
>> *To:* Mike Jones 
>> *Cc:* Dick Hardt ; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Yes, the BCP says *clients* may use either PKCE or nonce to prevent
>> authorization code injection. Shortly after that quoted segment is the
>> below:
>>
>>
>>
>> > Authorization servers MUST support PKCE [RFC7636].
>>
>>
>>
>> On Wed, May 6, 2020 at 12:22 PM Mike Jones 
>> wrote:
>>
>> Aaron, the section you cited at
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>> makes it clear that clients can support EITHER PKCE or the OpenID Connect
>> nonce.   The text is:
>>
>>
>>
>>Clients MUST prevent injection (replay) of authorization codes into
>>
>>the authorization response by attackers.  The use of PKCE [RFC7636
>> <https://tools.ietf.org/html/rfc7636>]
>>
>>is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>>
>>ID Token Claim [OpenID
>> <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#ref-OpenID>]
>> MAY be used as well.  The PKCE challenge or
>>
>>OpenID Connect "nonce" MUST be transaction-specific and securely
>>
>>bound to the client and the user agent in which the transaction was
>>
>>started.
>>
>>
>>
>> We should not attempt to change that in OAuth 2.1, as doing so would
>> needlessly break already working and secure clients.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Aaron Parecki 
>> *Sent:* Wednesday, May 6, 2020 11:56 AM
>> *To:* Mike Jones 
>> *Cc:* Dick Hardt ; oauth@ietf.org
>> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> > In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.
>>
>>
>>
>> The Security BCP already requires that ASs support PKCE:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>  Are
>> you suggesting that the Security BCP change that requirement as well? If
>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>> implicit statement that it's okay for OpenID Connect implementations to not
>> be best-practice OAuth implementations. And if that's the case, then I also
>> think it's acceptable that they are not complete OAuth 2.1 implementations
>> either.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones > 40microsoft@dmarc.ietf.org> wrote:
>>
>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>> that you’re trying to add a normative requirement that’s not required of
>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>> There are hundreds of implementations (including the 141 ce

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

Requiring a change to every deployed RP is not “a very small leap”.  It’s an 
invasive big deal, introducing a breaking change and bifurcating a 
well-functioning ecosystem without sufficient cause.

What this actually points out to me is that we should modify the language in 
the Security BCP to say something like “OAuth Servers MUST support PKCE unless 
they are only used for OpenID Connect Authentication Requests”.  I’d thought 
that that was already the case, as that mirrors the client requirements and I 
apparently failed to read it closely enough.  I’ll submit a separate request 
for the change to the Security BCP to make it self-consistent.

   -- Mike

From: Aaron Parecki 
Sent: Wednesday, May 6, 2020 1:43 PM
To: Mike Jones 
Cc: Dick Hardt ; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Going back to this point about server vs client requirements, since both the 
Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE, isn't that 
already imposing additional requirements on OpenID Connect providers that don't 
currently exist in OpenID Connect alone?

OPs that want to be compliant with the Security BCP will need to add PKCE 
support if they don't already have it (many of them already support it so for 
many of them this will not be any change), so it seems like a very small leap 
to also require clients implement PKCE as well.

On Wed, May 6, 2020 at 12:31 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
I realize what it says about servers.  My point is that OAuth 2.1’s 
requirements on clients should match those in the security BCP and not try to 
go beyond them.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 12:24 PM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Dick Hardt mailto:dick.ha...@gmail.com>>; 
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Yes, the BCP says *clients* may use either PKCE or nonce to prevent 
authorization code injection. Shortly after that quoted segment is the below:

> Authorization servers MUST support PKCE [RFC7636].

On Wed, May 6, 2020 at 12:22 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
Aaron, the section you cited at 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
makes it clear that clients can support EITHER PKCE or the OpenID Connect 
nonce.   The text is:

   Clients MUST prevent injection (replay) of authorization codes into
   the authorization response by attackers.  The use of PKCE 
[RFC7636<https://tools.ietf.org/html/rfc7636>]
   is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
   ID Token Claim 
[OpenID<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#ref-OpenID>]
 MAY be used as well.  The PKCE challenge or
   OpenID Connect "nonce" MUST be transaction-specific and securely
   bound to the client and the user agent in which the transaction was
   started.

We should not attempt to change that in OAuth 2.1, as doing so would needlessly 
break already working and secure clients.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 11:56 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Dick Hardt mailto:dick.ha...@gmail.com>>; 
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.






On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Dick Hardt]

I hear Mike's point on breaking existing RPs. There are alot of them out
there.

For discussion purposes, let's call the current version OIDC 1.0 and the
version running OAuth 2.1, OIDC 1.1

Is there a reason a server can't be running both versions at the same time,
and support clients running both versions at the same time? The AS could
then enforce new and migrated clients running OIDC 1.1 to use PKCE.









ᐧ

On Wed, May 6, 2020 at 1:43 PM Aaron Parecki  wrote:

> Going back to this point about server vs client requirements, since both
> the Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE,
> isn't that already imposing additional requirements on OpenID Connect
> providers that don't currently exist in OpenID Connect alone?
>
> OPs that want to be compliant with the Security BCP will need to add PKCE
> support if they don't already have it (many of them already support it so
> for many of them this will not be any change), so it seems like a very
> small leap to also require clients implement PKCE as well.
>
> On Wed, May 6, 2020 at 12:31 PM Mike Jones 
> wrote:
>
>> I realize what it says about servers.  My point is that OAuth 2.1’s
>> requirements on *clients* should match those in the security BCP and not
>> try to go beyond them.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Aaron Parecki 
>> *Sent:* Wednesday, May 6, 2020 12:24 PM
>> *To:* Mike Jones 
>> *Cc:* Dick Hardt ; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Yes, the BCP says *clients* may use either PKCE or nonce to prevent
>> authorization code injection. Shortly after that quoted segment is the
>> below:
>>
>>
>>
>> > Authorization servers MUST support PKCE [RFC7636].
>>
>>
>>
>> On Wed, May 6, 2020 at 12:22 PM Mike Jones 
>> wrote:
>>
>> Aaron, the section you cited at
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>> makes it clear that clients can support EITHER PKCE or the OpenID Connect
>> nonce.   The text is:
>>
>>
>>
>>Clients MUST prevent injection (replay) of authorization codes into
>>
>>the authorization response by attackers.  The use of PKCE [RFC7636
>> <https://tools.ietf.org/html/rfc7636>]
>>
>>is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>>
>>ID Token Claim [OpenID
>> <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#ref-OpenID>]
>> MAY be used as well.  The PKCE challenge or
>>
>>OpenID Connect "nonce" MUST be transaction-specific and securely
>>
>>bound to the client and the user agent in which the transaction was
>>
>>    started.
>>
>>
>>
>> We should not attempt to change that in OAuth 2.1, as doing so would
>> needlessly break already working and secure clients.
>>
>>
>>
>>-- Mike
>>
>>
>>
>> *From:* Aaron Parecki 
>> *Sent:* Wednesday, May 6, 2020 11:56 AM
>> *To:* Mike Jones 
>> *Cc:* Dick Hardt ; oauth@ietf.org
>> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> > In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.
>>
>>
>>
>> The Security BCP already requires that ASs support PKCE:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>  Are
>> you suggesting that the Security BCP change that requirement as well? If
>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>> implicit statement that it's okay for OpenID Connect implementations to not
>> be best-practice OAuth implementations. And if that's the case, then I also
>> think it's acceptable that they are not complete OAuth 2.1 implementations
>> either.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones > 40microsoft@dmarc.ietf.org> wrote:
>>
>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>> that you’re trying to add a normative requirement that’s not required of
>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>> There are hundreds of implementations (including the 141 certified ones at
>> https://openid.net/certification/), no

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Aaron Parecki]

Going back to this point about server vs client requirements, since both
the Security BCP and OAuth 2.1 currently say that ASs MUST support PKCE,
isn't that already imposing additional requirements on OpenID Connect
providers that don't currently exist in OpenID Connect alone?

OPs that want to be compliant with the Security BCP will need to add PKCE
support if they don't already have it (many of them already support it so
for many of them this will not be any change), so it seems like a very
small leap to also require clients implement PKCE as well.

On Wed, May 6, 2020 at 12:31 PM Mike Jones 
wrote:

> I realize what it says about servers.  My point is that OAuth 2.1’s
> requirements on *clients* should match those in the security BCP and not
> try to go beyond them.
>
>
>
>-- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Wednesday, May 6, 2020 12:24 PM
> *To:* Mike Jones 
> *Cc:* Dick Hardt ; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Yes, the BCP says *clients* may use either PKCE or nonce to prevent
> authorization code injection. Shortly after that quoted segment is the
> below:
>
>
>
> > Authorization servers MUST support PKCE [RFC7636].
>
>
>
> On Wed, May 6, 2020 at 12:22 PM Mike Jones 
> wrote:
>
> Aaron, the section you cited at
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1.1
> makes it clear that clients can support EITHER PKCE or the OpenID Connect
> nonce.   The text is:
>
>
>
>Clients MUST prevent injection (replay) of authorization codes into
>
>the authorization response by attackers.  The use of PKCE [RFC7636
> <https://tools.ietf.org/html/rfc7636>]
>
>is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>
>ID Token Claim [OpenID
> <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#ref-OpenID>]
> MAY be used as well.  The PKCE challenge or
>
>OpenID Connect "nonce" MUST be transaction-specific and securely
>
>bound to the client and the user agent in which the transaction was
>
>started.
>
>
>
> We should not attempt to change that in OAuth 2.1, as doing so would
> needlessly break already working and secure clients.
>
>
>
>                    -- Mike
>
>
>
> *From:* Aaron Parecki 
> *Sent:* Wednesday, May 6, 2020 11:56 AM
> *To:* Mike Jones 
> *Cc:* Dick Hardt ; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> > In particular, authorization servers shouldn’t be required to support
> PKCE when they already support the OpenID Connect nonce.
>
>
>
> The Security BCP already requires that ASs support PKCE:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1.1
>  Are
> you suggesting that the Security BCP change that requirement as well? If
> so, that's a discussion that needs to be had ASAP. If not, then that's an
> implicit statement that it's okay for OpenID Connect implementations to not
> be best-practice OAuth implementations. And if that's the case, then I also
> think it's acceptable that they are not complete OAuth 2.1 implementations
> either.
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Wed, May 6, 2020 at 11:21 AM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
> The disadvantage of requiring PKCE for OpenID Connect implementations is
> that you’re trying to add a normative requirement that’s not required of
> OpenID Connect deployments today, which would bifurcate the ecosystem.
> There are hundreds of implementations (including the 141 certified ones at
> https://openid.net/certification/), none of which have ever been required
> to support PKCE.  Therefore, most don’t.
>
>
>
> Per feedback already provided, I believe that OAuth 2.1 should align with
> the guidance already in the draft Security BCP, requiring EITHER the use of
> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
> unnecessary requirements on existing deployments is unlikely to succeed and
> will significantly reduce the relevance of the OAuth 2.1 effort.
>
>
>
> In particular, authorization servers shouldn’t be required to support PKCE
> when they already support the OpenID Connect nonce.  And clients shouldn’t
> reject responses from servers that don’t support PKCE when they do contain
> the OpenID Connect nonce.  Doing so would unnecessarily break things and
> create confusion in the marketplace.
>
>
>
>   -- Mike
>
>
>
> *From:* OAuth  *

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

It could, but that would require an explicit decision by the OpenID Connect 
working group to make existing RPs incompatible with new OPs, breaking 
interoperability.  That’s not a decision we should make lightly or without a 
compelling reason to do so.

   -- Mike

From: Phillip Hunt 
Sent: Wednesday, May 6, 2020 1:16 PM
To: Mike Jones 
Cc: Aaron Parecki ; Steinar Noem ; 
oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Why couldn’t OIDC evolve as a spec to conform and match FAPI and 2.1?
Phil


On May 6, 2020, at 12:34 PM, Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:

Yes, FAPI requires PKCE, which is great.  Many of its requirements come from 
OpenID Connect but some of them are intentionally incompatible – such as 
requiring that Basic authentication not be supported, whereas Connect requires 
that it be supported.  It’s a different ecosystem with different requirements.

Don’t get me wrong, I support PKCE where it makes sense, such as when you’re 
doing bare OAuth without OpenID Connect.  But trying to impose an unnecessary 
requirement on a working and secure ecosystem will just create grief for us and 
our customers and lessen our credibility as stewards of the OAuth ecosystem.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 12:29 PM
To: Steinar Noem mailto:stei...@udelt.no>>
Cc: Phillip Hunt 
mailto:phil.h...@independentid.com>>; Mike Jones 
mailto:michael.jo...@microsoft.com>>; 
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

I should add that even some OpenID Connect profiles require PKCE, such as FAPI:

https://openid.net/specs/openid-financial-api-part-1.html#authorization-server

So the precedent for requiring PKCE already exists within some OpenID Connect 
profiles.

On Wed, May 6, 2020 at 12:23 PM Aaron Parecki 
mailto:aa...@parecki.com>> wrote:
Yes, and also, many of those providers very likely already support PKCE 
already. Skimming through that list of certified OPs, I recognize many names 
there from providers that I know support PKCE.

On Wed, May 6, 2020 at 12:18 PM Steinar Noem 
mailto:stei...@udelt.no>> wrote:
So, wouldn't a MUST just mean that we would have some OPs that are 2.1 
compliant and some that aren't?

ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt 
mailto:phil.h...@independentid.com>>:
Mike,

The point of 2.1 is to raise the security bar..

Yes it adds new MUST requirements.

But what about OIDC would break other than required implementation of PKCE to 
support 2.1?

Eg Would additional signaling be required to facilitate interoperability and 
migration between versions? Would that be an oauth issue or an OIDC one?

Phil



On May 6, 2020, at 11:56 AM, Aaron Parecki 
mailto:aa...@parecki.com>> wrote:

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.






On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Dick Hardt
Sent: Wed

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Phillip Hunt]

Why couldn’t OIDC evolve as a spec to conform and match FAPI and 2.1?  

Phil

> On May 6, 2020, at 12:34 PM, Mike Jones  wrote:
> 
> 
> Yes, FAPI requires PKCE, which is great.  Many of its requirements come from 
> OpenID Connect but some of them are intentionally incompatible – such as 
> requiring that Basic authentication not be supported, whereas Connect 
> requires that it be supported.  It’s a different ecosystem with different 
> requirements.
>  
> Don’t get me wrong, I support PKCE where it makes sense, such as when you’re 
> doing bare OAuth without OpenID Connect.  But trying to impose an unnecessary 
> requirement on a working and secure ecosystem will just create grief for us 
> and our customers and lessen our credibility as stewards of the OAuth 
> ecosystem.
>  
>-- Mike
>  
> From: Aaron Parecki  
> Sent: Wednesday, May 6, 2020 12:29 PM
> To: Steinar Noem 
> Cc: Phillip Hunt ; Mike Jones 
> ; oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?
>  
> I should add that even some OpenID Connect profiles require PKCE, such as 
> FAPI:
>  
> https://openid.net/specs/openid-financial-api-part-1.html#authorization-server
>  
> So the precedent for requiring PKCE already exists within some OpenID Connect 
> profiles.
>  
> On Wed, May 6, 2020 at 12:23 PM Aaron Parecki  wrote:
> Yes, and also, many of those providers very likely already support PKCE 
> already. Skimming through that list of certified OPs, I recognize many names 
> there from providers that I know support PKCE.
>  
> On Wed, May 6, 2020 at 12:18 PM Steinar Noem  wrote:
> So, wouldn't a MUST just mean that we would have some OPs that are 2.1 
> compliant and some that aren't?
>  
> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt :
> Mike,
>  
> The point of 2.1 is to raise the security bar.. 
>  
> Yes it adds new MUST requirements. 
>  
> But what about OIDC would break other than required implementation of PKCE to 
> support 2.1?
>  
> Eg Would additional signaling be required to facilitate interoperability and 
> migration between versions? Would that be an oauth issue or an OIDC one?
>  
> Phil
> 
> 
> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
> 
> 
> > In particular, authorization servers shouldn’t be required to support PKCE 
> > when they already support the OpenID Connect nonce.
>  
> The Security BCP already requires that ASs support PKCE: 
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
> Are you suggesting that the Security BCP change that requirement as well? If 
> so, that's a discussion that needs to be had ASAP. If not, then that's an 
> implicit statement that it's okay for OpenID Connect implementations to not 
> be best-practice OAuth implementations. And if that's the case, then I also 
> think it's acceptable that they are not complete OAuth 2.1 implementations 
> either.
>  
>  
>  
>  
>  
>  
> On Wed, May 6, 2020 at 11:21 AM Mike Jones 
>  wrote:
> The disadvantage of requiring PKCE for OpenID Connect implementations is that 
> you’re trying to add a normative requirement that’s not required of OpenID 
> Connect deployments today, which would bifurcate the ecosystem.  There are 
> hundreds of implementations (including the 141 certified ones at 
> https://openid.net/certification/), none of which have ever been required to 
> support PKCE.  Therefore, most don’t.
>  
> Per feedback already provided, I believe that OAuth 2.1 should align with the 
> guidance already in the draft Security BCP, requiring EITHER the use of PKCE 
> or the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
> requirements on existing deployments is unlikely to succeed and will 
> significantly reduce the relevance of the OAuth 2.1 effort.
>  
> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.  And clients shouldn’t 
> reject responses from servers that don’t support PKCE when they do contain 
> the OpenID Connect nonce.  Doing so would unnecessarily break things and 
> create confusion in the marketplace.
>  
>   -- Mike
>  
> From: OAuth  On Behalf Of Dick Hardt
> Sent: Wednesday, May 6, 2020 10:48 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
>  
> Hello!
>  
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
> nonce solves some of the issues that PKCE protects against. We think that 
> most OpenID 

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

Yes, FAPI requires PKCE, which is great.  Many of its requirements come from 
OpenID Connect but some of them are intentionally incompatible – such as 
requiring that Basic authentication not be supported, whereas Connect requires 
that it be supported.  It’s a different ecosystem with different requirements.

Don’t get me wrong, I support PKCE where it makes sense, such as when you’re 
doing bare OAuth without OpenID Connect.  But trying to impose an unnecessary 
requirement on a working and secure ecosystem will just create grief for us and 
our customers and lessen our credibility as stewards of the OAuth ecosystem.

   -- Mike

From: Aaron Parecki 
Sent: Wednesday, May 6, 2020 12:29 PM
To: Steinar Noem 
Cc: Phillip Hunt ; Mike Jones 
; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

I should add that even some OpenID Connect profiles require PKCE, such as FAPI:

https://openid.net/specs/openid-financial-api-part-1.html#authorization-server

So the precedent for requiring PKCE already exists within some OpenID Connect 
profiles.

On Wed, May 6, 2020 at 12:23 PM Aaron Parecki 
mailto:aa...@parecki.com>> wrote:
Yes, and also, many of those providers very likely already support PKCE 
already. Skimming through that list of certified OPs, I recognize many names 
there from providers that I know support PKCE.

On Wed, May 6, 2020 at 12:18 PM Steinar Noem 
mailto:stei...@udelt.no>> wrote:
So, wouldn't a MUST just mean that we would have some OPs that are 2.1 
compliant and some that aren't?

ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt 
mailto:phil.h...@independentid.com>>:
Mike,

The point of 2.1 is to raise the security bar..

Yes it adds new MUST requirements.

But what about OIDC would break other than required implementation of PKCE to 
support 2.1?

Eg Would additional signaling be required to facilitate interoperability and 
migration between versions? Would that be an oauth issue or an OIDC one?

Phil


On May 6, 2020, at 11:56 AM, Aaron Parecki 
mailto:aa...@parecki.com>> wrote:

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.






On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support for PKCE 
if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as 
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is 
sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client 
developer

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

I realize what it says about servers.  My point is that OAuth 2.1’s 
requirements on clients should match those in the security BCP and not try to 
go beyond them.

   -- Mike

From: Aaron Parecki 
Sent: Wednesday, May 6, 2020 12:24 PM
To: Mike Jones 
Cc: Dick Hardt ; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

Yes, the BCP says *clients* may use either PKCE or nonce to prevent 
authorization code injection. Shortly after that quoted segment is the below:

> Authorization servers MUST support PKCE [RFC7636].

On Wed, May 6, 2020 at 12:22 PM Mike Jones 
mailto:michael.jo...@microsoft.com>> wrote:
Aaron, the section you cited at 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
makes it clear that clients can support EITHER PKCE or the OpenID Connect 
nonce.   The text is:

   Clients MUST prevent injection (replay) of authorization codes into
   the authorization response by attackers.  The use of PKCE 
[RFC7636<https://tools.ietf.org/html/rfc7636>]
   is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
   ID Token Claim 
[OpenID<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#ref-OpenID>]
 MAY be used as well.  The PKCE challenge or
   OpenID Connect "nonce" MUST be transaction-specific and securely
   bound to the client and the user agent in which the transaction was
   started.

We should not attempt to change that in OAuth 2.1, as doing so would needlessly 
break already working and secure clients.

   -- Mike

From: Aaron Parecki mailto:aa...@parecki.com>>
Sent: Wednesday, May 6, 2020 11:56 AM
To: Mike Jones mailto:michael.jo...@microsoft.com>>
Cc: Dick Hardt mailto:dick.ha...@gmail.com>>; 
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

> In particular, authorization servers shouldn’t be required to support PKCE 
> when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE: 
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
Are you suggesting that the Security BCP change that requirement as well? If 
so, that's a discussion that needs to be had ASAP. If not, then that's an 
implicit statement that it's okay for OpenID Connect implementations to not be 
best-practice OAuth implementations. And if that's the case, then I also think 
it's acceptable that they are not complete OAuth 2.1 implementations either.






On Wed, May 6, 2020 at 11:21 AM Mike Jones 
mailto:40microsoft@dmarc.ietf.org>>
 wrote:
The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth mailto:oauth-boun...@ietf.org>> On Behalf 
Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support for PKCE 
if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as 
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is 
sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client 
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect 
deployments? How signifi

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Aaron Parecki]

I should add that even some OpenID Connect profiles require PKCE, such as
FAPI:

https://openid.net/specs/openid-financial-api-part-1.html#authorization-server

So the precedent for requiring PKCE already exists within some OpenID
Connect profiles.

On Wed, May 6, 2020 at 12:23 PM Aaron Parecki  wrote:

> Yes, and also, many of those providers very likely already support PKCE
> already. Skimming through that list of certified OPs, I recognize many
> names there from providers that I know support PKCE.
>
> On Wed, May 6, 2020 at 12:18 PM Steinar Noem  wrote:
>
>> So, wouldn't a MUST just mean that we would have some OPs that are 2.1
>> compliant and some that aren't?
>>
>> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt <
>> phil.h...@independentid.com>:
>>
>>> Mike,
>>>
>>> The point of 2.1 is to raise the security bar.
>>>
>>> Yes it adds new MUST requirements.
>>>
>>> But what about OIDC would break other than required implementation of
>>> PKCE to support 2.1?
>>>
>>> Eg Would additional signaling be required to facilitate interoperability
>>> and migration between versions? Would that be an oauth issue or an OIDC one?
>>>
>>> Phil
>>>
>>> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
>>>
>>> 
>>> > In particular, authorization servers shouldn’t be required to support
>>> PKCE when they already support the OpenID Connect nonce.
>>>
>>> The Security BCP already requires that ASs support PKCE:
>>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>>  Are
>>> you suggesting that the Security BCP change that requirement as well? If
>>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>>> implicit statement that it's okay for OpenID Connect implementations to not
>>> be best-practice OAuth implementations. And if that's the case, then I also
>>> think it's acceptable that they are not complete OAuth 2.1 implementations
>>> either.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, May 6, 2020 at 11:21 AM Mike Jones >> 40microsoft@dmarc.ietf.org> wrote:
>>>
>>>> The disadvantage of requiring PKCE for OpenID Connect implementations
>>>> is that you’re trying to add a normative requirement that’s not required of
>>>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>>>> There are hundreds of implementations (including the 141 certified ones at
>>>> https://openid.net/certification/), none of which have ever been
>>>> required to support PKCE.  Therefore, most don’t.
>>>>
>>>>
>>>>
>>>> Per feedback already provided, I believe that OAuth 2.1 should align
>>>> with the guidance already in the draft Security BCP, requiring EITHER the
>>>> use of PKCE or the OpenID Connect nonce.  Trying to retroactively impose
>>>> unnecessary requirements on existing deployments is unlikely to succeed and
>>>> will significantly reduce the relevance of the OAuth 2.1 effort.
>>>>
>>>>
>>>>
>>>> In particular, authorization servers shouldn’t be required to support
>>>> PKCE when they already support the OpenID Connect nonce.  And clients
>>>> shouldn’t reject responses from servers that don’t support PKCE when they
>>>> do contain the OpenID Connect nonce.  Doing so would unnecessarily break
>>>> things and create confusion in the marketplace.
>>>>
>>>>
>>>>
>>>>   -- Mike
>>>>
>>>>
>>>>
>>>> *From:* OAuth  *On Behalf Of * Dick Hardt
>>>> *Sent:* Wednesday, May 6, 2020 10:48 AM
>>>> *To:* oauth@ietf.org
>>>> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>>>>
>>>>
>>>>
>>>> Hello!
>>>>
>>>>
>>>>
>>>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is
>>>> best practice for OAuth 2.0. It is not common in OpenID Connect servers as
>>>> the nonce solves some of the issues that PKCE protects against. We think
>>>> that most OpenID Connect implementations also support OAuth 2.0, and
>>>> hence have support for PKCE if following best practices.
>>>>
>>>>
>>>>
>>>> The advantages or requiring PKCE are:
>>>

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Aaron Parecki]

Yes, and also, many of those providers very likely already support PKCE
already. Skimming through that list of certified OPs, I recognize many
names there from providers that I know support PKCE.

On Wed, May 6, 2020 at 12:18 PM Steinar Noem  wrote:

> So, wouldn't a MUST just mean that we would have some OPs that are 2.1
> compliant and some that aren't?
>
> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt  >:
>
>> Mike,
>>
>> The point of 2.1 is to raise the security bar.
>>
>> Yes it adds new MUST requirements.
>>
>> But what about OIDC would break other than required implementation of
>> PKCE to support 2.1?
>>
>> Eg Would additional signaling be required to facilitate interoperability
>> and migration between versions? Would that be an oauth issue or an OIDC one?
>>
>> Phil
>>
>> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
>>
>> 
>> > In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.
>>
>> The Security BCP already requires that ASs support PKCE:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>  Are
>> you suggesting that the Security BCP change that requirement as well? If
>> so, that's a discussion that needs to be had ASAP. If not, then that's an
>> implicit statement that it's okay for OpenID Connect implementations to not
>> be best-practice OAuth implementations. And if that's the case, then I also
>> think it's acceptable that they are not complete OAuth 2.1 implementations
>> either.
>>
>>
>>
>>
>>
>>
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones > 40microsoft@dmarc.ietf.org> wrote:
>>
>>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>>> that you’re trying to add a normative requirement that’s not required of
>>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>>> There are hundreds of implementations (including the 141 certified ones at
>>> https://openid.net/certification/), none of which have ever been
>>> required to support PKCE.  Therefore, most don’t.
>>>
>>>
>>>
>>> Per feedback already provided, I believe that OAuth 2.1 should align
>>> with the guidance already in the draft Security BCP, requiring EITHER the
>>> use of PKCE or the OpenID Connect nonce.  Trying to retroactively impose
>>> unnecessary requirements on existing deployments is unlikely to succeed and
>>> will significantly reduce the relevance of the OAuth 2.1 effort.
>>>
>>>
>>>
>>> In particular, authorization servers shouldn’t be required to support
>>> PKCE when they already support the OpenID Connect nonce.  And clients
>>> shouldn’t reject responses from servers that don’t support PKCE when they
>>> do contain the OpenID Connect nonce.  Doing so would unnecessarily break
>>> things and create confusion in the marketplace.
>>>
>>>
>>>
>>>   -- Mike
>>>
>>>
>>>
>>> *From:* OAuth  *On Behalf Of * Dick Hardt
>>> *Sent:* Wednesday, May 6, 2020 10:48 AM
>>> *To:* oauth@ietf.org
>>> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>>>
>>>
>>>
>>> Hello!
>>>
>>>
>>>
>>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is
>>> best practice for OAuth 2.0. It is not common in OpenID Connect servers as
>>> the nonce solves some of the issues that PKCE protects against. We think
>>> that most OpenID Connect implementations also support OAuth 2.0, and
>>> hence have support for PKCE if following best practices.
>>>
>>>
>>>
>>> The advantages or requiring PKCE are:
>>>
>>>
>>>
>>> - a simpler programming model across all OAuth applications and profiles
>>> as they all use PKCE
>>>
>>>
>>>
>>> - reduced attack surface when using  S256 as a fingerprint of the
>>> verifier is sent through the browser instead of the clear text value
>>>
>>>
>>>
>>> - enforcement by AS not client - makes it easier to handle for client
>>> developers and AS can ensure the check is conducted
>>>
>>>
>>>
>>> What are disadvantages besides the potential impact to OpenID Connect
>>> deployments? How significant is that impact?
>>>
>>>
>>>
>>> Dick, Aaron, and Torsten
>>>
>>>
>>>
>>> ᐧ
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> --
> Vennlig hilsen
>
> Steinar Noem
> Partner Udelt AS
> Systemutvikler
>
> | stei...@udelt.no | h...@udelt.no  | +47 955 21 620 | www.udelt.no |
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Phillip Hunt]

Yes. Some would be 2.0 and some2.1. Not unlike TLS versioning.  

 Maybe i should not have said that. ;-)

Phil

> On May 6, 2020, at 12:18 PM, Steinar Noem  wrote:
> 
> 
> So, wouldn't a MUST just mean that we would have some OPs that are 2.1 
> compliant and some that aren't?
> 
>> ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt :
>> Mike,
>> 
>> The point of 2.1 is to raise the security bar. 
>> 
>> Yes it adds new MUST requirements. 
>> 
>> But what about OIDC would break other than required implementation of PKCE 
>> to support 2.1?
>> 
>> Eg Would additional signaling be required to facilitate interoperability and 
>> migration between versions? Would that be an oauth issue or an OIDC one?
>> 
>> Phil
>> 
>>>> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
>>>> 
>>> 
>>> > In particular, authorization servers shouldn’t be required to support 
>>> > PKCE when they already support the OpenID Connect nonce.
>>> 
>>> The Security BCP already requires that ASs support PKCE: 
>>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
>>>  Are you suggesting that the Security BCP change that requirement as well? 
>>> If so, that's a discussion that needs to be had ASAP. If not, then that's 
>>> an implicit statement that it's okay for OpenID Connect implementations to 
>>> not be best-practice OAuth implementations. And if that's the case, then I 
>>> also think it's acceptable that they are not complete OAuth 2.1 
>>> implementations either.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Wed, May 6, 2020 at 11:21 AM Mike Jones 
>>>>  wrote:
>>>> The disadvantage of requiring PKCE for OpenID Connect implementations is 
>>>> that you’re trying to add a normative requirement that’s not required of 
>>>> OpenID Connect deployments today, which would bifurcate the ecosystem.  
>>>> There are hundreds of implementations (including the 141 certified ones at 
>>>> https://openid.net/certification/), none of which have ever been required 
>>>> to support PKCE.  Therefore, most don’t.
>>>> 
>>>>  
>>>> 
>>>> Per feedback already provided, I believe that OAuth 2.1 should align with 
>>>> the guidance already in the draft Security BCP, requiring EITHER the use 
>>>> of PKCE or the OpenID Connect nonce.  Trying to retroactively impose 
>>>> unnecessary requirements on existing deployments is unlikely to succeed 
>>>> and will significantly reduce the relevance of the OAuth 2.1 effort.
>>>> 
>>>>  
>>>> 
>>>> In particular, authorization servers shouldn’t be required to support PKCE 
>>>> when they already support the OpenID Connect nonce.  And clients shouldn’t 
>>>> reject responses from servers that don’t support PKCE when they do contain 
>>>> the OpenID Connect nonce.  Doing so would unnecessarily break things and 
>>>> create confusion in the marketplace.
>>>> 
>>>>  
>>>> 
>>>>   -- Mike
>>>> 
>>>>  
>>>> 
>>>> From: OAuth  On Behalf Of Dick Hardt
>>>> Sent: Wednesday, May 6, 2020 10:48 AM
>>>> To: oauth@ietf.org
>>>> Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
>>>> 
>>>>  
>>>> 
>>>> Hello!
>>>> 
>>>>  
>>>> 
>>>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
>>>> practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
>>>> nonce solves some of the issues that PKCE protects against. We think that 
>>>> most OpenID Connect implementations also support OAuth 2.0, and hence have 
>>>> support for PKCE if following best practices.
>>>> 
>>>>  
>>>> 
>>>> The advantages or requiring PKCE are:
>>>> 
>>>>  
>>>> 
>>>> - a simpler programming model across all OAuth applications and profiles 
>>>> as they all use PKCE
>>>> 
>>>>  
>>>> 
>>>> - reduced attack surface when using  S256 as a fingerprint of the verifier 
>>>> is sent through the browser instead of the clear text value
>>>> 
>>>>  
>>>> 
>>>> - enforcement by AS not client - makes it easier to handle for client 
>>>> developers and AS can ensure the check is conducted
>>>> 
>>>>  
>>>> 
>>>> What are disadvantages besides the potential impact to OpenID Connect 
>>>> deployments? How significant is that impact?
>>>> 
>>>>  
>>>> 
>>>> Dick, Aaron, and Torsten
>>>> 
>>>>  
>>>> 
>>>> ᐧ
>>>> 
>>>> ___
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> -- 
> Vennlig hilsen
> 
> Steinar Noem
> Partner Udelt AS
> Systemutvikler
>  
> | stei...@udelt.no | h...@udelt.no  | +47 955 21 620 | www.udelt.no | 
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Steinar Noem]

So, wouldn't a MUST just mean that we would have some OPs that are 2.1
compliant and some that aren't?

ons. 6. mai 2020 kl. 21:12 skrev Phillip Hunt :

> Mike,
>
> The point of 2.1 is to raise the security bar.
>
> Yes it adds new MUST requirements.
>
> But what about OIDC would break other than required implementation of PKCE
> to support 2.1?
>
> Eg Would additional signaling be required to facilitate interoperability
> and migration between versions? Would that be an oauth issue or an OIDC one?
>
> Phil
>
> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
>
> 
> > In particular, authorization servers shouldn’t be required to support
> PKCE when they already support the OpenID Connect nonce.
>
> The Security BCP already requires that ASs support PKCE:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2..1.1
>  Are
> you suggesting that the Security BCP change that requirement as well? If
> so, that's a discussion that needs to be had ASAP. If not, then that's an
> implicit statement that it's okay for OpenID Connect implementations to not
> be best-practice OAuth implementations. And if that's the case, then I also
> think it's acceptable that they are not complete OAuth 2.1 implementations
> either.
>
>
>
>
>
>
> On Wed, May 6, 2020 at 11:21 AM Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
>> The disadvantage of requiring PKCE for OpenID Connect implementations is
>> that you’re trying to add a normative requirement that’s not required of
>> OpenID Connect deployments today, which would bifurcate the ecosystem.
>> There are hundreds of implementations (including the 141 certified ones at
>> https://openid.net/certification/), none of which have ever been
>> required to support PKCE.  Therefore, most don’t.
>>
>>
>>
>> Per feedback already provided, I believe that OAuth 2.1 should align with
>> the guidance already in the draft Security BCP, requiring EITHER the use of
>> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
>> unnecessary requirements on existing deployments is unlikely to succeed and
>> will significantly reduce the relevance of the OAuth 2.1 effort.
>>
>>
>>
>> In particular, authorization servers shouldn’t be required to support
>> PKCE when they already support the OpenID Connect nonce.  And clients
>> shouldn’t reject responses from servers that don’t support PKCE when they
>> do contain the OpenID Connect nonce.  Doing so would unnecessarily break
>> things and create confusion in the marketplace.
>>
>>
>>
>>   -- Mike
>>
>>
>>
>> *From:* OAuth  *On Behalf Of * Dick Hardt
>> *Sent:* Wednesday, May 6, 2020 10:48 AM
>> *To:* oauth@ietf.org
>> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>>
>>
>>
>> Hello!
>>
>>
>>
>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is
>> best practice for OAuth 2.0. It is not common in OpenID Connect servers as
>> the nonce solves some of the issues that PKCE protects against. We think
>> that most OpenID Connect implementations also support OAuth 2.0, and
>> hence have support for PKCE if following best practices.
>>
>>
>>
>> The advantages or requiring PKCE are:
>>
>>
>>
>> - a simpler programming model across all OAuth applications and profiles
>> as they all use PKCE
>>
>>
>>
>> - reduced attack surface when using  S256 as a fingerprint of the
>> verifier is sent through the browser instead of the clear text value
>>
>>
>>
>> - enforcement by AS not client - makes it easier to handle for client
>> developers and AS can ensure the check is conducted
>>
>>
>>
>> What are disadvantages besides the potential impact to OpenID Connect
>> deployments? How significant is that impact?
>>
>>
>>
>> Dick, Aaron, and Torsten
>>
>>
>>
>> ᐧ
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Vennlig hilsen

Steinar Noem
Partner Udelt AS
Systemutvikler

| stei...@udelt.no | h...@udelt.no  | +47 955 21 620 | www.udelt.no |
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Phillip Hunt]

Mike,

The point of 2.1 is to raise the security bar. 

Yes it adds new MUST requirements. 

But what about OIDC would break other than required implementation of PKCE to 
support 2.1?

Eg Would additional signaling be required to facilitate interoperability and 
migration between versions? Would that be an oauth issue or an OIDC one?

Phil

> On May 6, 2020, at 11:56 AM, Aaron Parecki  wrote:
> 
> 
> > In particular, authorization servers shouldn’t be required to support PKCE 
> > when they already support the OpenID Connect nonce.
> 
> The Security BCP already requires that ASs support PKCE: 
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1 
> Are you suggesting that the Security BCP change that requirement as well? If 
> so, that's a discussion that needs to be had ASAP. If not, then that's an 
> implicit statement that it's okay for OpenID Connect implementations to not 
> be best-practice OAuth implementations. And if that's the case, then I also 
> think it's acceptable that they are not complete OAuth 2.1 implementations 
> either.
> 
> 
> 
> 
> 
> 
>> On Wed, May 6, 2020 at 11:21 AM Mike Jones 
>>  wrote:
>> The disadvantage of requiring PKCE for OpenID Connect implementations is 
>> that you’re trying to add a normative requirement that’s not required of 
>> OpenID Connect deployments today, which would bifurcate the ecosystem.  
>> There are hundreds of implementations (including the 141 certified ones at 
>> https://openid.net/certification/), none of which have ever been required to 
>> support PKCE.  Therefore, most don’t.
>> 
>>  
>> 
>> Per feedback already provided, I believe that OAuth 2.1 should align with 
>> the guidance already in the draft Security BCP, requiring EITHER the use of 
>> PKCE or the OpenID Connect nonce.  Trying to retroactively impose 
>> unnecessary requirements on existing deployments is unlikely to succeed and 
>> will significantly reduce the relevance of the OAuth 2.1 effort.
>> 
>>  
>> 
>> In particular, authorization servers shouldn’t be required to support PKCE 
>> when they already support the OpenID Connect nonce.  And clients shouldn’t 
>> reject responses from servers that don’t support PKCE when they do contain 
>> the OpenID Connect nonce.  Doing so would unnecessarily break things and 
>> create confusion in the marketplace.
>> 
>>  
>> 
>>   -- Mike
>> 
>>  
>> 
>> From: OAuth  On Behalf Of Dick Hardt
>> Sent: Wednesday, May 6, 2020 10:48 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
>> 
>>  
>> 
>> Hello!
>> 
>>  
>> 
>> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
>> practice for OAuth 2.0. It is not common in OpenID Connect servers as the 
>> nonce solves some of the issues that PKCE protects against. We think that 
>> most OpenID Connect implementations also support OAuth 2.0, and hence have 
>> support for PKCE if following best practices.
>> 
>>  
>> 
>> The advantages or requiring PKCE are:
>> 
>>  
>> 
>> - a simpler programming model across all OAuth applications and profiles as 
>> they all use PKCE
>> 
>>  
>> 
>> - reduced attack surface when using  S256 as a fingerprint of the verifier 
>> is sent through the browser instead of the clear text value
>> 
>>  
>> 
>> - enforcement by AS not client - makes it easier to handle for client 
>> developers and AS can ensure the check is conducted
>> 
>>  
>> 
>> What are disadvantages besides the potential impact to OpenID Connect 
>> deployments? How significant is that impact?
>> 
>>  
>> 
>> Dick, Aaron, and Torsten
>> 
>>  
>> 
>> ᐧ
>> 
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Aaron Parecki]

> In particular, authorization servers shouldn’t be required to support
PKCE when they already support the OpenID Connect nonce.

The Security BCP already requires that ASs support PKCE:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1..1
Are
you suggesting that the Security BCP change that requirement as well? If
so, that's a discussion that needs to be had ASAP. If not, then that's an
implicit statement that it's okay for OpenID Connect implementations to not
be best-practice OAuth implementations. And if that's the case, then I also
think it's acceptable that they are not complete OAuth 2.1 implementations
either.






On Wed, May 6, 2020 at 11:21 AM Mike Jones  wrote:

> The disadvantage of requiring PKCE for OpenID Connect implementations is
> that you’re trying to add a normative requirement that’s not required of
> OpenID Connect deployments today, which would bifurcate the ecosystem.
> There are hundreds of implementations (including the 141 certified ones at
> https://openid.net/certification/), none of which have ever been required
> to support PKCE.  Therefore, most don’t.
>
>
>
> Per feedback already provided, I believe that OAuth 2.1 should align with
> the guidance already in the draft Security BCP, requiring EITHER the use of
> PKCE or the OpenID Connect nonce.  Trying to retroactively impose
> unnecessary requirements on existing deployments is unlikely to succeed and
> will significantly reduce the relevance of the OAuth 2.1 effort.
>
>
>
> In particular, authorization servers shouldn’t be required to support PKCE
> when they already support the OpenID Connect nonce.  And clients shouldn’t
> reject responses from servers that don’t support PKCE when they do contain
> the OpenID Connect nonce.  Doing so would unnecessarily break things and
> create confusion in the marketplace.
>
>
>
>   -- Mike
>
>
>
> *From:* OAuth  *On Behalf Of * Dick Hardt
> *Sent:* Wednesday, May 6, 2020 10:48 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] OAuth 2.1 - require PKCE?
>
>
>
> Hello!
>
>
>
> We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
> practice for OAuth 2.0. It is not common in OpenID Connect servers as the
> nonce solves some of the issues that PKCE protects against. We think that
> most OpenID Connect implementations also support OAuth 2.0, and hence have
> support for PKCE if following best practices.
>
>
>
> The advantages or requiring PKCE are:
>
>
>
> - a simpler programming model across all OAuth applications and profiles
> as they all use PKCE
>
>
>
> - reduced attack surface when using  S256 as a fingerprint of the verifier
> is sent through the browser instead of the clear text value
>
>
>
> - enforcement by AS not client - makes it easier to handle for client
> developers and AS can ensure the check is conducted
>
>
>
> What are disadvantages besides the potential impact to OpenID Connect
> deployments? How significant is that impact?
>
>
>
> Dick, Aaron, and Torsten
>
>
>
> ᐧ
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1 - require PKCE?

[Mike Jones]

The disadvantage of requiring PKCE for OpenID Connect implementations is that 
you’re trying to add a normative requirement that’s not required of OpenID 
Connect deployments today, which would bifurcate the ecosystem.  There are 
hundreds of implementations (including the 141 certified ones at 
https://openid.net/certification/), none of which have ever been required to 
support PKCE.  Therefore, most don’t.

Per feedback already provided, I believe that OAuth 2.1 should align with the 
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or 
the OpenID Connect nonce.  Trying to retroactively impose unnecessary 
requirements on existing deployments is unlikely to succeed and will 
significantly reduce the relevance of the OAuth 2.1 effort.

In particular, authorization servers shouldn’t be required to support PKCE when 
they already support the OpenID Connect nonce.  And clients shouldn’t reject 
responses from servers that don’t support PKCE when they do contain the OpenID 
Connect nonce.  Doing so would unnecessarily break things and create confusion 
in the marketplace.

  -- Mike

From: OAuth  On Behalf Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best 
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce 
solves some of the issues that PKCE protects against. We think that most OpenID 
Connect implementations also support OAuth 2.0, and hence have support for PKCE 
if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as 
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier is 
sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client 
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect 
deployments? How significant is that impact?

Dick, Aaron, and Torsten

[https://mailfoogae..appspot.com/t?sender=aZGljay5oYXJkdEBnbWFpbC5jb20%3D=zerocontent=452438ba-d429-4656-ace9-b284744bc171]ᐧ
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] OAuth 2.1 - require PKCE?

[Dick Hardt]

Hello!

We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
practice for OAuth 2.0. It is not common in OpenID Connect servers as the
nonce solves some of the issues that PKCE protects against. We think that
most OpenID Connect implementations also support OAuth 2.0, and hence have
support for PKCE if following best practices.

The advantages or requiring PKCE are:

- a simpler programming model across all OAuth applications and profiles as
they all use PKCE

- reduced attack surface when using  S256 as a fingerprint of the verifier
is sent through the browser instead of the clear text value

- enforcement by AS not client - makes it easier to handle for client
developers and AS can ensure the check is conducted

What are disadvantages besides the potential impact to OpenID Connect
deployments? How significant is that impact?

Dick, Aaron, and Torsten

ᐧ
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth