Re: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1

Mon, 11 May 2020 16:56:00 -0700 

Thank you Neil.

To address Mike's concerns in the previous threads, I would like to also
update section 9.7 with the following text:

Clients MUST prevent injection (replay) of authorization codes into the
authorization response by attackers. The use of the `code_challenge`
parameter is RECOMMENDED to this end. For confidential clients, the
OpenID Connect `nonce` parameter and ID Token Claim {{OpenID}} MAY be used
instead of or in addition to the `code_challenge` parameter for this
purpose. The `code_challenge` or OpenID Connect `nonce` value MUST be
transaction-specific and securely bound to the client and the user agent
in which the transaction was started.

This change better clarifies the specific circumstances under which the
"nonce" parameter is sufficient to protect against authorization code
injection.

Aaron Parecki

On Mon, May 11, 2020 at 11:55 AM Neil Madden <neil.mad...@forgerock.com>
wrote:

> I am happy with this proposed wording. Thanks for updating it.
>
> — Neil
>
> On 11 May 2020, at 19:52, Aaron Parecki <aa...@parecki.com> wrote:
>
> Thanks for the lively discussion around PKCE in OAuth 2.1 everyone!
>
> We would like to propose the following text, which is a slight variation
> from the text Neil proposed. This would replace the paragraph in 4.1.2.1 (
> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02#section-4.1.2.1)
> that begins with "If the client does not send the "code_challenge" in the
> request..."
>
> "An AS MUST reject requests without a code_challenge from public clients,
> and MUST reject such requests from other clients unless there is reasonable
> assurance that the client mitigates authorization code injection in other
> ways. See section 9.7 for details."
>
> Section 9.7 is where the nuances of PKCE vs nonce are described.
>
> As Neil described, we believe this will allow ASs to support both OAuth
> 2.0 and 2.1 clients simultaneously. The change from Neil's text is the
> clarification of which threats, and changing to MUST instead of SHOULD. The
> "MUST...unless" is more specific than "SHOULD", and since we are already
> describing the explicit exception to the rule, it's more clear as a MUST
> here.
>
> Aaron Parecki
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to