Hello Aaron,
> * Whether an AS token endpoint rejects a request that contains a PKCE
> code_verifier if the authorization code was issued with no code_challenge present

This is indeed one of the test cases. Out of the small set of 15 sites I have currently tested (major providers - think Google, Microsoft, Facebook, ....), the results are the following:

- 7 sites do not implement PKCE (they ignore the parameters altogether)
- 3 sites have PKCE support but do not detect the downgrade
- 3 sites have PKCE support and detect the downgrade
- 2 sites do not use the authorization code grant

> * Whether an OIDC client uses PKCE
> * Whether an OIDC client that does not use PKCE properly checks the nonce
> value (for all response types)

I should have been more specific in my first email: the test suite tests server implementations, not client implementations. The framework is basically a (malicious) client. I've thought about testing clients, but it seems much harder. A number of the client security guidelines are difficult to test (e.g. "the client secret should be stored securely"), and the testing procedure will likely not support a high degree of automation. But it is something I'm interested in investigating further in a follow-up project.

Regards,
Pieter

________________________________
From: Aaron Parecki <aa...@parecki.com>
Sent: Monday, June 22, 2020 16:03
To: Pieter Philippaerts
Subject: Re: [OAUTH-WG] OAuth services/libraries wanted for security evaluation...

Hi Pieter,

This sounds like a great project! Can you make sure to test these things, I would be very curious to see the result and it will help inform some of the future work in the Security BCP and OAuth 2.1.

* Whether an AS token endpoint rejects a request that contains a PKCE code_verifier if the authorization code was issued with no code_challenge present
* Whether an OIDC client uses PKCE
* Whether an OIDC client that does not use PKCE properly checks the nonce value (for all response types)

Thank you!
---
Aaron Parecki
https://aaronparecki.com

On Mon, Jun 22, 2020 at 6:51 AM Pieter Philippaerts <pieter.philippae...@kuleuven.be> wrote:

Hello everyone,

As part of a research project, I've created a test suite to test OAuth 2.0 implementations and measure how well they implement the various MAY/SHOULD/MUST security recommendations in the OAuth standards. (It also includes test cases for the OIDC and FAPI RO/RW recommendations.) The tool is practically finished and will be made available to the public in a few months.

I'm currently working on a security analysis of the OAuth2 ecosystem (i.e. I'm using the tool to test various OAuth/OIDC implementations) and I'm still looking for more candidates to test. If you are the author of an OAuth library or if you are running an OAuth service, feel free to contact me to get involved. Apart from my gratitude, I can offer you a free security audit of your product :-)

Regards,
Pieter

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
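The token-endpoint check Aaron asks about, written out as an added Python illustration (this is not part of the thread and not Pieter's test suite or any provider's code): a toy in-memory authorization server that binds the code_challenge to the issued code, with a switch between the "PKCE support but does not detect the downgrade" and "detects the downgrade" behaviours from Pieter's tally, plus the probe a malicious client runs to tell them apart. The class and function names and the in-memory code store are assumptions made for the example; the S256 test vector is the one from RFC 7636 Appendix B.

```python
"""Toy authorization server for the PKCE downgrade check.
Example code written for this page; not the test suite or any real AS.
Names (AuthorizationServer, probe_pkce_downgrade) are assumptions."""

import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
    RFC 7636 Appendix B vector: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    -> "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """In-memory AS. detect_downgrade=False models an AS that supports PKCE but
    silently ignores a code_verifier for a code issued without a code_challenge;
    True models the check the Security BCP asks for."""

    def __init__(self, detect_downgrade: bool = True):
        self.detect_downgrade = detect_downgrade
        self._codes: Dict[str, dict] = {}   # code -> issuance record (constructed store)

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: Optional[str] = None) -> str:
        """Authorization endpoint (user consent assumed). Whatever challenge was
        present, or the fact that none was, is bound to the issued code."""
        method = None
        if code_challenge is not None:
            method = code_challenge_method or "plain"   # RFC 7636 default when absent
            if method not in ("plain", "S256"):
                raise ValueError("invalid_request: unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id,
                             "challenge": code_challenge, "method": method}
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str] = None) -> dict:
        """Token endpoint for grant_type=authorization_code."""
        record = self._codes.pop(code, None)            # codes are single-use
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        challenge = record["challenge"]
        if challenge is None:
            # The AS never saw a code_challenge for this code. A code_verifier now
            # means the authorization request the honest client sent is not the one
            # the AS processed (it was stripped in transit): the downgrade case.
            if code_verifier is not None and self.detect_downgrade:
                return {"error": "invalid_grant",
                        "error_description": "code_verifier sent for a code issued "
                                             "without code_challenge"}
            return self._issue_token()
        # Code was bound to a challenge: a verifier is mandatory and must match.
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        expected = (s256_challenge(code_verifier) if record["method"] == "S256"
                    else code_verifier)
        if not hmac.compare_digest(expected.encode("utf-8"), challenge.encode("utf-8")):
            return {"error": "invalid_grant"}
        return self._issue_token()

    @staticmethod
    def _issue_token() -> dict:
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def probe_pkce_downgrade(server: AuthorizationServer, client_id: str = "probe") -> str:
    """The malicious-client test case from the thread: run the authorization
    request with no PKCE parameters, then redeem the code with a verifier anyway."""
    code = server.authorize(client_id)                  # no code_challenge at all
    verifier = secrets.token_urlsafe(48)                # 64 chars, within 43..128
    response = server.token(client_id, code, code_verifier=verifier)
    if "access_token" in response:
        return "PKCE downgrade NOT detected"
    return "PKCE downgrade detected"


if __name__ == "__main__":
    for name, srv in (("strict", AuthorizationServer(True)),
                      ("lenient", AuthorizationServer(False))):
        print(f"{name}: {probe_pkce_downgrade(srv)}")
```

The probe only needs the lenient server's answer to be a token, which is why a client-side test suite can classify an AS without any privileged access: if the token endpoint accepts a code_verifier for a code it issued without a code_challenge, an attacker who strips the challenge from the front channel wins regardless of how carefully the client implemented PKCE.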