draft-ietf-oauth-spop-05.txt   draft-ietf-oauth-spop-06.txt 
OAuth Working Group N. Sakimura, Ed. OAuth Working Group N. Sakimura, Ed.
Internet-Draft Nomura Research Institute Internet-Draft Nomura Research Institute
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: June 08, 2015 Ping Identity Expires: July 26, 2015 Ping Identity
N. Agarwal N. Agarwal
Google Google
December 07, 2014 January 22, 2015
Symmetric Proof of Possession for the OAuth Authorization Code Grant Proof Key for Code Exchange by OAuth Public Clients
draft-ietf-oauth-spop-05 draft-ietf-oauth-spop-06
Abstract Abstract
The OAuth 2.0 public client utilizing Authorization Code Grant (RFC OAuth 2.0 public clients utilizing the Authorization Code Grant are
6749 - 4.1) is susceptible to the code interception attack. This susceptible to the authorization code interception attack. This
specification describes a mechanism that acts as a control against specification describes the attack as well as a technique to mitigate
this threat. against the threat.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 08, 2015. This Internet-Draft will expire on July 26, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (http://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Simplified BSD License text to this document. Code Components extracted from this document must
as described in Section 4.e of the Trust Legal Provisions and are include Simplified BSD License text as described in Section 4.e of
provided without warranty as described in the Simplified BSD License. the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 4
2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Client creates a code verifier . . . . . . . . . . . . . . 4 4.1. Client creates a code verifier . . . . . . . . . . . . . 6
4.2. Client creates the code challenge . . . . . . . . . . . . 5 4.2. Client creates the code challenge . . . . . . . . . . . . 6
4.3. Client sends the code challenge with the authorization 4.3. Client sends the code challenge with the authorization
request . . . . . . . . . . . . . . . . . . . . . . . . . 5 request . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.4. Server returns the code . . . . . . . . . . . . . . . . . 5 4.4. Server returns the code . . . . . . . . . . . . . . . . . 7
4.4.1. Error Response . . . . . . . . . . . . . . . . . . . . 6 4.4.1. Error Response . . . . . . . . . . . . . . . . . . . 7
4.5. Client sends the code and the secret to the token endpoint 6 4.5. Client sends the code and the secret to the token
4.6. Server verifies code_verifier before returning the tokens 6 endpoint . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 7 4.6. Server verifies code_verifier before returning the tokens 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1. OAuth Parameters Registry . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6.2. SPOP Code Challenge Method Registry . . . . . . . . . . . 7 6.1. OAuth Parameters Registry . . . . . . . . . . . . . . . . 9
6.2.1. Registration Template . . . . . . . . . . . . . . . . 8 6.2. PKCE Code Challenge Method Registry . . . . . . . . . . . 9
6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 8 6.2.1. Registration Template . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 10
7.1. Entropy of the code verifier . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7.2. Protection against eavesdroppers . . . . . . . . . . . . . 9 7.1. Entropy of the code verifier . . . . . . . . . . . . . . 11
7.3. Checking the Server support . . . . . . . . . . . . . . . 9 7.2. Protection against eavesdroppers . . . . . . . . . . . . 11
7.4. OAuth security considerations . . . . . . . . . . . . . . 9 7.3. Checking the Server support . . . . . . . . . . . . . . . 11
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 7.4. Entropy of the code_verifier . . . . . . . . . . . . . . 11
9. Revision History . . . . . . . . . . . . . . . . . . . . . . . 10 7.5. OAuth security considerations . . . . . . . . . . . . . . 12
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
10.1. Normative References . . . . . . . . . . . . . . . . . . 10 9. Revision History . . . . . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . 11 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
Appendix A. Notes on implementing base64url encoding without paddi 11 10.1. Normative References . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 10.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Notes on implementing base64url encoding without
padding . . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
Public clients in OAuth 2.0 [RFC6749] are susceptible to the OAuth 2.0 [RFC6749] public clients are susceptible to the
authorization "code" interception attack. A malicious client authorization "code" interception attack.
intercepts the authorization code returned from the authorization
endpoint within communication path not protected by TLS, such as The attacker thereby intercepts the authorization code returned from
inter-app communication, and uses it to obtain the access token. the authorization endpoint within communication path not protected by
This is possible on a public client as there is no client secret TLS, such as inter-app communication within the operating system of
associated for it to be sent to the token endpoint. This is the client.
especially true on Smartphone applications where the authorization
code can be returned through custom URL Schemes where the same scheme Once the attacker has gained access to the authorization code it can
can be registered by multiple applications. Under this scenario, the use it to obtain the access token.
mitigation strategy stated in section 4.4.1 of [RFC6819] does not
work as they rely on per-client instance secret or per client Figure 1 shows the attack graphically. In step (1) the native app
instance redirect URI. running on the end device, such as a smart phone, issues an
authorization request via the browser/operating system, which then
gets forwarded to the OAuth 2.0 authorization server in step (2).
The authorization server returns the authorization code in step (3).
The malicious app is able to observe the authorization code in step
(4) since it is registered to the custom URI scheme used by the
legitimate app. This allows the attacker to reguest and obtain an
access token in step (5) and step (6), respectively.
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| End Device (e.g., Smart Phone) |
| |
| +-------------+ +----------+ | (6) Access Token +----------+
| |Legitimate | | Malicious|<--------------------| |
| |OAuth 2.0 App| | App |-------------------->| |
| +-------------+ +----------+ | (5) Authorization | |
| | ^ ^ | Grant | |
| | \ | | | |
| | \ (4) | | | |
| (1) | \ Authz| | | |
| Authz| \ Code | | | Authz |
| Request| \ | | | Server |
| | \ | | | |
| | \ | | | |
| v \ | | | |
| +----------------------------+ | | |
| | | | (3) Authz Code | |
| | Operating System/ |<--------------------| |
| | Browser |-------------------->| |
| | | | (2) Authz Request | |
| +----------------------------+ | +----------+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
Figure 1: Authorization Code Interception Attack.
A number of pre-conditions need to hold in order for this attack to
work:
1) The attacker manages to register a malicious application on the
client device and registers a custom URI scheme that is also used
by another application.
The operating systems must allow a custom URI schemes to be
registered by multiple applications.
2) The OAuth 2.0 authorization code grant is used.
3) The attacker has access to the client id. All native app client-
instances use the same client id. No client secret is used (since
public clients cannot keep their secrets confidential.)
4) The attacker (via the installed app) is able to observe responses
from the authorization endpoint. As a more sophisticated attack
scenario the attacker is also able to observe requests (in
addition to responses) to the authorization endpoint. The
attacker is, however, not able to act as a man-in-the-middle.
While this is a long list of pre-conditions the described attack has
been observed in the wild and has to be considered in OAuth 2.0
deployments. While Section 4.4.1 of [RFC6819] describes mitigation
techniques they are, unfortunately, not applicable since they rely on
a per-client instance secret or aper client instance redirect URI.
To mitigate this attack, this extension utilizes a dynamically To mitigate this attack, this extension utilizes a dynamically
created cryptographically random key called 'code verifier'. The code created cryptographically random key called 'code verifier'. The
verifier is created for every authorization request and its code verifier is created for every authorization request and its
transformed value, called 'code challenge', is sent to the transformed value, called 'code challenge', is sent to the
authorization server to obtain the authorization code. The authorization server to obtain the authorization code. The
authorization "code" obtained is then sent to the token endpoint with authorization "code" obtained is then sent to the token endpoint with
the 'code verifier' and the server compares it with the previously the 'code verifier' and the server compares it with the previously
received request code so that it can perform the proof of possession received request code so that it can perform the proof of possession
of the 'code verifier' by the client. This works as the mitigation of the 'code verifier' by the client. This works as the mitigation
since the attacker would not know this one-time key. since the attacker would not know this one-time key.
1.1. Protocol Flow 1.1. Protocol Flow
+--------+ +---------------+ +--------+ +---------------+
| |--(A)-- Authorization Request --->| | | |--(A)-- Authorization Request --->| |
| | + t(code_verifier), t | Resource | | | + t(code_verifier), t | Resource |
| | | Owner | | | | Owner |
| |<-(B)--- Authorization Grant -----| | | |<-(B)--- Authorization Grant -----| |
| | +---------------+ | | +---------------+
| Client | | Client |
| | +---------------+ | | +---------------+
| |--(C)--- Access Token Request --->| | | |--(C)--- Access Token Request --->| |
| | + code_verifier | Authorization | | | + code_verifier | Authorization |
| | | Server | | | | Server |
| |<-(D)------ Access Token ---------| | | |<-(D)------ Access Token ---------| |
+--------+ +---------------+ +--------+ +---------------+
Figure 2: Abstract Protocol Flow
This specification adds additional parameters to the OAuth 2.0 This specification adds additional parameters to the OAuth 2.0
Authorization and Access Token Requests, shown in abstract form in Authorization and Access Token Requests, shown in abstract form in
Figure 1. Figure 1.
A. The client creates and records a secret named the "code_verifier", A. The client creates and records a secret named the "code_verifier",
and derives a transformed version "t(code_verifier)" (referred to and derives a transformed version "t(code_verifier)" (referred to
as the "code_challenge") which is sent in the OAuth 2.0 as the "code_challenge") which is sent in the OAuth 2.0
Authorization Request, along with the transformation method "t". Authorization Request, along with the transformation method "t".
B. The resource owner responds as usual, but records B. The resource owner responds as usual, but records
"t(code_verifier)" and the transformation method. "t(code_verifier)" and the transformation method.
C. The client then sends the code to the Access Token Request as C. The client then sends the code to the Access Token Request as
usual, but includes the "code_verifier" secret generated at (A). usual, but includes the "code_verifier" secret generated at (A).
D. The authorization server transforms "code_verifier" and compares D. The authorization server transforms "code_verifier" and compares
it to "t(code_verifier)" from (B). Access is denied if they are it to "t(code_verifier)" from (B). Access is denied if they are
not equal. not equal.
An attacker who intercepts the Authorization Grant at (B) is unable An attacker who intercepts the Authorization Grant at (B) is unable
to redeem it for an Access Token, as they are not in possession of to redeem it for an Access Token, as they are not in possession of
the "code_verifier" secret. the "code_verifier" secret.
2. Notational Conventions 2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in Key "OPTIONAL" in this document are to be interpreted as described in Key
words for use in RFCs to Indicate Requirement Levels [RFC2119]. If words for use in RFCs to Indicate Requirement Levels [RFC2119]. If
these words are used without being spelled in uppercase then they are these words are used without being spelled in uppercase then they are
to be interpreted with their normal natural language meanings. to be interpreted with their normal natural language meanings.
This specification uses the Augmented Backus-Naur Form (ABNF) This specification uses the Augmented Backus-Naur Form (ABNF)
notation of [RFC5234]. notation of [RFC5234].
skipping to change at page 4, line 15 skipping to change at page 5, line 38
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in Key "OPTIONAL" in this document are to be interpreted as described in Key
words for use in RFCs to Indicate Requirement Levels [RFC2119]. If words for use in RFCs to Indicate Requirement Levels [RFC2119]. If
these words are used without being spelled in uppercase then they are these words are used without being spelled in uppercase then they are
to be interpreted with their normal natural language meanings. to be interpreted with their normal natural language meanings.
This specification uses the Augmented Backus-Naur Form (ABNF) This specification uses the Augmented Backus-Naur Form (ABNF)
notation of [RFC5234]. notation of [RFC5234].
BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per
Section 3 producing a [US-ASCII] STRING. Section 3 producing a ASCII [RFC0020] STRING.
BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING, BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING,
per Section 3, producing a UTF-8 sequence of octets. per Section 3, producing a UTF-8 sequence of octets.
SHA256(STRING) denotes a SHA2 256bit hash [RFC4634] of STRING. SHA256(STRING) denotes a SHA2 256bit hash [RFC6234] of STRING.
UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation
of STRING. of STRING.
ASCII(STRING) denotes the octets of the ASCII [US-ASCII] ASCII(STRING) denotes the octets of the ASCII [RFC0020]
representation of STRING. representation of STRING.
The concatenation of two values A and B is denoted as A || B. The concatenation of two values A and B is denoted as A || B.
3. Terminology 3. Terminology
In addition to the terms defined in OAuth 2.0 [RFC6749], this In addition to the terms defined in OAuth 2.0 [RFC6749], this
specification defines the following terms: specification defines the following terms:
code verifier A cryptographically random string that is used to code verifier A cryptographically random string that is used to
correlate the authorization request to the token request. correlate the authorization request to the token request.
code challenge A challenge derived from the code verifier that is code challenge A challenge derived from the code verifier that is
sent in the authorization request, to be verified against later. sent in the authorization request, to be verified against later.
Base64url Encoding Base64 encoding using the URL- and filename-safe Base64url Encoding Base64 encoding using the URL- and filename-safe
character set defined in Section 5 of RFC 4648 [RFC4648], with all character set defined in Section 5 of RFC 4648 [RFC4648], with all
trailing '=' characters omitted (as permitted by Section 3.2) and trailing '=' characters omitted (as permitted by Section 3.2) and
without the inclusion of any line breaks, whitespace, or other without the inclusion of any line breaks, whitespace, or other
additional characters. (See Appendix Appendix A for notes on additional characters. (See Appendix A for notes on implementing
implementing base64url encoding without padding.) base64url encoding without padding.)
4. Protocol 4. Protocol
4.1. Client creates a code verifier 4.1. Client creates a code verifier
The client first creates a code verifier, "code_verifier", for each The client first creates a code verifier, "code_verifier", for each
OAuth 2.0 [RFC6749] Authorization Request, in the following manner: OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
code_verifier = high entropy cryptographic random [US-ASCII] sequence code_verifier = high entropy cryptographic random ASCII [RFC0020]
using the url and filename safe Alphabet [A-Z] / [a-z] / [0-9] / "-" octet sequence using the url and filename safe Alphabet [A-Z] / [a-z]
/ "_" from Sec 5 of RFC 4648 [RFC4648], with length less than 128 / [0-9] / "-" / "_" from Sec 5 of RFC 4648 [RFC4648], with length
characters. less than 128 characters.
ABNF for "code_verifier" is as follows. ABNF for "code_verifier" is as follows.
code_verifier = 42*128unreserved code-verifier = 42*128unreserved
unreserved = [A-Z] / [a-z] / [0-9] / "-" / "_" unreserved = ALPHA / DIGIT / "-" / "_"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39
NOTE: code verifier SHOULD have enough entropy to make it impractical NOTE: code verifier SHOULD have enough entropy to make it impractical
to guess the value. It is RECOMMENDED that the output of a suitable to guess the value. It is RECOMMENDED that the output of a suitable
random number generator be used to create a 32-octet sequence. The random number generator be used to create a 32-octet sequence. The
Octet sequence is then BASE64URL encoded to produce a 42-octet URL Octet sequence is then BASE64URL encoded to produce a 42-octet URL
safe string to use as the code verifier. safe string to use as the code verifier.
4.2. Client creates the code challenge 4.2. Client creates the code challenge
The client then creates a code challenge, "code_challenge", derived The client then creates a code challenge, "code_challenge", derived
from the "code_verifier" by using one of the following from the "code_verifier" by using one of the following
transformations on the "code_verifier": transformations on the "code_verifier":
plain "code_challenge" = "code_verifier" plain "code_challenge" = "code_verifier"
S256 "code_challenge" = BASE64URL(SHA256("code_verifier")) S256 "code_challenge" = BASE64URL(SHA256("code_verifier"))
It is RECOMMENDED to use the S256 transformation when possible. It is RECOMMENDED to use the S256 transformation when possible.
ABNF for "code_challenge" is as follows. ABNF for "code_challenge" is as follows.
code_challenge = 42*128unreserved code-challenge = 42*128unreserved
unreserved = [A-Z] / [a-z] / [0-9] / "-" / "_" unreserved = ALPHA / DIGIT / "-" / "_"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39
4.3. Client sends the code challenge with the authorization request 4.3. Client sends the code challenge with the authorization request
The client sends the code challenge as part of the OAuth 2.0 The client sends the code challenge as part of the OAuth 2.0
[RFC6749] Authorization Request (Section 4.1.1.) using the following [RFC6749] Authorization Request (Section 4.1.1.) using the following
additional parameters: additional parameters:
code_challenge REQUIRED. Code challenge. code_challenge REQUIRED. Code challenge.
code_challenge_method OPTIONAL, defaults to "plain". Code verifier code_challenge_method OPTIONAL, defaults to "plain". Code verifier
transformation method, "S256" or "plain". transformation method, "S256" or "plain".
4.4. Server returns the code 4.4. Server returns the code
When the server issues the "code" in the Authorization Response, it When the server issues the "code" in the Authorization Response, it
MUST associate the "code_challenge" and "code_challenge_method" MUST associate the "code_challenge" and "code_challenge_method"
values with the "code" so it can be verified later. values with the "code" so it can be verified later.
Typically, the "code_challenge" and "code_challenge_method" values Typically, the "code_challenge" and "code_challenge_method" values
are stored in encrypted form in the "code" itself, but could are stored in encrypted form in the "code" itself, but could
alternatively be stored on the server, associated with the code. The alternatively be stored on the server, associated with the code. The
server MUST NOT include the "code_challenge" value in client requests server MUST NOT include the "code_challenge" value in client requests
in a form that other entities can extract. in a form that other entities can extract.
The exact method that the server uses to associate the The exact method that the server uses to associate the
"code_challenge" with the issued "code" is out of scope for this "code_challenge" with the issued "code" is out of scope for this
specification. specification.
4.4.1. Error Response 4.4.1. Error Response
If the server requires SPOP, and the client does not send the If the server requires PKCE, and the client does not send the
"code_challenge" in the request, the authorization endpoint MUST "code_challenge" in the request, the authorization endpoint MUST
return the authorization error response with "error" value set to return the authorization error response with "error" value set to
"invalid_request" and "error_description" or "error_uri" whose "invalid_request". The "error_description" or the response of
content explaining the nature of error. "error_uri" SHOULD explain the nature of error, e.g., code challenge
required.
If the server supporting SPOP only supports "S256", and the client If the server supporting PKCE does not support the requested
requests plain transformation, the authorization endpoint MUST return transform, the authorization endpoint MUST return the authorization
the authorization error response with "error" value set to error response with "error" value set to "invalid_request". The
"unsupported_spop_transform". The "error_description" or the "error_description" or the response of "error_uri" SHOULD explain the
response of "error_uri" SHOULD explain the nature of error, e.g., nature of error, e.g., transform algorithm not supported.
transform algorithm not supported.
If the client is capable of using "S256", it MUST use "S256", as If the client is capable of using "S256", it MUST use "S256", as
"S256" is MTI on the server. Clients MAY use plain only if they "S256" is MTI on the server. Clients MAY use plain only if they
cannot support "S256" for some technical reason and knows that the cannot support "S256" for some technical reason and knows that the
server supports "plain". server supports "plain".
4.5. Client sends the code and the secret to the token endpoint 4.5. Client sends the code and the secret to the token endpoint
Upon receipt of the "code", the client sends the Access Token Request Upon receipt of the "code", the client sends the Access Token Request
to the token endpoint. In addition to the parameters defined in to the token endpoint. In addition to the parameters defined in
OAuth 2.0 [RFC6749] Access Token Request (Section 4.1.3.), it sends OAuth 2.0 [RFC6749] Access Token Request (Section 4.1.3.), it sends
the following parameter: the following parameter:
code_verifier REQUIRED. Code verifier code_verifier REQUIRED. Code verifier
4.6. Server verifies code_verifier before returning the tokens 4.6. Server verifies code_verifier before returning the tokens
Upon receipt of the request at the Access Token endpoint, the server Upon receipt of the request at the Access Token endpoint, the server
verifies it by calculating the code challenge from received verifies it by calculating the code challenge from received
"code_verifier" and comparing it with the previously associated "code_verifier" and comparing it with the previously associated
"code_challenge", after first transforming it according to the "code_challenge", after first transforming it according to the
"code_challenge_method" method specified by the client. "code_challenge_method" method specified by the client.
If the "code_challenge_method" from Section 4.2 was "S256", the If the "code_challenge_method" from Section 4.2 was "S256", the
received "code_verifier" is first hashed with SHA-256 then compared received "code_verifier" is first hashed with SHA-256 then compared
to the base64url decoded "code_challenge". i.e., to the base64url decoded "code_challenge". i.e.,
SHA256("code_verifier" ) == BASE64URL-DECODE("code_challenge"). SHA256("code_verifier" ) == BASE64URL-DECODE("code_challenge").
If the "code_challenge_method" from Section 4.2 was "plain", they are If the "code_challenge_method" from Section 4.2 was "plain", they are
compared directly. i.e., compared directly. i.e.,
"code_challenge" == "code_verifier". "code_challenge" == "code_verifier".
If the values are equal, the Access Token endpoint MUST continue If the values are equal, the Access Token endpoint MUST continue
processing as normal (as defined by OAuth 2.0 [RFC6749]). If the processing as normal (as defined by OAuth 2.0 [RFC6749]). If the
values are not equal, an error response indicating "invalid_grant" as values are not equal, an error response indicating "invalid_grant" as
described in section 5.2 of OAuth 2.0 [RFC6749] MUST be returned. described in section 5.2 of OAuth 2.0 [RFC6749] MUST be returned.
5. Compatibility 5. Compatibility
Server implementations of this specification MAY accept OAuth2.0 Server implementations of this specification MAY accept OAuth2.0
Clients that do not implement this extension. If the "code_verifier" Clients that do not implement this extension. If the "code_verifier"
is not received from the client in the Authorization Request, servers is not received from the client in the Authorization Request, servers
supporting backwards compatibility SHOULD revert to a normal OAuth supporting backwards compatibility SHOULD revert to a normal OAuth
2.0 [RFC6749] protocol. 2.0 [RFC6749] protocol.
skipping to change at page 7, line 51 skipping to change at page 9, line 43
o Parameter name: code_challenge o Parameter name: code_challenge
o Parameter usage location: Authorization Request o Parameter usage location: Authorization Request
o Change controller: IESG o Change controller: IESG
o Specification document(s): this document o Specification document(s): this document
o Parameter name: code_challenge_method o Parameter name: code_challenge_method
o Parameter usage location: Authorization Request o Parameter usage location: Authorization Request
o Change controller: IESG o Change controller: IESG
o Specification document(s): this document o Specification document(s): this document
6.2. SPOP Code Challenge Method Registry 6.2. PKCE Code Challenge Method Registry
This specification establishes the SPOP Code Challenge Method This specification establishes the PKCE Code Challenge Method
registry. registry.
Additional code_challenge_method types for use with the authorization Additional code_challenge_method types for use with the authorization
endpoint are registered with a Specification Required ([RFC5226]) endpoint are registered with a Specification Required ([RFC5226])
after a two-week review period on the oauth-ext-review@ietf.org after a two-week review period on the oauth-ext-review@ietf.org
mailing list, on the advice of one or more Designated Experts. mailing list, on the advice of one or more Designated Experts.
However, to allow for the allocation of values prior to publication, However, to allow for the allocation of values prior to publication,
the Designated Expert(s) may approve registration once they are the Designated Expert(s) may approve registration once they are
satisfied that such a specification will be published. satisfied that such a specification will be published.
Registration requests must be sent to the oauth-ext-review@ietf.org Registration requests must be sent to the oauth-ext-review@ietf.org
mailing list for review and comment, with an appropriate subject mailing list for review and comment, with an appropriate subject
(e.g., "Request for SPOP code_challenge_method: example"). (e.g., "Request for PKCE code_challenge_method: example").
Within the review period, the Designated Expert(s) will either Within the review period, the Designated Expert(s) will either
approve or deny the registration request, communicating this decision approve or deny the registration request, communicating this decision
to the review list and IANA. Denials should include an explanation to the review list and IANA. Denials should include an explanation
and, if applicable, suggestions as to how to make the request and, if applicable, suggestions as to how to make the request
successful. successful.
IANA must only accept registry updates from the Designated Expert(s) IANA must only accept registry updates from the Designated Expert(s)
and should direct all requests for registration to the review mailing and should direct all requests for registration to the review mailing
list. list.
skipping to change at page 8, line 45 skipping to change at page 10, line 39
case-insensitive manner unless the Designated Expert(s) state that case-insensitive manner unless the Designated Expert(s) state that
there is a compelling reason to allow an exception in this there is a compelling reason to allow an exception in this
particular case. particular case.
Change Controller: Change Controller:
For Standards Track RFCs, state "IESG". For others, give the name For Standards Track RFCs, state "IESG". For others, give the name
of the responsible party. Other details (e.g., postal address, of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included. email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document(s) that specify the parameter, Reference to the document(s) that specify the parameter,
preferably including URI(s) that can be used to retrieve copies of preferably including URI(s) that can be used to retrieve copies of
the document(s). An indication of the relevant sections may also the document(s). An indication of the relevant sections may also
be included but is not required. be included but is not required.
6.2.2. Initial Registry Contents 6.2.2. Initial Registry Contents
This specification registers the Code Challenge Method Parameter This specification registers the Code Challenge Method Parameter
names defined in Section 4.2 in this registry. names defined in Section 4.2 in this registry.
o Code Challenge Method Parameter Name: "plain" o Code Challenge Method Parameter Name: "plain"
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.2 of [[ this document ]] o Specification Document(s): Section 4.2 of [[ this document ]]
skipping to change at page 9, line 22 skipping to change at page 11, line 22
learned or guessed by the attacker. It is vitally important to learned or guessed by the attacker. It is vitally important to
adhere to this principle. As such, the code verifier has to be adhere to this principle. As such, the code verifier has to be
created in such a manner that it is cryptographically random and has created in such a manner that it is cryptographically random and has
high entropy that it is not practical for the attacker to guess. It high entropy that it is not practical for the attacker to guess. It
is RECOMMENDED that the output of a suitable random number generator is RECOMMENDED that the output of a suitable random number generator
be used to create a 32-octet sequence. be used to create a 32-octet sequence.
7.2. Protection against eavesdroppers 7.2. Protection against eavesdroppers
Clients MUST NOT try down grading the algorithm after trying "S256" Clients MUST NOT try down grading the algorithm after trying "S256"
method. If the server is SPOP compliant, then "S256" method works. method. If the server is PKCE compliant, then "S256" method works.
If the server does not support SPOP, it does not generate error. If the server does not support PKCE, it does not generate error.
Only the time that the server returns that it does not support "S256" Only the time that the server returns that it does not support "S256"
is there is a MITM trying the algorithm downgrade attack. is there is a MITM trying the algorithm downgrade attack.
"S256" method protects against eavesdroppers observing or "S256" method protects against eavesdroppers observing or
intercepting the "code_challenge". If the "plain" method is used, intercepting the "code_challenge". If the "plain" method is used,
there is a chance that it will be observed by the attacker on the there is a chance that it will be observed by the attacker on the
device. The use of "S256" protects against it. device. The use of "S256" protects against it.
If "code_challenge" is to be returned inside authorization "code" to If "code_challenge" is to be returned inside authorization "code" to
achieve a stateless server, it has to be encrypted in such a manner achieve a stateless server, it has to be encrypted in such a manner
skipping to change at page 9, line 46 skipping to change at page 11, line 46
7.3. Checking the Server support 7.3. Checking the Server support
Before starting the authorization process, the client SHOULD check if Before starting the authorization process, the client SHOULD check if
the server supports this specification. Confirmation of the server the server supports this specification. Confirmation of the server
support may be obtained out-of-band or through some other mechanisms support may be obtained out-of-band or through some other mechanisms
such as the discovery document in OpenID Connect Discovery such as the discovery document in OpenID Connect Discovery
[OpenID.Discovery]. The exact mechanism on how the client obtains [OpenID.Discovery]. The exact mechanism on how the client obtains
this information, or the action it takes as a result is out of scope this information, or the action it takes as a result is out of scope
of this specification. of this specification.
7.4. OAuth security considerations 7.4. Entropy of the code_verifier
The client SHOULD create a code_verifier with a minimum of 256bits of
entropy. This can be done by having a suitable random number
generator create a 32-octet sequence. The Octet sequence can then be
Base64url encoded to produce a 42-octet URL safe string to use as a
code_challenge that has the required entropy.
Salting is not used in the production of the code_verifier, as the
code_chalange contains sufficient entropy to prevent brute force
attacks. Concatenating a publicly known value to a code_challenge
(with 256 bits of entropy) and then hashing it with SHA256 would
actually reduce the entropy in the resulting code_verifier making it
easier for an attacker to brute force.
While the S256 transformation is like hashing a password there are
important differences. Passwords tend to be relatively low entropy
words that can be hashed offline and the hash looked up in a
dictionary. By concatenating a unique though public value to each
password prior to hashing, the dictionary space that an attacker
needs to search is greatly expanded.
Modern graphics processors now allow attackers to calculate hashes in
real time faster than they could be looked up from a disk. This
eliminates the value of the salt in increasing the complexity of a
brute force attack for even low entropy passwords.
7.5. OAuth security considerations
All the OAuth security analysis presented in [RFC6819] applies so All the OAuth security analysis presented in [RFC6819] applies so
readers SHOULD carefully follow it. readers SHOULD carefully follow it.
8. Acknowledgements 8. Acknowledgements
The initial draft of this specification was created by the OpenID AB/ The initial draft of this specification was created by the OpenID AB/
Connect Working Group of the OpenID Foundation, most notably by the Connect Working Group of the OpenID Foundation, most notably by the
following people: following people:
o Naveen Agarwal, Google o Anthony Nadalin, Microsoft
o Dirk Balfanz, Google o Axel Nenker, Deutsche Telekom
o Sergey Beryozkin o Breno de Medeiros, Google
o John Bradley, Ping Identity
o Brian Campbell, Ping Identity o Brian Campbell, Ping Identity
o William Denniss, Google o Chuck Mortimore, Salesforce
o Dirk Balfanz, Google
o Eduardo Gueiros, Jive Communications o Eduardo Gueiros, Jive Communications
o Hannes Tschonfenig, ARM
o James Manger, Telstra
o John Bradley, Ping Identity
o Justin Richer, MIT Kerberos
o Josh Mandel, Boston Children's Hospital
o Lewis Adam, Motorola Solutions
o Madjid Nakhjiri, Samsung
o Michael B. Jones, Microsoft
o Nat Sakimura, Nomura Research Institute
o Naveen Agarwal, Google
o Paul Madsen, Ping Identity
o Phil Hunt, Oracle o Phil Hunt, Oracle
o Prateek Mishra, Oracle
o Ryo Ito, mixi o Ryo Ito, mixi
o Michael B. Jones, Microsoft o Scott Tomlinson
o Sergey Beryozkin
o Takamichi Saito
o Torsten Lodderstedt, Deutsche Telekom o Torsten Lodderstedt, Deutsche Telekom
o Breno de Medeiros, Google o William Denniss, Google
o Prateek Mishra, Oracle
o Anthony Nadalin, Microsoft
o Axel Nenker, Deutsche Telekom
o Nat Sakimura, Nomura Research Institute
9. Revision History 9. Revision History
-06
o fix date
o replace spop with pkce for registry and other references
o re #29 change name again
o re #27 removed US-ASCII reference
o re #27 updated ABNF for code_verifier
o resolves #24 added security consideration for salting
o resolves #29 Changed title
o updated reference to RFC4634 to RFC6234 re #27
o changed reference for US-ASCII to RFC20 re #27
o resolves #28 added Acknowledgements
o resolves #27 updated ABNF
o resolves #26 updated abstract and added Hannes figure
-05 -05
o Added IANA registry for code_challenge_method + fixed some broken o Added IANA registry for code_challenge_method + fixed some broken
internal references. internal references.
-04 -04
o Added error response to authorization response. o Added error response to authorization response.
-03 -03
skipping to change at page 10, line 54 skipping to change at page 14, line 17
o Changed MUST in 3.1 to SHOULD. o Changed MUST in 3.1 to SHOULD.
-00 -00
o Initial IETF version. o Initial IETF version.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC0020] Cerf, V., "ASCII format for network interchange", RFC 20,
October 1969.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and HMAC-SHA)", RFC 4634, July 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
6749, October 2012. 6749, October 2012.
[US-ASCII]
American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986.
10.2. Informative References 10.2. Informative References
[OpenID.Discovery] [OpenID.Discovery]
Sakimura, N., Bradley, J., Jones, M.B. and E. Jay, "OpenID Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID
Connect Discovery 1.0", February 2014. Connect Discovery 1.0", February 2014.
[RFC6819] Lodderstedt, T., McGloin, M. and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
January 2013. January 2013.
Appendix A. Notes on implementing base64url encoding without padding Appendix A. Notes on implementing base64url encoding without padding
This appendix describes how to implement base64url encoding and This appendix describes how to implement base64url encoding and
decoding functions without padding based upon standard base64 decoding functions without padding based upon standard base64
encoding and decoding functions that do use padding. encoding and decoding functions that do use padding.
To be concrete, example C# code implementing these functions is shown To be concrete, example C# code implementing these functions is shown
skipping to change at page 12, line 44 skipping to change at page 16, line 4
length mod 4 is 0, no padding is added; if the length mod 4 is 2, two length mod 4 is 0, no padding is added; if the length mod 4 is 2, two
'=' padding characters are added; if the length mod 4 is 3, one '=' '=' padding characters are added; if the length mod 4 is 3, one '='
padding character is added; if the length mod 4 is 1, the input is padding character is added; if the length mod 4 is 1, the input is
malformed. malformed.
An example correspondence between unencoded and encoded values An example correspondence between unencoded and encoded values
follows. The octet sequence below encodes into the string below, follows. The octet sequence below encodes into the string below,
which when decoded, reproduces the octet sequence. which when decoded, reproduces the octet sequence.
3 236 255 224 193 3 236 255 224 193
A-z_4ME A-z_4ME
Authors' Addresses Authors' Addresses
Nat Sakimura, editor Nat Sakimura (editor)
Nomura Research Institute Nomura Research Institute
1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg. 1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg.
Chiyoda-ku, Tokyo 100-0005 Chiyoda-ku, Tokyo 100-0005
Japan Japan
Phone: +81-3-5533-2111 Phone: +81-3-5533-2111
Email: n-sakimura@nri.co.jp Email: n-sakimura@nri.co.jp
URI: http://nat.sakimura.org/ URI: http://nat.sakimura.org/
John Bradley John Bradley
Ping Identity Ping Identity
Casilla 177, Sucursal Talagante Casilla 177, Sucursal Talagante
Talagante, RM Talagante, RM
Chile Chile
Phone: +44 20 8133 3718 Phone: +44 20 8133 3718
Email: ve7jtb@ve7jtb.com Email: ve7jtb@ve7jtb.com
URI: http://www.thread-safe.com/ URI: http://www.thread-safe.com/
skipping to change at page 13, line 17 skipping to change at page 16, line 31
Talagante, RM Talagante, RM
Chile Chile
Phone: +44 20 8133 3718 Phone: +44 20 8133 3718
Email: ve7jtb@ve7jtb.com Email: ve7jtb@ve7jtb.com
URI: http://www.thread-safe.com/ URI: http://www.thread-safe.com/
Naveen Agarwal Naveen Agarwal
Google Google
1600 Amphitheatre Pkwy 1600 Amphitheatre Pkwy
Mountain View, CA 94043 Mountain View, CA 94043
USA USA
Phone: +1 650-253-0000 Phone: +1 650-253-0000
Email: naa@google.com Email: naa@google.com
URI: http://google.com/ URI: http://google.com/
 End of changes. 59 change blocks. 
142 lines changed or deleted 261 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/