draft-ietf-oauth-spop-09.txt   draft-ietf-oauth-spop-10.txt 
OAuth Working Group N. Sakimura, Ed. OAuth Working Group N. Sakimura, Ed.
Internet-Draft Nomura Research Institute Internet-Draft Nomura Research Institute
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: August 9, 2015 Ping Identity Expires: August 10, 2015 Ping Identity
N. Agarwal N. Agarwal
Google Google
February 05, 2015 February 06, 2015
Proof Key for Code Exchange by OAuth Public Clients Proof Key for Code Exchange by OAuth Public Clients
draft-ietf-oauth-spop-09 draft-ietf-oauth-spop-10
Abstract Abstract
OAuth 2.0 public clients utilizing the Authorization Code Grant are OAuth 2.0 public clients utilizing the Authorization Code Grant are
susceptible to the authorization code interception attack. This susceptible to the authorization code interception attack. This
specification describes the attack as well as a technique to mitigate specification describes the attack as well as a technique to mitigate
against the threat. against the threat.
Status of This Memo Status of This Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 9, 2015. This Internet-Draft will expire on August 10, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 42 skipping to change at page 2, line 42
7.3. Entropy of the code_verifier . . . . . . . . . . . . . . 12 7.3. Entropy of the code_verifier . . . . . . . . . . . . . . 12
7.4. OAuth security considerations . . . . . . . . . . . . . . 12 7.4. OAuth security considerations . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
9. Revision History . . . . . . . . . . . . . . . . . . . . . . 13 9. Revision History . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.1. Normative References . . . . . . . . . . . . . . . . . . 15 10.1. Normative References . . . . . . . . . . . . . . . . . . 15
10.2. Informative References . . . . . . . . . . . . . . . . . 15 10.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. Notes on implementing base64url encoding without Appendix A. Notes on implementing base64url encoding without
padding . . . . . . . . . . . . . . . . . . . . . . 15 padding . . . . . . . . . . . . . . . . . . . . . . 15
Appendix B. Example for the S256 code_challenge_method . . . . . 16 Appendix B. Example for the S256 code_challenge_method . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
OAuth 2.0 [RFC6749] public clients are susceptible to the OAuth 2.0 [RFC6749] public clients are susceptible to the
authorization "code" interception attack. authorization "code" interception attack.
The attacker thereby intercepts the authorization code returned from The attacker thereby intercepts the authorization code returned from
the authorization endpoint within communication path not protected by the authorization endpoint within communication path not protected by
TLS, such as inter-app communication within the operating system of TLS, such as inter-app communication within the operating system of
the client. the client.
skipping to change at page 6, line 49 skipping to change at page 6, line 49
4. Protocol 4. Protocol
4.1. Client creates a code verifier 4.1. Client creates a code verifier
The client first creates a code verifier, "code_verifier", for each The client first creates a code verifier, "code_verifier", for each
OAuth 2.0 [RFC6749] Authorization Request, in the following manner: OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
code_verifier = high entropy cryptographic random STRING using the code_verifier = high entropy cryptographic random STRING using the
Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
from Sec 2.3 of RFC 3986 [RFC3986], with length less than 128 from Sec 2.3 of RFC 3986 [RFC3986], with a minimum length of 43
characters. characters and a maximum length of 128 characters.
ABNF for "code_verifier" is as follows. ABNF for "code_verifier" is as follows.
code-verifier = 42*128unreserved code-verifier = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39 DIGIT = %x30-39
NOTE: code verifier SHOULD have enough entropy to make it impractical NOTE: code verifier SHOULD have enough entropy to make it impractical
to guess the value. It is RECOMMENDED that the output of a suitable to guess the value. It is RECOMMENDED that the output of a suitable
random number generator be used to create a 32-octet sequence. The random number generator be used to create a 32-octet sequence. The
Octet sequence is then BASE64URL encoded to produce a 42-octet URL Octet sequence is then base64url encoded to produce a 43-octet URL
safe string to use as the code verifier. safe string to use as the code verifier.
4.2. Client creates the code challenge 4.2. Client creates the code challenge
The client then creates a code challenge, "code_challenge", derived The client then creates a code challenge, "code_challenge", derived
from the "code_verifier" by using one of the following from the "code_verifier" by using one of the following
transformations on the "code_verifier": transformations on the "code_verifier":
plain "code_challenge" = "code_verifier" plain "code_challenge" = "code_verifier"
S256 "code_challenge" = BASE64URL- S256 "code_challenge" = BASE64URL-
ENCODE(SHA256(ASCII("code_verifier"))) ENCODE(SHA256(ASCII("code_verifier")))
It is RECOMMENDED to use the S256 transformation when possible. It is RECOMMENDED to use the S256 transformation when possible.
ABNF for "code_challenge" is as follows. ABNF for "code_challenge" is as follows.
code-challenge = 42*128unreserved code-challenge = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39 DIGIT = %x30-39
4.3. Client sends the code challenge with the authorization request 4.3. Client sends the code challenge with the authorization request
The client sends the code challenge as part of the OAuth 2.0 The client sends the code challenge as part of the OAuth 2.0
Authorization Request (Section 4.1.1 of [RFC6749].) using the Authorization Request (Section 4.1.1 of [RFC6749].) using the
following additional parameters: following additional parameters:
skipping to change at page 8, line 31 skipping to change at page 8, line 31
"error_uri" SHOULD explain the nature of error, e.g., code challenge "error_uri" SHOULD explain the nature of error, e.g., code challenge
required. required.
If the server supporting PKCE does not support the requested If the server supporting PKCE does not support the requested
transform, the authorization endpoint MUST return the authorization transform, the authorization endpoint MUST return the authorization
error response with "error" value set to "invalid_request". The error response with "error" value set to "invalid_request". The
"error_description" or the response of "error_uri" SHOULD explain the "error_description" or the response of "error_uri" SHOULD explain the
nature of error, e.g., transform algorithm not supported. nature of error, e.g., transform algorithm not supported.
If the client is capable of using "S256", it MUST use "S256", as If the client is capable of using "S256", it MUST use "S256", as
"S256" is MTI on the server. Clients MAY use plain only if they "S256" is Mandatory To Implement (MTI) on the server. Clients MAY
cannot support "S256" for some technical reason and knows that the use plain only if they cannot support "S256" for some technical
server supports "plain". reason and knows that the server supports "plain".
4.5. Client sends the code and the secret to the token endpoint 4.5. Client sends the code and the secret to the token endpoint
Upon receipt of the "code", the client sends the Access Token Request Upon receipt of the "code", the client sends the Access Token Request
to the token endpoint. In addition to the parameters defined in the to the token endpoint. In addition to the parameters defined in the
OAuth 2.0 Access Token Request (Section 4.1.3 of [RFC6749]), it sends OAuth 2.0 Access Token Request (Section 4.1.3 of [RFC6749]), it sends
the following parameter: the following parameter:
code_verifier REQUIRED. Code verifier code_verifier REQUIRED. Code verifier
4.6. Server verifies code_verifier before returning the tokens 4.6. Server verifies code_verifier before returning the tokens
Upon receipt of the request at the Access Token endpoint, the server Upon receipt of the request at the Access Token endpoint, the server
verifies it by calculating the code challenge from received verifies it by calculating the code challenge from received
"code_verifier" and comparing it with the previously associated "code_verifier" and comparing it with the previously associated
"code_challenge", after first transforming it according to the "code_challenge", after first transforming it according to the
"code_challenge_method" method specified by the client. "code_challenge_method" method specified by the client.
If the "code_challenge_method" from Section 4.2 was "S256", the If the "code_challenge_method" from Section 4.2 was "S256", the
received "code_verifier" is first hashed with SHA-256 then compared received "code_verifier" is hashed by SHA-256, then base64url
to the base64url decoded "code_challenge". i.e., encoded, and then compared to the "code_challenge". i.e.,
SHA256(ASCII("code_verifier" )) == BASE64URL- BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) == "code_challenge"
DECODE("code_challenge").
If the "code_challenge_method" from Section 4.2 was "plain", they are If the "code_challenge_method" from Section 4.2 was "plain", they are
compared directly. i.e., compared directly. i.e.,
"code_challenge" == "code_verifier". "code_verifier" == "code_challenge".
If the values are equal, the Access Token endpoint MUST continue If the values are equal, the Access Token endpoint MUST continue
processing as normal (as defined by OAuth 2.0 [RFC6749]). If the processing as normal (as defined by OAuth 2.0 [RFC6749]). If the
values are not equal, an error response indicating "invalid_grant" as values are not equal, an error response indicating "invalid_grant" as
described in section 5.2 of [RFC6749] MUST be returned. described in section 5.2 of [RFC6749] MUST be returned.
5. Compatibility 5. Compatibility
Server implementations of this specification MAY accept OAuth2.0 Server implementations of this specification MAY accept OAuth2.0
Clients that do not implement this extension. If the "code_verifier" Clients that do not implement this extension. If the "code_verifier"
skipping to change at page 12, line 14 skipping to change at page 12, line 10
If "code_challenge" is to be returned inside authorization "code" to If "code_challenge" is to be returned inside authorization "code" to
achieve a stateless server, it has to be encrypted in such a manner achieve a stateless server, it has to be encrypted in such a manner
that only the server can decrypt and extract it. that only the server can decrypt and extract it.
7.3. Entropy of the code_verifier 7.3. Entropy of the code_verifier
The client SHOULD create a code_verifier with a minimum of 256bits of The client SHOULD create a code_verifier with a minimum of 256bits of
entropy. This can be done by having a suitable random number entropy. This can be done by having a suitable random number
generator create a 32-octet sequence. The Octet sequence can then be generator create a 32-octet sequence. The Octet sequence can then be
Base64url encoded to produce a 42-octet URL safe string to use as a base64url encoded to produce a 43-octet URL safe string to use as a
code_challenge that has the required entropy. code_challenge that has the required entropy.
Salting is not used in the production of the code_verifier, as the Salting is not used in the production of the code_verifier, as the
code_chalange contains sufficient entropy to prevent brute force code_chalange contains sufficient entropy to prevent brute force
attacks. Concatenating a publicly known value to a code_challenge attacks. Concatenating a publicly known value to a code_challenge
(with 256 bits of entropy) and then hashing it with SHA256 would (with 256 bits of entropy) and then hashing it with SHA256 would
actually reduce the entropy in the resulting code_verifier making it actually reduce the entropy in the resulting code_verifier making it
easier for an attacker to brute force. easier for an attacker to brute force.
While the S256 transformation is like hashing a password there are While the S256 transformation is like hashing a password there are
skipping to change at page 13, line 31 skipping to change at page 13, line 27
Prateek Mishra, Oracle Prateek Mishra, Oracle
Ryo Ito, mixi Ryo Ito, mixi
Scott Tomilson, Ping Identity Scott Tomilson, Ping Identity
Sergey Beryozkin Sergey Beryozkin
Takamichi Saito Takamichi Saito
Torsten Lodderstedt, Deutsche Telekom Torsten Lodderstedt, Deutsche Telekom
William Denniss, Google William Denniss, Google
9. Revision History 9. Revision History
-08 -10
o re #33 specify lower limit to code_verifier in prose
o remove base64url decode from draft, all steps now use encode only
o Expanded MTI
o re #33 change length of 32 octet base64url encoded string back to
43 octets
-09
o clean up some external references so they don't point at internal o clean up some external references so they don't point at internal
sections sections
-07 -08
o changed BASE64URL to BASE64URL-ENCODE to be more consistent with o changed BASE64URL to BASE64URL-ENCODE to be more consistent with
appendix A Fixed lowercase base64url in appendix B appendix A Fixed lowercase base64url in appendix B
o Added appendix B as an example of S256 processing o Added appendix B as an example of S256 processing
o Change reference for unreserved characters to RFC3986 from o Change reference for unreserved characters to RFC3986 from
base64URL base64URL
-07 -07
o removed unused discovery reference and UTF8 o removed unused discovery reference and UTF8
skipping to change at page 15, line 43 skipping to change at page 15, line 46
6749, October 2012. 6749, October 2012.
10.2. Informative References 10.2. Informative References
[RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
January 2013. January 2013.
Appendix A. Notes on implementing base64url encoding without padding Appendix A. Notes on implementing base64url encoding without padding
This appendix describes how to implement base64url encoding and This appendix describes how to implement a base64url encoding
decoding functions without padding based upon standard base64 function without padding based upon standard base64 encoding function
encoding and decoding functions that do use padding. that uses padding.
To be concrete, example C# code implementing these functions is shown To be concrete, example C# code implementing these functions is shown
below. Similar code could be used in other languages. below. Similar code could be used in other languages.
static string base64urlencode(byte [] arg) static string base64urlencode(byte [] arg)
{ {
string s = Convert.ToBase64String(arg); // Regular base64 encoder string s = Convert.ToBase64String(arg); // Regular base64 encoder
s = s.Split('=')[0]; // Remove any trailing '='s s = s.Split('=')[0]; // Remove any trailing '='s
s = s.Replace('+', '-'); // 62nd char of encoding s = s.Replace('+', '-'); // 62nd char of encoding
s = s.Replace('/', '_'); // 63rd char of encoding s = s.Replace('/', '_'); // 63rd char of encoding
return s; return s;
} }
static byte [] base64urldecode(string arg)
{
string s = arg;
s = s.Replace('-', '+'); // 62nd char of encoding
s = s.Replace('_', '/'); // 63rd char of encoding
switch (s.Length % 4) // Pad with trailing '='s
{
case 0: break; // No pad chars in this case
case 2: s += "=="; break; // Two pad chars
case 3: s += "="; break; // One pad char
default: throw new System.Exception(
"Illegal base64url string!");
}
return Convert.FromBase64String(s); // Standard base64 decoder
}
As per the example code above, the number of '=' padding characters
that needs to be added to the end of a base64url encoded string
without padding to turn it into one with padding is a deterministic
function of the length of the encoded string. Specifically, if the
length mod 4 is 0, no padding is added; if the length mod 4 is 2, two
'=' padding characters are added; if the length mod 4 is 3, one '='
padding character is added; if the length mod 4 is 1, the input is
malformed.
An example correspondence between unencoded and encoded values An example correspondence between unencoded and encoded values
follows. The octet sequence below encodes into the string below, follows. The octet sequence below encodes into the string below,
which when decoded, reproduces the octet sequence. which when decoded, reproduces the octet sequence.
3 236 255 224 193 3 236 255 224 193
A-z_4ME A-z_4ME
Appendix B. Example for the S256 code_challenge_method Appendix B. Example for the S256 code_challenge_method
skipping to change at page 17, line 21 skipping to change at page 16, line 44
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
The code_verifier is then hashed via the SHA256 hash function to The code_verifier is then hashed via the SHA256 hash function to
produce: produce:
[19, 211, 30, 150, 26, 26, 216, 236, 47, 22, 177, 12, 76, 152, 46, [19, 211, 30, 150, 26, 26, 216, 236, 47, 22, 177, 12, 76, 152, 46,
8, 118, 168, 120, 173, 109, 241, 68, 86, 110, 225, 137, 74, 203, 8, 118, 168, 120, 173, 109, 241, 68, 86, 110, 225, 137, 74, 203,
112, 249, 195] 112, 249, 195]
Encoding this octet sequence as a Base64url provides the value of the Encoding this octet sequence as a base64url provides the value of the
code_challenge: code_challenge:
E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
The authorization request includes: The authorization request includes:
code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
&code_challange_method=S256 &code_challange_method=S256
The Authorization server then records the code_challenge and The Authorization server then records the code_challenge and
skipping to change at page 17, line 43 skipping to change at page 17, line 20
client. client.
in the request to the token_endpoint the client includes the code in the request to the token_endpoint the client includes the code
received in the authorization response as well as the additional received in the authorization response as well as the additional
paramater: paramater:
code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
The Authorization server retrieves the information for the code The Authorization server retrieves the information for the code
grant. Based on the recorded code_challange_method being S256, it grant. Based on the recorded code_challange_method being S256, it
then hashes the value of code_verifier. SHA256(ASCII("code_verifier" then hashes and base64url encodes the value of code_verifier.
)) BASE64URL-ENCODE(SHA256(ASCII("code_verifier" )))
The Authorization can then either one of: The calculated value is then compared with the value of
"code_challenge":
BASE64-DECODE(code_challenge ) == SHA256(ASCII("code_verifier" )) BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) == code_challenge
BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) ==
code_challenge
If the two values are equal then the Authorization server can provide If the two values are equal then the Authorization server can provide
the tokens as long as there are no other errors in the request. If the tokens as long as there are no other errors in the request. If
the values are not equal then the request must be rejected, and an the values are not equal then the request must be rejected, and an
error returned. error returned.
Authors' Addresses Authors' Addresses
Nat Sakimura (editor) Nat Sakimura (editor)
Nomura Research Institute Nomura Research Institute
 End of changes. 22 change blocks. 
56 lines changed or deleted 37 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/