draft-ietf-oauth-spop-13.txt   draft-ietf-oauth-spop-14.txt 
OAuth Working Group N. Sakimura, Ed. OAuth Working Group N. Sakimura, Ed.
Internet-Draft Nomura Research Institute Internet-Draft Nomura Research Institute
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: January 6, 2016 Ping Identity Expires: January 7, 2016 Ping Identity
N. Agarwal N. Agarwal
Google Google
July 5, 2015 July 6, 2015
Proof Key for Code Exchange by OAuth Public Clients Proof Key for Code Exchange by OAuth Public Clients
draft-ietf-oauth-spop-13 draft-ietf-oauth-spop-14
Abstract Abstract
OAuth 2.0 public clients utilizing the Authorization Code Grant are OAuth 2.0 public clients utilizing the Authorization Code Grant are
susceptible to the authorization code interception attack. This susceptible to the authorization code interception attack. This
specification describes the attack as well as a technique to mitigate specification describes the attack as well as a technique to mitigate
against the threat. against the threat through the use of Proof Key for Code Exchange
(PKCE, pronounced "pixy").
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 6, 2016. This Internet-Draft will expire on January 7, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 5
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 5 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 6
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Abbreviations . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Client creates a code verifier . . . . . . . . . . . . . 6 4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. Client creates the code challenge . . . . . . . . . . . . 7 4.1. Client creates a code verifier . . . . . . . . . . . . . 7
4.2. Client creates the code challenge . . . . . . . . . . . . 8
4.3. Client sends the code challenge with the authorization 4.3. Client sends the code challenge with the authorization
request . . . . . . . . . . . . . . . . . . . . . . . . . 7 request . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.4. Server returns the code . . . . . . . . . . . . . . . . . 8 4.4. Server returns the code . . . . . . . . . . . . . . . . . 8
4.4.1. Error Response . . . . . . . . . . . . . . . . . . . 8 4.4.1. Error Response . . . . . . . . . . . . . . . . . . . 9
4.5. Client sends the code and the secret to the token 4.5. Client sends the Authorization Code and the Code Verifier
endpoint . . . . . . . . . . . . . . . . . . . . . . . . 8 to the token endpoint . . . . . . . . . . . . . . . . . . 9
4.6. Server verifies code_verifier before returning the tokens 9 4.6. Server verifies code_verifier before returning the tokens 9
5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 9 5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 10
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6.1. OAuth Parameters Registry . . . . . . . . . . . . . . . . 9 6.1. OAuth Parameters Registry . . . . . . . . . . . . . . . . 10
6.2. PKCE Code Challenge Method Registry . . . . . . . . . . . 10 6.2. PKCE Code Challenge Method Registry . . . . . . . . . . . 11
6.2.1. Registration Template . . . . . . . . . . . . . . . . 10 6.2.1. Registration Template . . . . . . . . . . . . . . . . 11
6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 11 6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 12
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
7.1. Entropy of the code_verifier . . . . . . . . . . . . . . 11 7.1. Entropy of the code_verifier . . . . . . . . . . . . . . 12
7.2. Protection against eavesdroppers . . . . . . . . . . . . 12 7.2. Protection against eavesdroppers . . . . . . . . . . . . 12
7.3. Salting the code_challenge . . . . . . . . . . . . . . . 12 7.3. Salting the code_challenge . . . . . . . . . . . . . . . 13
7.4. OAuth security considerations . . . . . . . . . . . . . . 13 7.4. OAuth security considerations . . . . . . . . . . . . . . 14
7.5. TLS security considerations . . . . . . . . . . . . . . . 13 7.5. TLS security considerations . . . . . . . . . . . . . . . 14
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
9. Revision History . . . . . . . . . . . . . . . . . . . . . . 14 9. Revision History . . . . . . . . . . . . . . . . . . . . . . 15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
10.1. Normative References . . . . . . . . . . . . . . . . . . 16 10.1. Normative References . . . . . . . . . . . . . . . . . . 17
10.2. Informative References . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . 18
Appendix A. Notes on implementing base64url encoding without Appendix A. Notes on implementing base64url encoding without
padding . . . . . . . . . . . . . . . . . . . . . . 17 padding . . . . . . . . . . . . . . . . . . . . . . 18
Appendix B. Example for the S256 code_challenge_method . . . . . 17 Appendix B. Example for the S256 code_challenge_method . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
1. Introduction 1. Introduction
OAuth 2.0 [RFC6749] public clients are susceptible to the OAuth 2.0 [RFC6749] public clients are susceptible to the
authorization "code" interception attack. authorization code interception attack.
The attacker thereby intercepts the authorization code returned from The attacker thereby intercepts the authorization code returned from
the authorization endpoint within communication path not protected by the authorization endpoint within communication path not protected by
TLS, such as inter-app communication within the operating system of TLS, such as inter-app communication within the operating system of
the client. the client.
Once the attacker has gained access to the authorization code it can Once the attacker has gained access to the authorization code it can
use it to obtain the access token. use it to obtain the access token.
Figure 1 shows the attack graphically. In step (1) the native app Figure 1 shows the attack graphically. In step (1) the native app
running on the end device, such as a smart phone, issues an running on the end device, such as a smart phone, issues an OAuth 2.0
authorization request via the browser/operating system, which then Authorization Request via the browser/operating system. The
gets forwarded to the OAuth 2.0 authorization server in step (2). Redirection Endpoint URI in this case typically uses a custom URI
The authorization server returns the authorization code in step (3). scheme. Step (1) happens through a secure API that cannot be
The malicious app is able to observe the authorization code in step intercepted, though it may potentially be observed in advanced attack
(4) since it is registered to the custom URI scheme used by the scenarios. The request then gets forwarded to the OAuth 2.0
legitimate app. This allows the attacker to reguest and obtain an authorization server in step (2). Because OAuth requires the use of
access token in step (5) and step (6), respectively. TLS, this communication is protected by TLS, and also cannot be
intercepted. The authorization server returns the authorization code
in step (3). In step (4), the Authorization Code is returned to the
requester via the Redirection Endpoint URI that was provided in step
(1).
A malicious app that has been designed to attack this native app has
previously registered itself as a handler for the custom URI scheme
is now able to intercept the Authorization Code in step (4). This
allows the attacker to request and obtain an access token in steps
(5) and (6), respectively.
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| End Device (e.g., Smart Phone) | | End Device (e.g., Smart Phone) |
| | | |
| +-------------+ +----------+ | (6) Access Token +----------+ | +-------------+ +----------+ | (6) Access Token +----------+
| |Legitimate | | Malicious|<--------------------| | | |Legitimate | | Malicious|<--------------------| |
| |OAuth 2.0 App| | App |-------------------->| | | |OAuth 2.0 App| | App |-------------------->| |
| +-------------+ +----------+ | (5) Authorization | | | +-------------+ +----------+ | (5) Authorization | |
| | ^ ^ | Grant | | | | ^ ^ | Grant | |
| | \ | | | | | | \ | | | |
skipping to change at page 4, line 32 skipping to change at page 5, line 16
While this is a long list of pre-conditions the described attack has While this is a long list of pre-conditions the described attack has
been observed in the wild and has to be considered in OAuth 2.0 been observed in the wild and has to be considered in OAuth 2.0
deployments. deployments.
While the OAuth 2.0 Threat Model Section 4.4.1 [RFC6819] describes While the OAuth 2.0 Threat Model Section 4.4.1 [RFC6819] describes
mitigation techniques they are, unfortunately, not applicable since mitigation techniques they are, unfortunately, not applicable since
they rely on a per-client instance secret or aper client instance they rely on a per-client instance secret or aper client instance
redirect URI. redirect URI.
To mitigate this attack, this extension utilizes a dynamically To mitigate this attack, this extension utilizes a dynamically
created cryptographically random key called 'code verifier'. A created cryptographically random key called "code verifier". A
unique code verifier is created for every authorization request and unique code verifier is created for every authorization request and
its transformed value, called 'code challenge', is sent to the its transformed value, called "code challenge", is sent to the
authorization server to obtain the authorization code. The authorization server to obtain the authorization code. The
authorization "code" obtained is then sent to the token endpoint with authorization code obtained is then sent to the token endpoint with
the 'code verifier' and the server compares it with the previously the "code verifier" and the server compares it with the previously
received request code so that it can perform the proof of possession received request code so that it can perform the proof of possession
of the 'code verifier' by the client. This works as the mitigation of the "code verifier" by the client. This works as the mitigation
since the attacker would not know this one-time key. since the attacker would not know this one-time key, since it is sent
over TLS and cannot be intercepted.
1.1. Protocol Flow 1.1. Protocol Flow
+-------------------+ +-------------------+
| Authz Server | | Authz Server |
+--------+ | +---------------+ | +--------+ | +---------------+ |
| |--(A)- Authorization Request ---->| | | | |--(A)- Authorization Request ---->| | |
| | + t(code_verifier), t | | Authorization | | | | + t(code_verifier), t | | Authorization | |
| | | | Endpoint | | | | | | Endpoint | |
| |<-(B)---- Authorization Code -----| | | | |<-(B)---- Authorization Code -----| | |
| | | +---------------+ | | | | +---------------+ |
| Client | | | | Client | | |
| | | +---------------+ | | | | +---------------+ |
skipping to change at page 5, line 33 skipping to change at page 6, line 11
This specification adds additional parameters to the OAuth 2.0 This specification adds additional parameters to the OAuth 2.0
Authorization and Access Token Requests, shown in abstract form in Authorization and Access Token Requests, shown in abstract form in
Figure 1. Figure 1.
A. The client creates and records a secret named the "code_verifier", A. The client creates and records a secret named the "code_verifier",
and derives a transformed version "t(code_verifier)" (referred to and derives a transformed version "t(code_verifier)" (referred to
as the "code_challenge") which is sent in the OAuth 2.0 as the "code_challenge") which is sent in the OAuth 2.0
Authorization Request, along with the transformation method "t". Authorization Request, along with the transformation method "t".
B. The Authorization Endpoint responds as usual, but records B. The Authorization Endpoint responds as usual, but records
"t(code_verifier)" and the transformation method. "t(code_verifier)" and the transformation method.
C. The client then sends the code in the Access Token Request as C. The client then sends the authorization code in the Access Token
usual, but includes the "code_verifier" secret generated at (A). Request as usual, but includes the "code_verifier" secret
generated at (A).
D. The authorization server transforms "code_verifier" and compares D. The authorization server transforms "code_verifier" and compares
it to "t(code_verifier)" from (B). Access is denied if they are it to "t(code_verifier)" from (B). Access is denied if they are
not equal. not equal.
An attacker who intercepts the Authorization Grant at (B) is unable An attacker who intercepts the Authorization Grant at (B) is unable
to redeem it for an Access Token, as they are not in possession of to redeem it for an Access Token, as they are not in possession of
the "code_verifier" secret. the "code_verifier" secret.
2. Notational Conventions 2. Notational Conventions
skipping to change at page 6, line 29 skipping to change at page 7, line 10
BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING, BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING,
per Section 3, producing a sequence of octets. per Section 3, producing a sequence of octets.
SHA256(OCTETS) denotes a SHA2 256bit hash [RFC6234] of OCTETS. SHA256(OCTETS) denotes a SHA2 256bit hash [RFC6234] of OCTETS.
3. Terminology 3. Terminology
In addition to the terms defined in OAuth 2.0 [RFC6749], this In addition to the terms defined in OAuth 2.0 [RFC6749], this
specification defines the following terms: specification defines the following terms:
code verifier A cryptographically random string that is used to code verifier
correlate the authorization request to the token request. A cryptographically random string that is used to correlate the
code challenge A challenge derived from the code verifier that is authorization request to the token request.
sent in the authorization request, to be verified against later. code challenge
Base64url Encoding Base64 encoding using the URL- and filename-safe A challenge derived from the code verifier that is sent in the
character set defined in Section 5 of [RFC4648], with all trailing authorization request, to be verified against later.
'=' characters omitted (as permitted by Section 3.2 of [RFC4648]) Base64url Encoding
and without the inclusion of any line breaks, whitespace, or other Base64 encoding using the URL- and filename-safe character set
defined in Section 5 of [RFC4648], with all trailing '='
characters omitted (as permitted by Section 3.2 of [RFC4648]) and
without the inclusion of any line breaks, whitespace, or other
additional characters. (See Appendix A for notes on implementing additional characters. (See Appendix A for notes on implementing
base64url encoding without padding.) base64url encoding without padding.)
3.1. Abbreviations
ABNF Augmented Backus-Naur Form
Authz Authorization
PKCE Proof Key for Code Exchange
MITM Man-in-the-middle
MTI Mandatory To Implement
4. Protocol 4. Protocol
4.1. Client creates a code verifier 4.1. Client creates a code verifier
The client first creates a code verifier, "code_verifier", for each The client first creates a code verifier, "code_verifier", for each
OAuth 2.0 [RFC6749] Authorization Request, in the following manner: OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
code_verifier = high entropy cryptographic random STRING using the code_verifier = high entropy cryptographic random STRING using the
Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
from Sec 2.3 of [RFC3986], with a minimum length of 43 characters and from Sec 2.3 of [RFC3986], with a minimum length of 43 characters and
skipping to change at page 7, line 18 skipping to change at page 8, line 10
DIGIT = %x30-39 DIGIT = %x30-39
NOTE: code verifier SHOULD have enough entropy to make it impractical NOTE: code verifier SHOULD have enough entropy to make it impractical
to guess the value. It is RECOMMENDED that the output of a suitable to guess the value. It is RECOMMENDED that the output of a suitable
random number generator be used to create a 32-octet sequence. The random number generator be used to create a 32-octet sequence. The
Octet sequence is then base64url encoded to produce a 43-octet URL Octet sequence is then base64url encoded to produce a 43-octet URL
safe string to use as the code verifier. safe string to use as the code verifier.
4.2. Client creates the code challenge 4.2. Client creates the code challenge
The client then creates a code challenge, "code_challenge", derived The client then creates a code challenge derived from the code
from the "code_verifier" by using one of the following verifier by using one of the following transformations on the code
transformations on the "code_verifier": verifier:
plain "code_challenge" = "code_verifier" plain
S256 "code_challenge" = BASE64URL- code_challenge = code_verifier
ENCODE(SHA256(ASCII("code_verifier"))) S256
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
Clients SHOULD use the S256 transformation. The plain transformation Clients SHOULD use the S256 transformation. The plain transformation
is for compatibility with existing deployments and for constrained is for compatibility with existing deployments and for constrained
environments that can't use the S256 transformation. environments that can't use the S256 transformation.
ABNF for "code_challenge" is as follows. ABNF for "code_challenge" is as follows.
code-challenge = 43*128unreserved code-challenge = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
skipping to change at page 8, line 7 skipping to change at page 8, line 44
following additional parameters: following additional parameters:
code_challenge REQUIRED. Code challenge. code_challenge REQUIRED. Code challenge.
code_challenge_method OPTIONAL, defaults to "plain" if not present code_challenge_method OPTIONAL, defaults to "plain" if not present
in the request. Code verifier transformation method, "S256" or in the request. Code verifier transformation method, "S256" or
"plain". "plain".
4.4. Server returns the code 4.4. Server returns the code
When the server issues the "code" in the Authorization Response, it When the server issues the authorization code in the authorization
MUST associate the "code_challenge" and "code_challenge_method" response, it MUST associate the "code_challenge" and
values with the "code" so it can be verified later. "code_challenge_method" values with the authorization code so it can
be verified later.
Typically, the "code_challenge" and "code_challenge_method" values Typically, the "code_challenge" and "code_challenge_method" values
are stored in encrypted form in the "code" itself, but could are stored in encrypted form in the "code" itself, but could
alternatively be stored on the server, associated with the code. The alternatively be stored on the server, associated with the code. The
server MUST NOT include the "code_challenge" value in client requests server MUST NOT include the "code_challenge" value in client requests
in a form that other entities can extract. in a form that other entities can extract.
The exact method that the server uses to associate the The exact method that the server uses to associate the
"code_challenge" with the issued "code" is out of scope for this "code_challenge" with the issued "code" is out of scope for this
specification. specification.
4.4.1. Error Response 4.4.1. Error Response
If the server requires PKCE, and the client does not send the If the server requires Proof Key for Code Exchange (PKCE) by OAuth
"code_challenge" in the request, the authorization endpoint MUST Public Clients, and the client does not send the "code_challenge" in
return the authorization error response with "error" value set to the request, the authorization endpoint MUST return the authorization
"invalid_request". The "error_description" or the response of error response with "error" value set to "invalid_request". The
"error_uri" SHOULD explain the nature of error, e.g., code challenge "error_description" or the response of "error_uri" SHOULD explain the
required. nature of error, e.g., code challenge required.
If the server supporting PKCE does not support the requested If the server supporting PKCE does not support the requested
transform, the authorization endpoint MUST return the authorization transform, the authorization endpoint MUST return the authorization
error response with "error" value set to "invalid_request". The error response with "error" value set to "invalid_request". The
"error_description" or the response of "error_uri" SHOULD explain the "error_description" or the response of "error_uri" SHOULD explain the
nature of error, e.g., transform algorithm not supported. nature of error, e.g., transform algorithm not supported.
If the client is capable of using "S256", it MUST use "S256", as If the client is capable of using "S256", it MUST use "S256", as
"S256" is Mandatory To Implement (MTI) on the server. Clients MAY "S256" is Mandatory To Implement (MTI) on the server. Clients are
use "plain" only if they cannot support "S256" for some technical permitted to use "plain" only if they cannot support "S256" for some
reason and knows that the server supports "plain". technical reason and knows that the server supports "plain".
4.5. Client sends the code and the secret to the token endpoint 4.5. Client sends the Authorization Code and the Code Verifier to the
token endpoint
Upon receipt of the "code", the client sends the Access Token Request Upon receipt of the Authorization Code, the client sends the Access
to the token endpoint. In addition to the parameters defined in the Token Request to the token endpoint. In addition to the parameters
OAuth 2.0 Access Token Request (Section 4.1.3 of [RFC6749]), it sends defined in the OAuth 2.0 Access Token Request (Section 4.1.3 of
the following parameter: [RFC6749]), it sends the following parameter:
code_verifier REQUIRED. Code verifier code_verifier REQUIRED. Code verifier
The code_challenge_method is bound to the code when the code is The code_challenge_method is bound to the Authorization Code when the
issued. That is the method that the token endpoint MUST use to Authorization Code is issued. That is the method that the token
verify the code_verifier. endpoint MUST use to verify the code_verifier.
4.6. Server verifies code_verifier before returning the tokens 4.6. Server verifies code_verifier before returning the tokens
Upon receipt of the request at the Access Token endpoint, the server Upon receipt of the request at the Access Token endpoint, the server
verifies it by calculating the code challenge from received verifies it by calculating the code challenge from received
"code_verifier" and comparing it with the previously associated "code_verifier" and comparing it with the previously associated
"code_challenge", after first transforming it according to the "code_challenge", after first transforming it according to the
"code_challenge_method" method specified by the client. "code_challenge_method" method specified by the client.
If the "code_challenge_method" from Section 4.2 was "S256", the If the "code_challenge_method" from Section 4.2 was "S256", the
skipping to change at page 9, line 34 skipping to change at page 10, line 26
If the values are equal, the Access Token endpoint MUST continue If the values are equal, the Access Token endpoint MUST continue
processing as normal (as defined by OAuth 2.0 [RFC6749]). If the processing as normal (as defined by OAuth 2.0 [RFC6749]). If the
values are not equal, an error response indicating "invalid_grant" as values are not equal, an error response indicating "invalid_grant" as
described in section 5.2 of [RFC6749] MUST be returned. described in section 5.2 of [RFC6749] MUST be returned.
5. Compatibility 5. Compatibility
Server implementations of this specification MAY accept OAuth2.0 Server implementations of this specification MAY accept OAuth2.0
Clients that do not implement this extension. If the "code_verifier" Clients that do not implement this extension. If the "code_verifier"
is not received from the client in the Authorization Request, servers is not received from the client in the Authorization Request, servers
supporting backwards compatibility SHOULD revert to a normal OAuth supporting backwards compatibility revert to a normal OAuth 2.0
2.0 [RFC6749] protocol. [RFC6749] protocol.
As the OAuth 2.0 [RFC6749] server responses are unchanged by this As the OAuth 2.0 [RFC6749] server responses are unchanged by this
specification, client implementations of this specification do not specification, client implementations of this specification do not
need to know if the server has implemented this specification or not, need to know if the server has implemented this specification or not,
and SHOULD send the additional parameters as defined in Section 3. to and SHOULD send the additional parameters as defined in Section 3. to
all servers. all servers.
6. IANA Considerations 6. IANA Considerations
This specification makes a registration request as follows: This specification makes a registration request as follows:
skipping to change at page 12, line 15 skipping to change at page 12, line 50
7.2. Protection against eavesdroppers 7.2. Protection against eavesdroppers
Clients MUST NOT try down grading the algorithm after trying "S256" Clients MUST NOT try down grading the algorithm after trying "S256"
method. If the server is PKCE compliant, then "S256" method will method. If the server is PKCE compliant, then "S256" method will
work. If the server does not support PKCE, it will not generate an work. If the server does not support PKCE, it will not generate an
error. The only time that a server will return that it does not error. The only time that a server will return that it does not
support "S256" is if there is a MITM trying the algorithm downgrade support "S256" is if there is a MITM trying the algorithm downgrade
attack. attack.
"S256" method protects against eavesdroppers observing or "S256" method protects against eavesdroppers observing or
intercepting the "code_challenge". If the "plain" method is used, intercepting the "code_challenge", because the challenge cannot be
there is a chance that "code_challenge" will be observed by the used without the verifier. With the "plain" method, there is a
attacker on the device, or in the http request. The use of "S256" chance that "code_challenge" will be observed by the attacker on the
protects against disclosure of "code_verifier" value to an attacker. device, or in the http request. Since the code challenge is the same
as the code verifier in this case, "plain" method deso not protect
against the eavesdropping of the initial request.
The use of "S256" protects against disclosure of "code_verifier"
value to an attacker.
Because of this, "plain" SHOULD NOT be used, and exists only for
compatibility with deployed implementations where the request path is
already protected. The "plain" method MUST NOT be used in new
implementations.
The "S256" code_challenge_method or other cryptographically secure The "S256" code_challenge_method or other cryptographically secure
code_challenge_method extension SHOULD be used. The plain code_challenge_method extension SHOULD be used. The plain
code_challenge_method relies on the operating system and transport code_challenge_method relies on the operating system and transport
security not to disclose the request to an attacker. security not to disclose the request to an attacker.
If the code_challenge_method is plain, and the "code_challenge" is to If the code_challenge_method is plain, and the "code_challenge" is to
be returned inside authorization "code" to achieve a stateless be returned inside authorization "code" to achieve a stateless
server, it MUST be encrypted in such a manner that only the server server, it MUST be encrypted in such a manner that only the server
can decrypt and extract it. can decrypt and extract it.
skipping to change at page 14, line 7 skipping to change at page 15, line 7
Prateek Mishra, Oracle Prateek Mishra, Oracle
Ryo Ito, mixi Ryo Ito, mixi
Scott Tomilson, Ping Identity Scott Tomilson, Ping Identity
Sergey Beryozkin Sergey Beryozkin
Takamichi Saito Takamichi Saito
Torsten Lodderstedt, Deutsche Telekom Torsten Lodderstedt, Deutsche Telekom
William Denniss, Google William Denniss, Google
9. Revision History 9. Revision History
-14
o #38. Expanded Section 7.2 to explain why plain should not be
used.
o #39. Modified Section 4.4.1 to discourage the use of plain.
o #40. Modified Intro text to explain the attack better.
o #41. Added explanation that the token request is protected in the
Last paragraph of the Introduction.
o #42. Sec 4.2: Removed redundant double quotes caused by spanx.
o #43. Sec 4.4: Replaced code with authorization code.
o #44. Sec 4.5: say "code_verifier" rather than "secret"
o #45. Sec 4.4.1: Expanded PKCE.
o #46. Sec 5: SHOULD in para 1 removed.
o Added abbreviations section.
-13 -13
o Fix the parameter usage locations for the OAuth Parameters o Fix the parameter usage locations for the OAuth Parameters
Registry per Hannes response. Registry per Hannes response.
o Clarify for IANA that the new registry is a sub-registry of OAuth o Clarify for IANA that the new registry is a sub-registry of OAuth
Parameters registry Parameters registry
o aded text on why the code_challenge_method is not sent to the o aded text on why the code_challenge_method is not sent to the
token endpoint. token endpoint.
-12 -12
 End of changes. 32 change blocks. 
91 lines changed or deleted 145 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/