draft-ietf-oauth-spop-15.txt   rfc7636.txt 
OAuth Working Group N. Sakimura, Ed. Internet Engineering Task Force (IETF) N. Sakimura, Ed.
Internet-Draft Nomura Research Institute Request for Comments: 7636 Nomura Research Institute
Intended status: Standards Track J. Bradley Category: Standards Track J. Bradley
Expires: January 9, 2016 Ping Identity ISSN: 2070-1721 Ping Identity
N. Agarwal N. Agarwal
Google Google
July 8, 2015 September 2015
Proof Key for Code Exchange by OAuth Public Clients Proof Key for Code Exchange by OAuth Public Clients
draft-ietf-oauth-spop-15
Abstract Abstract
OAuth 2.0 public clients utilizing the Authorization Code Grant are OAuth 2.0 public clients utilizing the Authorization Code Grant are
susceptible to the authorization code interception attack. This susceptible to the authorization code interception attack. This
specification describes the attack as well as a technique to mitigate specification describes the attack as well as a technique to mitigate
against the threat through the use of Proof Key for Code Exchange against the threat through the use of Proof Key for Code Exchange
(PKCE, pronounced "pixy"). (PKCE, pronounced "pixy").
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on January 9, 2016. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7636.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction ....................................................3
1.1. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Protocol Flow ..............................................5
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 6 2. Notational Conventions ..........................................6
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Terminology .....................................................7
3.1. Abbreviations . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Abbreviations ..............................................7
4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Protocol ........................................................8
4.1. Client creates a code verifier . . . . . . . . . . . . . 7 4.1. Client Creates a Code Verifier .............................8
4.2. Client creates the code challenge . . . . . . . . . . . . 8 4.2. Client Creates the Code Challenge ..........................8
4.3. Client sends the code challenge with the authorization 4.3. Client Sends the Code Challenge with the
request . . . . . . . . . . . . . . . . . . . . . . . . . 8 Authorization Request ......................................9
4.4. Server returns the code . . . . . . . . . . . . . . . . . 9 4.4. Server Returns the Code ....................................9
4.4.1. Error Response . . . . . . . . . . . . . . . . . . . 9 4.4.1. Error Response ......................................9
4.5. Client sends the Authorization Code and the Code Verifier 4.5. Client Sends the Authorization Code and the Code
to the token endpoint . . . . . . . . . . . . . . . . . . 9 Verifier to the Token Endpoint ............................10
4.6. Server verifies code_verifier before returning the tokens 10 4.6. Server Verifies code_verifier before Returning the
5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 10 Tokens ....................................................10
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5. Compatibility ..................................................11
6.1. OAuth Parameters Registry . . . . . . . . . . . . . . . . 10 6. IANA Considerations ............................................11
6.2. PKCE Code Challenge Method Registry . . . . . . . . . . . 11 6.1. OAuth Parameters Registry .................................11
6.2.1. Registration Template . . . . . . . . . . . . . . . . 11 6.2. PKCE Code Challenge Method Registry .......................11
6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 12 6.2.1. Registration Template ..............................12
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 6.2.2. Initial Registry Contents ..........................13
7.1. Entropy of the code_verifier . . . . . . . . . . . . . . 12 7. Security Considerations ........................................13
7.2. Protection against eavesdroppers . . . . . . . . . . . . 13 7.1. Entropy of the code_verifier ..............................13
7.3. Salting the code_challenge . . . . . . . . . . . . . . . 13 7.2. Protection against Eavesdroppers ..........................13
7.4. OAuth security considerations . . . . . . . . . . . . . . 14 7.3. Salting the code_challenge ................................14
7.5. TLS security considerations . . . . . . . . . . . . . . . 14 7.4. OAuth Security Considerations .............................14
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 7.5. TLS Security Considerations ...............................15
9. Revision History . . . . . . . . . . . . . . . . . . . . . . 15 8. References .....................................................15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.1. Normative References ......................................15
10.1. Normative References . . . . . . . . . . . . . . . . . . 18 8.2. Informative References ....................................16
10.2. Informative References . . . . . . . . . . . . . . . . . 18 Appendix A. Notes on Implementing Base64url Encoding without
Appendix A. Notes on implementing base64url encoding without Padding .............................................17
padding . . . . . . . . . . . . . . . . . . . . . . 18 Appendix B. Example for the S256 code_challenge_method ...........17
Appendix B. Example for the S256 code_challenge_method . . . . . 19 Acknowledgements ..................................................19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses ................................................20
1. Introduction 1. Introduction
OAuth 2.0 [RFC6749] public clients are susceptible to the OAuth 2.0 [RFC6749] public clients are susceptible to the
authorization code interception attack. authorization code interception attack.
The attacker thereby intercepts the authorization code returned from In this attack, the attacker intercepts the authorization code
the authorization endpoint within communication path not protected by returned from the authorization endpoint within a communication path
TLS, such as inter-app communication within the operating system of not protected by Transport Layer Security (TLS), such as inter-
the client. application communication within the client's operating system.
Once the attacker has gained access to the authorization code it can Once the attacker has gained access to the authorization code, it can
use it to obtain the access token. use it to obtain the access token.
Figure 1 shows the attack graphically. In step (1) the native app Figure 1 shows the attack graphically. In step (1), the native
running on the end device, such as a smart phone, issues an OAuth 2.0 application running on the end device, such as a smartphone, issues
Authorization Request via the browser/operating system. The an OAuth 2.0 Authorization Request via the browser/operating system.
Redirection Endpoint URI in this case typically uses a custom URI The Redirection Endpoint URI in this case typically uses a custom URI
scheme. Step (1) happens through a secure API that cannot be scheme. Step (1) happens through a secure API that cannot be
intercepted, though it may potentially be observed in advanced attack intercepted, though it may potentially be observed in advanced attack
scenarios. The request then gets forwarded to the OAuth 2.0 scenarios. The request then gets forwarded to the OAuth 2.0
authorization server in step (2). Because OAuth requires the use of authorization server in step (2). Because OAuth requires the use of
TLS, this communication is protected by TLS, and also cannot be TLS, this communication is protected by TLS and cannot be
intercepted. The authorization server returns the authorization code intercepted. The authorization server returns the authorization code
in step (3). In step (4), the Authorization Code is returned to the in step (3). In step (4), the Authorization Code is returned to the
requester via the Redirection Endpoint URI that was provided in step requester via the Redirection Endpoint URI that was provided in step
(1). (1).
A malicious app that has been designed to attack this native app has Note that it is possible for a malicious app to register itself as a
previously registered itself as a handler for the custom URI scheme handler for the custom scheme in addition to the legitimate OAuth 2.0
is now able to intercept the Authorization Code in step (4). This app. Once it does so, the malicious app is now able to intercept the
allows the attacker to request and obtain an access token in steps authorization code in step (4). This allows the attacker to request
(5) and (6), respectively. and obtain an access token in steps (5) and (6), respectively.
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| End Device (e.g., Smart Phone) | | End Device (e.g., Smartphone) |
| | | |
| +-------------+ +----------+ | (6) Access Token +----------+ | +-------------+ +----------+ | (6) Access Token +----------+
| |Legitimate | | Malicious|<--------------------| | | |Legitimate | | Malicious|<--------------------| |
| |OAuth 2.0 App| | App |-------------------->| | | |OAuth 2.0 App| | App |-------------------->| |
| +-------------+ +----------+ | (5) Authorization | | | +-------------+ +----------+ | (5) Authorization | |
| | ^ ^ | Grant | | | | ^ ^ | Grant | |
| | \ | | | | | | \ | | | |
| | \ (4) | | | | | | \ (4) | | | |
| (1) | \ Authz| | | | | (1) | \ Authz| | | |
| Authz| \ Code | | | Authz | | Authz| \ Code | | | Authz |
skipping to change at page 4, line 29 skipping to change at page 4, line 29
| | \ | | | | | | \ | | | |
| v \ | | | | | v \ | | | |
| +----------------------------+ | | | | +----------------------------+ | | |
| | | | (3) Authz Code | | | | | | (3) Authz Code | |
| | Operating System/ |<--------------------| | | | Operating System/ |<--------------------| |
| | Browser |-------------------->| | | | Browser |-------------------->| |
| | | | (2) Authz Request | | | | | | (2) Authz Request | |
| +----------------------------+ | +----------+ | +----------------------------+ | +----------+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
Figure 1: Authorization Code Interception Attack. Figure 1: Authorization Code Interception Attack
A number of pre-conditions need to hold in order for this attack to A number of pre-conditions need to hold for this attack to work:
work:
1) The attacker manages to register a malicious application on the 1. The attacker manages to register a malicious application on the
client device and registers a custom URI scheme that is also used client device and registers a custom URI scheme that is also used
by another application. by another application. The operating systems must allow a custom
The operating systems must allow a custom URI schemes to be URI scheme to be registered by multiple applications.
registered by multiple applications.
2) The OAuth 2.0 authorization code grant is used.
3) The attacker has access to the OAuth 2.0 [RFC6749] client_id and
client_secret(if provisioned). All OAuth 2.0 native app client-
instances use the same client_id. Secrets provisioned in client
binary applications cannot be considered confidential.
4a) The attacker (via the installed app) is able to observe only the
responses from the authorization endpoint. The plain
code_challenge_method mitigates only this attack.
4b) A more sophisticated attack scenario allows the attacker to
observe requests (in addition to responses) to the authorization
endpoint. The attacker is, however, not able to act as a man-in-
the-middle. This has been caused by leaking http log information
in the OS. To mitigate this the S256 code_challenge_method or
cryptographically secure code_challenge_method extension must be
used.
While this is a long list of pre-conditions the described attack has 2. The OAuth 2.0 authorization code grant is used.
3. The attacker has access to the OAuth 2.0 [RFC6749] "client_id" and
"client_secret" (if provisioned). All OAuth 2.0 native app
client-instances use the same "client_id". Secrets provisioned in
client binary applications cannot be considered confidential.
4. Either one of the following condition is met:
4a. The attacker (via the installed application) is able to
observe only the responses from the authorization endpoint.
When "code_challenge_method" value is "plain", only this
attack is mitigated.
4b. A more sophisticated attack scenario allows the attacker to
observe requests (in addition to responses) to the
authorization endpoint. The attacker is, however, not able to
act as a man in the middle. This was caused by leaking http
log information in the OS. To mitigate this,
"code_challenge_method" value must be set either to "S256" or
a value defined by a cryptographically secure
"code_challenge_method" extension.
While this is a long list of pre-conditions, the described attack has
been observed in the wild and has to be considered in OAuth 2.0 been observed in the wild and has to be considered in OAuth 2.0
deployments. deployments. While the OAuth 2.0 threat model (Section 4.4.1 of
While the OAuth 2.0 Threat Model Section 4.4.1 [RFC6819] describes [RFC6819]) describes mitigation techniques, they are, unfortunately,
mitigation techniques they are, unfortunately, not applicable since not applicable since they rely on a per-client instance secret or a
they rely on a per-client instance secret or aper client instance per-client instance redirect URI.
redirect URI.
To mitigate this attack, this extension utilizes a dynamically To mitigate this attack, this extension utilizes a dynamically
created cryptographically random key called "code verifier". A created cryptographically random key called "code verifier". A
unique code verifier is created for every authorization request and unique code verifier is created for every authorization request, and
its transformed value, called "code challenge", is sent to the its transformed value, called "code challenge", is sent to the
authorization server to obtain the authorization code. The authorization server to obtain the authorization code. The
authorization code obtained is then sent to the token endpoint with authorization code obtained is then sent to the token endpoint with
the "code verifier" and the server compares it with the previously the "code verifier", and the server compares it with the previously
received request code so that it can perform the proof of possession received request code so that it can perform the proof of possession
of the "code verifier" by the client. This works as the mitigation of the "code verifier" by the client. This works as the mitigation
since the attacker would not know this one-time key, since it is sent since the attacker would not know this one-time key, since it is sent
over TLS and cannot be intercepted. over TLS and cannot be intercepted.
1.1. Protocol Flow 1.1. Protocol Flow
+-------------------+ +-------------------+
| Authz Server | | Authz Server |
+--------+ | +---------------+ | +--------+ | +---------------+ |
skipping to change at page 5, line 50 skipping to change at page 6, line 7
| | + code_verifier | | Token | | | | + code_verifier | | Token | |
| | | | Endpoint | | | | | | Endpoint | |
| |<-(D)------ Access Token ---------| | | | |<-(D)------ Access Token ---------| | |
+--------+ | +---------------+ | +--------+ | +---------------+ |
+-------------------+ +-------------------+
Figure 2: Abstract Protocol Flow Figure 2: Abstract Protocol Flow
This specification adds additional parameters to the OAuth 2.0 This specification adds additional parameters to the OAuth 2.0
Authorization and Access Token Requests, shown in abstract form in Authorization and Access Token Requests, shown in abstract form in
Figure 1. Figure 2.
A. The client creates and records a secret named the "code_verifier", A. The client creates and records a secret named the "code_verifier"
and derives a transformed version "t(code_verifier)" (referred to and derives a transformed version "t(code_verifier)" (referred to
as the "code_challenge") which is sent in the OAuth 2.0 as the "code_challenge"), which is sent in the OAuth 2.0
Authorization Request, along with the transformation method "t_m". Authorization Request along with the transformation method "t_m".
B. The Authorization Endpoint responds as usual, but records
B. The Authorization Endpoint responds as usual but records
"t(code_verifier)" and the transformation method. "t(code_verifier)" and the transformation method.
C. The client then sends the authorization code in the Access Token C. The client then sends the authorization code in the Access Token
Request as usual, but includes the "code_verifier" secret Request as usual but includes the "code_verifier" secret generated
generated at (A). at (A).
D. The authorization server transforms "code_verifier" and compares D. The authorization server transforms "code_verifier" and compares
it to "t(code_verifier)" from (B). Access is denied if they are it to "t(code_verifier)" from (B). Access is denied if they are
not equal. not equal.
An attacker who intercepts the Authorization Grant at (B) is unable An attacker who intercepts the authorization code at (B) is unable to
to redeem it for an Access Token, as they are not in possession of redeem it for an access token, as they are not in possession of the
the "code_verifier" secret. "code_verifier" secret.
2. Notational Conventions 2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in Key "OPTIONAL" in this document are to be interpreted as described in
words for use in RFCs to Indicate Requirement Levels [RFC2119]. If "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
these words are used without being spelled in uppercase then they are If these words are used without being spelled in uppercase, then they
to be interpreted with their normal natural language meanings. are to be interpreted with their natural language meanings.
This specification uses the Augmented Backus-Naur Form (ABNF) This specification uses the Augmented Backus-Naur Form (ABNF)
notation of [RFC5234]. notation of [RFC5234].
STRING denotes a sequence of zero or more ASCII [RFC0020] characters. STRING denotes a sequence of zero or more ASCII [RFC20] characters.
OCTETS denotes a sequence of zero or more octets. OCTETS denotes a sequence of zero or more octets.
ASCII(STRING) denotes the octets of the ASCII [RFC0020] ASCII(STRING) denotes the octets of the ASCII [RFC20] representation
representation of STRING where STRING is a sequence of zero or more of STRING where STRING is a sequence of zero or more ASCII
ASCII characters. characters.
BASE64URL-ENCODE(OCTETS) denotes the base64url encoding of OCTETS, BASE64URL-ENCODE(OCTETS) denotes the base64url encoding of OCTETS,
per Section 3 producing a STRING. per Appendix A, producing a STRING.
BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING, BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING,
per Section 3, producing a sequence of octets. per Appendix A, producing a sequence of octets.
SHA256(OCTETS) denotes a SHA2 256bit hash [RFC6234] of OCTETS. SHA256(OCTETS) denotes a SHA2 256-bit hash [RFC6234] of OCTETS.
3. Terminology 3. Terminology
In addition to the terms defined in OAuth 2.0 [RFC6749], this In addition to the terms defined in OAuth 2.0 [RFC6749], this
specification defines the following terms: specification defines the following terms:
code verifier code verifier
A cryptographically random string that is used to correlate the A cryptographically random string that is used to correlate the
authorization request to the token request. authorization request to the token request.
code challenge code challenge
A challenge derived from the code verifier that is sent in the A challenge derived from the code verifier that is sent in the
authorization request, to be verified against later. authorization request, to be verified against later.
code challenge method
A method that was used to derive code challenge.
Base64url Encoding Base64url Encoding
Base64 encoding using the URL- and filename-safe character set Base64 encoding using the URL- and filename-safe character set
defined in Section 5 of [RFC4648], with all trailing '=' defined in Section 5 of [RFC4648], with all trailing '='
characters omitted (as permitted by Section 3.2 of [RFC4648]) and characters omitted (as permitted by Section 3.2 of [RFC4648]) and
without the inclusion of any line breaks, whitespace, or other without the inclusion of any line breaks, whitespace, or other
additional characters. (See Appendix A for notes on implementing additional characters. (See Appendix A for notes on implementing
base64url encoding without padding.) base64url encoding without padding.)
3.1. Abbreviations 3.1. Abbreviations
ABNF Augmented Backus-Naur Form ABNF Augmented Backus-Naur Form
Authz Authorization Authz Authorization
PKCE Proof Key for Code Exchange
MITM Man-in-the-middle PKCE Proof Key for Code Exchange
MTI Mandatory To Implement
MITM Man-in-the-middle
MTI Mandatory To Implement
4. Protocol 4. Protocol
4.1. Client creates a code verifier 4.1. Client Creates a Code Verifier
The client first creates a code verifier, "code_verifier", for each The client first creates a code verifier, "code_verifier", for each
OAuth 2.0 [RFC6749] Authorization Request, in the following manner: OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
code_verifier = high entropy cryptographic random STRING using the code_verifier = high-entropy cryptographic random STRING using the
Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
from Sec 2.3 of [RFC3986], with a minimum length of 43 characters and from Section 2.3 of [RFC3986], with a minimum length of 43 characters
a maximum length of 128 characters. and a maximum length of 128 characters.
ABNF for "code_verifier" is as follows. ABNF for "code_verifier" is as follows.
code-verifier = 43*128unreserved code-verifier = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39 DIGIT = %x30-39
NOTE: code verifier SHOULD have enough entropy to make it impractical NOTE: The code verifier SHOULD have enough entropy to make it
to guess the value. It is RECOMMENDED that the output of a suitable impractical to guess the value. It is RECOMMENDED that the output of
random number generator be used to create a 32-octet sequence. The a suitable random number generator be used to create a 32-octet
Octet sequence is then base64url encoded to produce a 43-octet URL sequence. The octet sequence is then base64url-encoded to produce a
safe string to use as the code verifier. 43-octet URL safe string to use as the code verifier.
4.2. Client creates the code challenge 4.2. Client Creates the Code Challenge
The client then creates a code challenge derived from the code The client then creates a code challenge derived from the code
verifier by using one of the following transformations on the code verifier by using one of the following transformations on the code
verifier: verifier:
plain plain
code_challenge = code_verifier code_challenge = code_verifier
S256 S256
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
If the client is capable of using "S256", it MUST use "S256", as If the client is capable of using "S256", it MUST use "S256", as
"S256" is Mandatory To Implement (MTI) on the server. Clients are "S256" is Mandatory To Implement (MTI) on the server. Clients are
permitted to use "plain" only if they cannot support "S256" for some permitted to use "plain" only if they cannot support "S256" for some
technical reason and know via out of band configuration that the technical reason and know via out-of-band configuration that the
server supports "plain". server supports "plain".
The plain transformation is for compatibility with existing The plain transformation is for compatibility with existing
deployments and for constrained environments that can't use the S256 deployments and for constrained environments that can't use the S256
transformation. transformation.
ABNF for "code_challenge" is as follows. ABNF for "code_challenge" is as follows.
code-challenge = 43*128unreserved code-challenge = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39 DIGIT = %x30-39
4.3. Client sends the code challenge with the authorization request 4.3. Client Sends the Code Challenge with the Authorization Request
The client sends the code challenge as part of the OAuth 2.0 The client sends the code challenge as part of the OAuth 2.0
Authorization Request (Section 4.1.1 of [RFC6749].) using the Authorization Request (Section 4.1.1 of [RFC6749]) using the
following additional parameters: following additional parameters:
code_challenge REQUIRED. Code challenge. code_challenge
REQUIRED. Code challenge.
code_challenge_method OPTIONAL, defaults to "plain" if not present code_challenge_method
in the request. Code verifier transformation method, "S256" or OPTIONAL, defaults to "plain" if not present in the request. Code
"plain". verifier transformation method is "S256" or "plain".
4.4. Server returns the code 4.4. Server Returns the Code
When the server issues the authorization code in the authorization When the server issues the authorization code in the authorization
response, it MUST associate the "code_challenge" and response, it MUST associate the "code_challenge" and
"code_challenge_method" values with the authorization code so it can "code_challenge_method" values with the authorization code so it can
be verified later. be verified later.
Typically, the "code_challenge" and "code_challenge_method" values Typically, the "code_challenge" and "code_challenge_method" values
are stored in encrypted form in the "code" itself, but could are stored in encrypted form in the "code" itself but could
alternatively be stored on the server, associated with the code. The alternatively be stored on the server associated with the code. The
server MUST NOT include the "code_challenge" value in client requests server MUST NOT include the "code_challenge" value in client requests
in a form that other entities can extract. in a form that other entities can extract.
The exact method that the server uses to associate the The exact method that the server uses to associate the
"code_challenge" with the issued "code" is out of scope for this "code_challenge" with the issued "code" is out of scope for this
specification. specification.
4.4.1. Error Response 4.4.1. Error Response
If the server requires Proof Key for Code Exchange (PKCE) by OAuth If the server requires Proof Key for Code Exchange (PKCE) by OAuth
Public Clients, and the client does not send the "code_challenge" in public clients and the client does not send the "code_challenge" in
the request, the authorization endpoint MUST return the authorization the request, the authorization endpoint MUST return the authorization
error response with "error" value set to "invalid_request". The error response with the "error" value set to "invalid_request". The
"error_description" or the response of "error_uri" SHOULD explain the "error_description" or the response of "error_uri" SHOULD explain the
nature of error, e.g., code challenge required. nature of error, e.g., code challenge required.
If the server supporting PKCE does not support the requested If the server supporting PKCE does not support the requested
transform, the authorization endpoint MUST return the authorization transformation, the authorization endpoint MUST return the
error response with "error" value set to "invalid_request". The authorization error response with "error" value set to
"error_description" or the response of "error_uri" SHOULD explain the "invalid_request". The "error_description" or the response of
nature of error, e.g., transform algorithm not supported. "error_uri" SHOULD explain the nature of error, e.g., transform
algorithm not supported.
4.5. Client sends the Authorization Code and the Code Verifier to the 4.5. Client Sends the Authorization Code and the Code Verifier to the
token endpoint Token Endpoint
Upon receipt of the Authorization Code, the client sends the Access Upon receipt of the Authorization Code, the client sends the Access
Token Request to the token endpoint. In addition to the parameters Token Request to the token endpoint. In addition to the parameters
defined in the OAuth 2.0 Access Token Request (Section 4.1.3 of defined in the OAuth 2.0 Access Token Request (Section 4.1.3 of
[RFC6749]), it sends the following parameter: [RFC6749]), it sends the following parameter:
code_verifier REQUIRED. Code verifier code_verifier
REQUIRED. Code verifier
The code_challenge_method is bound to the Authorization Code when the The "code_challenge_method" is bound to the Authorization Code when
Authorization Code is issued. That is the method that the token the Authorization Code is issued. That is the method that the token
endpoint MUST use to verify the code_verifier. endpoint MUST use to verify the "code_verifier".
4.6. Server verifies code_verifier before returning the tokens 4.6. Server Verifies code_verifier before Returning the Tokens
Upon receipt of the request at the Access Token endpoint, the server Upon receipt of the request at the token endpoint, the server
verifies it by calculating the code challenge from received verifies it by calculating the code challenge from the received
"code_verifier" and comparing it with the previously associated "code_verifier" and comparing it with the previously associated
"code_challenge", after first transforming it according to the "code_challenge", after first transforming it according to the
"code_challenge_method" method specified by the client. "code_challenge_method" method specified by the client.
If the "code_challenge_method" from Section 4.2 was "S256", the If the "code_challenge_method" from Section 4.3 was "S256", the
received "code_verifier" is hashed by SHA-256, then base64url received "code_verifier" is hashed by SHA-256, base64url-encoded, and
encoded, and then compared to the "code_challenge". i.e., then compared to the "code_challenge", i.e.:
BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) == "code_challenge" BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge
If the "code_challenge_method" from Section 4.2 was "plain", they are If the "code_challenge_method" from Section 4.3 was "plain", they are
compared directly. i.e., compared directly, i.e.:
"code_verifier" == "code_challenge". code_verifier == code_challenge.
If the values are equal, the Access Token endpoint MUST continue If the values are equal, the token endpoint MUST continue processing
processing as normal (as defined by OAuth 2.0 [RFC6749]). If the as normal (as defined by OAuth 2.0 [RFC6749]). If the values are not
values are not equal, an error response indicating "invalid_grant" as equal, an error response indicating "invalid_grant" as described in
described in section 5.2 of [RFC6749] MUST be returned. Section 5.2 of [RFC6749] MUST be returned.
5. Compatibility 5. Compatibility
Server implementations of this specification MAY accept OAuth2.0 Server implementations of this specification MAY accept OAuth2.0
Clients that do not implement this extension. If the "code_verifier" clients that do not implement this extension. If the "code_verifier"
is not received from the client in the Authorization Request, servers is not received from the client in the Authorization Request, servers
supporting backwards compatibility revert to a normal OAuth 2.0 supporting backwards compatibility revert to the OAuth 2.0 [RFC6749]
[RFC6749] protocol. protocol without this extension.
As the OAuth 2.0 [RFC6749] server responses are unchanged by this As the OAuth 2.0 [RFC6749] server responses are unchanged by this
specification, client implementations of this specification do not specification, client implementations of this specification do not
need to know if the server has implemented this specification or not, need to know if the server has implemented this specification or not
and SHOULD send the additional parameters as defined in Section 3. to and SHOULD send the additional parameters as defined in Section 4 to
all servers. all servers.
6. IANA Considerations 6. IANA Considerations
This specification makes a registration request as follows: IANA has made the following registrations per this document.
6.1. OAuth Parameters Registry 6.1. OAuth Parameters Registry
This specification registers the following parameters in the IANA This specification registers the following parameters in the IANA
OAuth Parameters registry defined in OAuth 2.0 [RFC6749]. "OAuth Parameters" registry defined in OAuth 2.0 [RFC6749].
o Parameter name: code_verifier o Parameter name: code_verifier
o Parameter usage location: token request o Parameter usage location: token request
o Change controller: IESG o Change controller: IESG
o Specification document(s): this document o Specification document(s): RFC 7636 (this document)
o Parameter name: code_challenge o Parameter name: code_challenge
o Parameter usage location: authorization request o Parameter usage location: authorization request
o Change controller: IESG o Change controller: IESG
o Specification document(s): this document o Specification document(s): RFC 7636 (this document)
o Parameter name: code_challenge_method o Parameter name: code_challenge_method
o Parameter usage location: authorization request o Parameter usage location: authorization request
o Change controller: IESG o Change controller: IESG
o Specification document(s): this document o Specification document(s): RFC 7636 (this document)
6.2. PKCE Code Challenge Method Registry 6.2. PKCE Code Challenge Method Registry
This specification establishes the PKCE Code Challenge Method This specification establishes the "PKCE Code Challenge Methods"
registry. The new registry should be a sub-registry of OAuth registry. The new registry should be a sub-registry of the "OAuth
Parameters registry. Parameters" registry.
Additional code_challenge_method types for use with the authorization Additional "code_challenge_method" types for use with the
endpoint are registered using the Specification Required policy authorization endpoint are registered using the Specification
[RFC5226], which includes review of the request by one or more Required policy [RFC5226], which includes review of the request by
Designated Experts. The DEs will ensure there is at least a two-week one or more Designated Experts (DEs). The DEs will ensure that there
review of the request on the oauth-ext-review@ietf.org mailing list, is at least a two-week review of the request on the oauth-ext-
and that any discussion on that list converges before they respond to review@ietf.org mailing list and that any discussion on that list
the request. To allow for the allocation of values prior to converges before they respond to the request. To allow for the
publication, the Designated Expert(s) may approve registration once allocation of values prior to publication, the Designated Expert(s)
they are satisfied that an acceptable specification will be may approve registration once they are satisfied that an acceptable
published. specification will be published.
Registration requests and discussion on the oauth-ext-review@ietf.org Registration requests and discussion on the oauth-ext-review@ietf.org
mailing list should use an appropriate subject, such as "Request for mailing list should use an appropriate subject, such as "Request for
PKCE code_challenge_method: example"). PKCE code_challenge_method: example").
The Designated Expert(s) should consider the discussion on the The Designated Expert(s) should consider the discussion on the
mailing list, as well as the overall security properties of the mailing list, as well as the overall security properties of the
challenge Method when evaluating registration requests. New methods challenge method when evaluating registration requests. New methods
should not disclose the value of the code_verifier in the request to should not disclose the value of the code_verifier in the request to
the Authorization endpoint. Denials should include an explanation the Authorization endpoint. Denials should include an explanation
and, if applicable, suggestions as to how to make the request and, if applicable, suggestions as to how to make the request
successful. successful.
6.2.1. Registration Template 6.2.1. Registration Template
Code Challenge Method Parameter Name: Code Challenge Method Parameter Name:
The name requested (e.g., "example"). Because a core goal of this The name requested (e.g., "example"). Because a core goal of this
specification is for the resulting representations to be compact, specification is for the resulting representations to be compact,
it is RECOMMENDED that the name be short -- not to exceed 8 it is RECOMMENDED that the name be short -- not to exceed 8
characters without a compelling reason to do so. This name is characters without a compelling reason to do so. This name is
case-sensitive. Names may not match other registered names in a case-sensitive. Names may not match other registered names in a
case-insensitive manner unless the Designated Expert(s) state that case-insensitive manner unless the Designated Expert(s) states
there is a compelling reason to allow an exception in this that there is a compelling reason to allow an exception in this
particular case. particular case.
Change Controller: Change Controller:
For Standards Track RFCs, state "IESG". For others, give the name For Standards Track RFCs, state "IESG". For others, give the name
of the responsible party. Other details (e.g., postal address, of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included. email address, and home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document(s) that specify the parameter, Reference to the document(s) that specifies the parameter,
preferably including URI(s) that can be used to retrieve copies of preferably including URI(s) that can be used to retrieve copies of
the document(s). An indication of the relevant sections may also the document(s). An indication of the relevant sections may also
be included but is not required. be included but is not required.
6.2.2. Initial Registry Contents 6.2.2. Initial Registry Contents
This specification registers the Code Challenge Method Parameter Per this document, IANA has registered the Code Challenge Method
names defined in Section 4.2 in this registry. Parameter Names defined in Section 4.2 in this registry.
o Code Challenge Method Parameter Name: "plain" o Code Challenge Method Parameter Name: plain
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.2 of [[ this document ]] o Specification Document(s): Section 4.2 of RFC 7636 (this document)
o Code Challenge Method Parameter Name: "S256" o Code Challenge Method Parameter Name: S256
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.2 of [[ this document ]] o Specification Document(s): Section 4.2 of RFC 7636 (this document)
7. Security Considerations 7. Security Considerations
7.1. Entropy of the code_verifier 7.1. Entropy of the code_verifier
The security model relies on the fact that the code verifier is not The security model relies on the fact that the code verifier is not
learned or guessed by the attacker. It is vitally important to learned or guessed by the attacker. It is vitally important to
adhere to this principle. As such, the code verifier has to be adhere to this principle. As such, the code verifier has to be
created in such a manner that it is cryptographically random and has created in such a manner that it is cryptographically random and has
high entropy that it is not practical for the attacker to guess. high entropy that it is not practical for the attacker to guess.
The client SHOULD create a code_verifier with a minimum of 256bits of The client SHOULD create a "code_verifier" with a minimum of 256 bits
entropy. This can be done by having a suitable random number of entropy. This can be done by having a suitable random number
generator create a 32-octet sequence. The Octet sequence can then be generator create a 32-octet sequence. The octet sequence can then be
base64url encoded to produce a 43-octet URL safe string to use as a base64url-encoded to produce a 43-octet URL safe string to use as a
code_challenge that has the required entropy. "code_challenge" that has the required entropy.
7.2. Protection against eavesdroppers 7.2. Protection against Eavesdroppers
Clients MUST NOT downgrade to "plain" after trying "S256" method. Clients MUST NOT downgrade to "plain" after trying the "S256" method.
Servers that support PKCE are required to support "S256", and servers Servers that support PKCE are required to support "S256", and servers
that do not support PKCE will simply ignore the unknown that do not support PKCE will simply ignore the unknown
"code_verifier" OAuth 2.0 (see Section 3.2 of [RFC6749]. Because of "code_verifier". Because of this, an error when "S256" is presented
that, an error when "S256" is presented can only mean that the server can only mean that the server is faulty or that a MITM attacker is
is faulty or that a MITM attacker is trying a downgrade attack. trying a downgrade attack.
"S256" method protects against eavesdroppers observing or The "S256" method protects against eavesdroppers observing or
intercepting the "code_challenge", because the challenge cannot be intercepting the "code_challenge", because the challenge cannot be
used without the verifier. With the "plain" method, there is a used without the verifier. With the "plain" method, there is a
chance that "code_challenge" will be observed by the attacker on the chance that "code_challenge" will be observed by the attacker on the
device, or in the http request. Since the code challenge is the same device or in the http request. Since the code challenge is the same
as the code verifier in this case, "plain" method does not protect as the code verifier in this case, the "plain" method does not
against the eavesdropping of the initial request. protect against the eavesdropping of the initial request.
The use of "S256" protects against disclosure of "code_verifier" The use of "S256" protects against disclosure of the "code_verifier"
value to an attacker. value to an attacker.
Because of this, "plain" SHOULD NOT be used, and exists only for Because of this, "plain" SHOULD NOT be used and exists only for
compatibility with deployed implementations where the request path is compatibility with deployed implementations where the request path is
already protected. The "plain" method SHOULD NOT be used in new already protected. The "plain" method SHOULD NOT be used in new
implementations, unless they cannot support "S256" for some technical implementations, unless they cannot support "S256" for some technical
reason. reason.
The "S256" code_challenge_method or other cryptographically secure The "S256" code challenge method or other cryptographically secure
code_challenge_method extension SHOULD be used. The plain code challenge method extension SHOULD be used. The "plain" code
code_challenge_method relies on the operating system and transport challenge method relies on the operating system and transport
security not to disclose the request to an attacker. security not to disclose the request to an attacker.
If the code_challenge_method is plain, and the "code_challenge" is to If the code challenge method is "plain" and the code challenge is to
be returned inside authorization "code" to achieve a stateless be returned inside authorization "code" to achieve a stateless
server, it MUST be encrypted in such a manner that only the server server, it MUST be encrypted in such a manner that only the server
can decrypt and extract it. can decrypt and extract it.
7.3. Salting the code_challenge 7.3. Salting the code_challenge
In order to reduce implementation complexity Salting is not used in To reduce implementation complexity, salting is not used in the
the production of the code_challenge, as the code_verifier contains production of the code challenge, as the code verifier contains
sufficient entropy to prevent brute force attacks. Concatenating a sufficient entropy to prevent brute-force attacks. Concatenating a
publicly known value to a code_verifier (containing 256 bits of publicly known value to a code verifier (containing 256 bits of
entropy) and then hashing it with SHA256 to produce a code_challenge entropy) and then hashing it with SHA256 to produce a code challenge
would not increase the number of attempts necessary to brute force a would not increase the number of attempts necessary to brute force a
valid value for code_verifier. valid value for code verifier.
While the S256 transformation is like hashing a password there are While the "S256" transformation is like hashing a password, there are
important differences. Passwords tend to be relatively low entropy important differences. Passwords tend to be relatively low-entropy
words that can be hashed offline and the hash looked up in a words that can be hashed offline and the hash looked up in a
dictionary. By concatenating a unique though public value to each dictionary. By concatenating a unique though public value to each
password prior to hashing, the dictionary space that an attacker password prior to hashing, the dictionary space that an attacker
needs to search is greatly expanded. needs to search is greatly expanded.
Modern graphics processors now allow attackers to calculate hashes in Modern graphics processors now allow attackers to calculate hashes in
real time faster than they could be looked up from a disk. This real time faster than they could be looked up from a disk. This
eliminates the value of the salt in increasing the complexity of a eliminates the value of the salt in increasing the complexity of a
brute force attack for even low entropy passwords. brute-force attack for even low-entropy passwords.
7.4. OAuth security considerations 7.4. OAuth Security Considerations
All the OAuth security analysis presented in [RFC6819] applies so All the OAuth security analysis presented in [RFC6819] applies, so
readers SHOULD carefully follow it. readers SHOULD carefully follow it.
7.5. TLS security considerations 7.5. TLS Security Considerations
Curent security considerations can be found in Recommendations for Current security considerations can be found in "Recommendations for
Secure Use of TLS and DTLS [BCP195]. This supersedes the TLS version Secure Use of Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)" [BCP195]. This supersedes the TLS version
recommendations in OAuth 2.0 [RFC6749]. recommendations in OAuth 2.0 [RFC6749].
8. Acknowledgements 8. References
The initial draft of this specification was created by the OpenID AB/
Connect Working Group of the OpenID Foundation.
This specification is the work of the OAuth Working Group, which
includes dozens of active and dedicated participants. In particular,
the following individuals contributed ideas, feedback, and wording
that shaped and formed the final specification:
Anthony Nadalin, Microsoft
Axel Nenker, Deutsche Telekom
Breno de Medeiros, Google
Brian Campbell, Ping Identity
Chuck Mortimore, Salesforce
Dirk Balfanz, Google
Eduardo Gueiros, Jive Communications
Hannes Tschonfenig, ARM
James Manger, Telstra
John Bradley, Ping Identity
Justin Richer, MIT Kerberos
Josh Mandel, Boston Children's Hospital
Lewis Adam, Motorola Solutions
Madjid Nakhjiri, Samsung
Michael B. Jones, Microsoft
Nat Sakimura, Nomura Research Institute
Naveen Agarwal, Google
Paul Madsen, Ping Identity
Phil Hunt, Oracle
Prateek Mishra, Oracle
Ryo Ito, mixi
Scott Tomilson, Ping Identity
Sergey Beryozkin
Takamichi Saito
Torsten Lodderstedt, Deutsche Telekom
William Denniss, Google
9. Revision History
-15
o Addressed Barry's IESG comments around IANA Registration
o Addressed Barry's IESG comments around Sec 7.2 downgrade attack
o fix a typo for William and make a small change to Fig 1.1
clarifying t_m
o more wording changes to sec 7.2 re Barry
o made the two SHOULD NOT use plain recommendations consistent.
o slightly cleaned up grammer in Sec 7.2
-14
o #38. Expanded Section 7.2 to explain why plain should not be
used.
o #39. Modified Section 4.4.1 to discourage the use of plain.
o #40. Modified Intro text to explain the attack better.
o #41. Added explanation that the token request is protected in the
Last paragraph of the Introduction.
o #42. Sec 4.2: Removed redundant double quotes caused by spanx.
o #43. Sec 4.4: Replaced code with authorization code.
o #44. Sec 4.5: say "code_verifier" rather than "secret"
o #45. Sec 4.4.1: Expanded PKCE.
o #46. Sec 5: SHOULD in para 1 removed.
o Added abbreviations section.
-13
o Fix the parameter usage locations for the OAuth Parameters
Registry per Hannes response.
o Clarify for IANA that the new registry is a sub-registry of OAuth
Parameters registry
o aded text on why the code_challenge_method is not sent to the
token endpoint.
-12
o clarify that the client secret we are talking about in the
Introduction is a OAuth 2 client_secret.
o Update salting security consideration based on Ben's feedback
-11
o add spanx for plain in sec 4.4 RE Kathleen's comment
o Add security consideration on TLS and reference BCP195
o Update to make clearer that plain can only be used for backwards
compatibility and constrained environments
-10
o re #33 specify lower limit to code_verifier in prose
o remove base64url decode from draft, all steps now use encode only
o Expanded MTI
o re #33 change length of 32 octet base64url encoded string back to
43 octets
-09
o clean up some external references so they don't point at internal
sections
-08
o changed BASE64URL to BASE64URL-ENCODE to be more consistent with
appendix A Fixed lowercase base64url in appendix B
o Added appendix B as an example of S256 processing
o Change reference for unreserved characters to RFC3986 from
base64URL
-07
o removed unused discovery reference and UTF8
o re #32 added ASCII(STRING) to make clear that it is the byte array
that is being hashed
o re #2 Remove discovery requirement section.
o updated Acknowledgement
o re #32 remove unneeded UTF8(STRING) definition, and define STRING
for ASCII(STRING)
o re #32 remove unneeded utf8 reference from BASE64URL-
DECODE(STRING) def
o resolves #31 unused definition of concatenation
o re #30 Update figure text call out the endpoints
o re #30 Update figure to call out the endpoints
o small wording change to the introduction
-06
o fix date
o replace spop with pkce for registry and other references
o re #29 change name again
o re #27 removed US-ASCII reference
o re #27 updated ABNF for code_verifier
o resolves #24 added security consideration for salting
o resolves #29 Changed title
o updated reference to RFC4634 to RFC6234 re #27
o changed reference for US-ASCII to RFC20 re #27
o resolves #28 added Acknowledgements
o resolves #27 updated ABNF
o resolves #26 updated abstract and added Hannes figure
-05
o Added IANA registry for code_challenge_method + fixed some broken
internal references.
-04
o Added error response to authorization response.
-03
o Added an abstract protocol diagram and explanation
-02
o Copy edits
-01
o Specified exactly two supported transformations
o Moved discovery steps to security considerations.
o Incorporated readability comments by Eduardo Gueiros.
o Changed MUST in 3.1 to SHOULD.
-00
o Initial IETF version.
10. References 8.1. Normative References
10.1. Normative References
[BCP195] Sheffer, Y., Holz, R., and P. Saint-Andre, [BCP195] Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of Transport Layer "Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security Security (TLS) and Datagram Transport Layer Security
(DTLS)", BCP 195, RFC 7525, May 2015. (DTLS)", BCP 195, RFC 7525, May 2015,
<http://www.rfc-editor.org/info/bcp195>.
[RFC0020] Cerf, V., "ASCII format for network interchange", RFC 20, [RFC20] Cerf, V., "ASCII format for network interchange", STD 80,
October 1969. RFC 20, DOI 10.17487/RFC0020, October 1969,
<http://www.rfc-editor.org/info/rfc20>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005. 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<http://www.rfc-editor.org/info/rfc4648>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>.
[RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. (SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<http://www.rfc-editor.org/info/rfc6234>.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
6749, October 2012. RFC 6749, DOI 10.17487/RFC6749, October 2012,
<http://www.rfc-editor.org/info/rfc6749>.
10.2. Informative References 8.2. Informative References
[RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
January 2013. DOI 10.17487/RFC6819, January 2013,
<http://www.rfc-editor.org/info/rfc6819>.
Appendix A. Notes on implementing base64url encoding without padding Appendix A. Notes on Implementing Base64url Encoding without Padding
This appendix describes how to implement a base64url encoding This appendix describes how to implement a base64url-encoding
function without padding based upon standard base64 encoding function function without padding, based upon the standard base64-encoding
that uses padding. function that uses padding.
To be concrete, example C# code implementing these functions is shown To be concrete, example C# code implementing these functions is shown
below. Similar code could be used in other languages. below. Similar code could be used in other languages.
static string base64urlencode(byte [] arg) static string base64urlencode(byte [] arg)
{ {
string s = Convert.ToBase64String(arg); // Regular base64 encoder string s = Convert.ToBase64String(arg); // Regular base64 encoder
s = s.Split('=')[0]; // Remove any trailing '='s s = s.Split('=')[0]; // Remove any trailing '='s
s = s.Replace('+', '-'); // 62nd char of encoding s = s.Replace('+', '-'); // 62nd char of encoding
s = s.Replace('/', '_'); // 63rd char of encoding s = s.Replace('/', '_'); // 63rd char of encoding
skipping to change at page 19, line 26 skipping to change at page 17, line 35
which when decoded, reproduces the octet sequence. which when decoded, reproduces the octet sequence.
3 236 255 224 193 3 236 255 224 193
A-z_4ME A-z_4ME
Appendix B. Example for the S256 code_challenge_method Appendix B. Example for the S256 code_challenge_method
The client uses output of a suitable random number generator to The client uses output of a suitable random number generator to
create a 32-octet sequence. The octets representing the value in create a 32-octet sequence. The octets representing the value in
this example (using JSON array notation) are:" this example (using JSON array notation) are:
[116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173, [116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173,
187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83, 187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83,
132, 141, 121] 132, 141, 121]
Encoding this octet sequence as a Base64url provides the value of the Encoding this octet sequence as base64url provides the value of the
code_verifier: code_verifier:
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
The code_verifier is then hashed via the SHA256 hash function to The code_verifier is then hashed via the SHA256 hash function to
produce: produce:
[19, 211, 30, 150, 26, 26, 216, 236, 47, 22, 177, 12, 76, 152, 46, [19, 211, 30, 150, 26, 26, 216, 236, 47, 22, 177, 12, 76, 152, 46,
8, 118, 168, 120, 173, 109, 241, 68, 86, 110, 225, 137, 74, 203, 8, 118, 168, 120, 173, 109, 241, 68, 86, 110, 225, 137, 74, 203,
112, 249, 195] 112, 249, 195]
Encoding this octet sequence as a base64url provides the value of the Encoding this octet sequence as base64url provides the value of the
code_challenge: code_challenge:
E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
The authorization request includes: The authorization request includes:
code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
&code_challange_method=S256 &code_challenge_method=S256
The Authorization server then records the code_challenge and The authorization server then records the code_challenge and
code_challenge_method along with the code that is granted to the code_challenge_method along with the code that is granted to the
client. client.
in the request to the token_endpoint the client includes the code In the request to the token_endpoint, the client includes the code
received in the authorization response as well as the additional received in the authorization response as well as the additional
paramater: parameter:
code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
The Authorization server retrieves the information for the code The authorization server retrieves the information for the code
grant. Based on the recorded code_challange_method being S256, it grant. Based on the recorded code_challenge_method being S256, it
then hashes and base64url encodes the value of code_verifier. then hashes and base64url-encodes the value of code_verifier:
BASE64URL-ENCODE(SHA256(ASCII("code_verifier" )))
BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
The calculated value is then compared with the value of The calculated value is then compared with the value of
"code_challenge": "code_challenge":
BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) == code_challenge BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge
If the two values are equal then the Authorization server can provide If the two values are equal, then the authorization server can
the tokens as long as there are no other errors in the request. If provide the tokens as long as there are no other errors in the
the values are not equal then the request must be rejected, and an request. If the values are not equal, then the request must be
error returned. rejected, and an error returned.
Acknowledgements
The initial draft version of this specification was created by the
OpenID AB/Connect Working Group of the OpenID Foundation.
This specification is the work of the OAuth Working Group, which
includes dozens of active and dedicated participants. In particular,
the following individuals contributed ideas, feedback, and wording
that shaped and formed the final specification:
Anthony Nadalin, Microsoft
Axel Nenker, Deutsche Telekom
Breno de Medeiros, Google
Brian Campbell, Ping Identity
Chuck Mortimore, Salesforce
Dirk Balfanz, Google
Eduardo Gueiros, Jive Communications
Hannes Tschonfenig, ARM
James Manger, Telstra
Justin Richer, MIT Kerberos
Josh Mandel, Boston Children's Hospital
Lewis Adam, Motorola Solutions
Madjid Nakhjiri, Samsung
Michael B. Jones, Microsoft
Paul Madsen, Ping Identity
Phil Hunt, Oracle
Prateek Mishra, Oracle
Ryo Ito, mixi
Scott Tomilson, Ping Identity
Sergey Beryozkin
Takamichi Saito
Torsten Lodderstedt, Deutsche Telekom
William Denniss, Google
Authors' Addresses Authors' Addresses
Nat Sakimura (editor) Nat Sakimura (editor)
Nomura Research Institute Nomura Research Institute
1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg. 1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg.
Chiyoda-ku, Tokyo 100-0005 Chiyoda-ku, Tokyo 100-0005
Japan Japan
Phone: +81-3-5533-2111 Phone: +81-3-5533-2111
skipping to change at page 21, line 16 skipping to change at page 20, line 29
Casilla 177, Sucursal Talagante Casilla 177, Sucursal Talagante
Talagante, RM Talagante, RM
Chile Chile
Phone: +44 20 8133 3718 Phone: +44 20 8133 3718
Email: ve7jtb@ve7jtb.com Email: ve7jtb@ve7jtb.com
URI: http://www.thread-safe.com/ URI: http://www.thread-safe.com/
Naveen Agarwal Naveen Agarwal
Google Google
1600 Amphitheatre Pkwy 1600 Amphitheatre Parkway
Mountain View, CA 94043 Mountain View, CA 94043
USA United States
Phone: +1 650-253-0000 Phone: +1 650-253-0000
Email: naa@google.com Email: naa@google.com
URI: http://google.com/ URI: http://google.com/
 End of changes. 128 change blocks. 
443 lines changed or deleted 348 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/