draft-ietf-oauth-spop-07.txt   draft-ietf-oauth-spop-08.txt 
OAuth Working Group N. Sakimura, Ed. OAuth Working Group N. Sakimura, Ed.
Internet-Draft Nomura Research Institute Internet-Draft Nomura Research Institute
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: August 4, 2015 Ping Identity Expires: August 7, 2015 Ping Identity
N. Agarwal N. Agarwal
Google Google
January 31, 2015 February 03, 2015
Proof Key for Code Exchange by OAuth Public Clients Proof Key for Code Exchange by OAuth Public Clients
draft-ietf-oauth-spop-07 draft-ietf-oauth-spop-08
Abstract Abstract
OAuth 2.0 public clients utilizing the Authorization Code Grant are OAuth 2.0 public clients utilizing the Authorization Code Grant are
susceptible to the authorization code interception attack. This susceptible to the authorization code interception attack. This
specification describes the attack as well as a technique to mitigate specification describes the attack as well as a technique to mitigate
against the threat. against the threat.
Status of This Memo Status of This Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 4, 2015. This Internet-Draft will expire on August 7, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 15 skipping to change at page 2, line 15
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 4
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 5 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Client creates a code verifier . . . . . . . . . . . . . 6 4.1. Client creates a code verifier . . . . . . . . . . . . . 6
4.2. Client creates the code challenge . . . . . . . . . . . . 6 4.2. Client creates the code challenge . . . . . . . . . . . . 7
4.3. Client sends the code challenge with the authorization 4.3. Client sends the code challenge with the authorization
request . . . . . . . . . . . . . . . . . . . . . . . . . 7 request . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.4. Server returns the code . . . . . . . . . . . . . . . . . 7 4.4. Server returns the code . . . . . . . . . . . . . . . . . 7
4.4.1. Error Response . . . . . . . . . . . . . . . . . . . 7 4.4.1. Error Response . . . . . . . . . . . . . . . . . . . 8
4.5. Client sends the code and the secret to the token 4.5. Client sends the code and the secret to the token
endpoint . . . . . . . . . . . . . . . . . . . . . . . . 8 endpoint . . . . . . . . . . . . . . . . . . . . . . . . 8
4.6. Server verifies code_verifier before returning the tokens 8 4.6. Server verifies code_verifier before returning the tokens 8
5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 8 5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6.1. OAuth Parameters Registry . . . . . . . . . . . . . . . . 9 6.1. OAuth Parameters Registry . . . . . . . . . . . . . . . . 9
6.2. PKCE Code Challenge Method Registry . . . . . . . . . . . 9 6.2. PKCE Code Challenge Method Registry . . . . . . . . . . . 10
6.2.1. Registration Template . . . . . . . . . . . . . . . . 10 6.2.1. Registration Template . . . . . . . . . . . . . . . . 10
6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 10 6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7.1. Entropy of the code verifier . . . . . . . . . . . . . . 11 7.1. Entropy of the code verifier . . . . . . . . . . . . . . 11
7.2. Protection against eavesdroppers . . . . . . . . . . . . 11 7.2. Protection against eavesdroppers . . . . . . . . . . . . 11
7.3. Entropy of the code_verifier . . . . . . . . . . . . . . 11 7.3. Entropy of the code_verifier . . . . . . . . . . . . . . 12
7.4. OAuth security considerations . . . . . . . . . . . . . . 12 7.4. OAuth security considerations . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
9. Revision History . . . . . . . . . . . . . . . . . . . . . . 13 9. Revision History . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.1. Normative References . . . . . . . . . . . . . . . . . . 14 10.1. Normative References . . . . . . . . . . . . . . . . . . 15
10.2. Informative References . . . . . . . . . . . . . . . . . 14 10.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. Notes on implementing base64url encoding without Appendix A. Notes on implementing base64url encoding without
padding . . . . . . . . . . . . . . . . . . . . . . 14 padding . . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Appendix B. Example for the S256 code_challenge_method . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
OAuth 2.0 [RFC6749] public clients are susceptible to the OAuth 2.0 [RFC6749] public clients are susceptible to the
authorization "code" interception attack. authorization "code" interception attack.
The attacker thereby intercepts the authorization code returned from The attacker thereby intercepts the authorization code returned from
the authorization endpoint within communication path not protected by the authorization endpoint within communication path not protected by
TLS, such as inter-app communication within the operating system of TLS, such as inter-app communication within the operating system of
the client. the client.
skipping to change at page 5, line 45 skipping to change at page 6, line 16
notation of [RFC5234]. notation of [RFC5234].
STRING denotes a sequence of zero or more ASCII [RFC0020] characters. STRING denotes a sequence of zero or more ASCII [RFC0020] characters.
OCTETS denotes a sequence of zero or more octets. OCTETS denotes a sequence of zero or more octets.
ASCII(STRING) denotes the octets of the ASCII [RFC0020] ASCII(STRING) denotes the octets of the ASCII [RFC0020]
representation of STRING where STRING is a sequence of zero or more representation of STRING where STRING is a sequence of zero or more
ASCII characters. ASCII characters.
BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per BASE64URL-ENCODE(OCTETS) denotes the base64url encoding of OCTETS,
Section 3 producing a STRING. per Section 3 producing a STRING.
BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING, BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING,
per Section 3, producing a sequence of octets. per Section 3, producing a sequence of octets.
SHA256(OCTETS) denotes a SHA2 256bit hash [RFC6234] of OCTETS. SHA256(OCTETS) denotes a SHA2 256bit hash [RFC6234] of OCTETS.
3. Terminology 3. Terminology
In addition to the terms defined in OAuth 2.0 [RFC6749], this In addition to the terms defined in OAuth 2.0 [RFC6749], this
specification defines the following terms: specification defines the following terms:
skipping to change at page 6, line 29 skipping to change at page 6, line 48
base64url encoding without padding.) base64url encoding without padding.)
4. Protocol 4. Protocol
4.1. Client creates a code verifier 4.1. Client creates a code verifier
The client first creates a code verifier, "code_verifier", for each The client first creates a code verifier, "code_verifier", for each
OAuth 2.0 [RFC6749] Authorization Request, in the following manner: OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
code_verifier = high entropy cryptographic random STRING using the code_verifier = high entropy cryptographic random STRING using the
url and filename safe Alphabet [A-Z] / [a-z] / [0-9] / "-" / "_" from Unreserved Characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
Sec 5 of RFC 4648 [RFC4648], with length less than 128 characters. from Sec 2.3 of RFC 3986 [RFC3986], with length less than 128
characters.
ABNF for "code_verifier" is as follows. ABNF for "code_verifier" is as follows.
code-verifier = 42*128unreserved code-verifier = 42*128unreserved
unreserved = ALPHA / DIGIT / "-" / "_" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39 DIGIT = %x30-39
NOTE: code verifier SHOULD have enough entropy to make it impractical NOTE: code verifier SHOULD have enough entropy to make it impractical
to guess the value. It is RECOMMENDED that the output of a suitable to guess the value. It is RECOMMENDED that the output of a suitable
random number generator be used to create a 32-octet sequence. The random number generator be used to create a 32-octet sequence. The
Octet sequence is then BASE64URL encoded to produce a 42-octet URL Octet sequence is then BASE64URL encoded to produce a 42-octet URL
safe string to use as the code verifier. safe string to use as the code verifier.
4.2. Client creates the code challenge 4.2. Client creates the code challenge
The client then creates a code challenge, "code_challenge", derived The client then creates a code challenge, "code_challenge", derived
from the "code_verifier" by using one of the following from the "code_verifier" by using one of the following
transformations on the "code_verifier": transformations on the "code_verifier":
plain "code_challenge" = "code_verifier" plain "code_challenge" = "code_verifier"
S256 "code_challenge" = BASE64URL(SHA256(ASCII("code_verifier"))) S256 "code_challenge" = BASE64URL-
ENCODE(SHA256(ASCII("code_verifier")))
It is RECOMMENDED to use the S256 transformation when possible. It is RECOMMENDED to use the S256 transformation when possible.
ABNF for "code_challenge" is as follows. ABNF for "code_challenge" is as follows.
code-challenge = 42*128unreserved code-challenge = 42*128unreserved
unreserved = ALPHA / DIGIT / "-" / "_" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39 DIGIT = %x30-39
4.3. Client sends the code challenge with the authorization request 4.3. Client sends the code challenge with the authorization request
The client sends the code challenge as part of the OAuth 2.0 The client sends the code challenge as part of the OAuth 2.0
[RFC6749] Authorization Request (Section 4.1.1.) using the following [RFC6749] Authorization Request (Section 4.1.1.) using the following
additional parameters: additional parameters:
code_challenge REQUIRED. Code challenge. code_challenge REQUIRED. Code challenge.
skipping to change at page 13, line 10 skipping to change at page 13, line 33
Scott Tomilson, Ping Identity Scott Tomilson, Ping Identity
Sergey Beryozkin Sergey Beryozkin
Takamichi Saito Takamichi Saito
Torsten Lodderstedt, Deutsche Telekom Torsten Lodderstedt, Deutsche Telekom
William Denniss, Google William Denniss, Google
9. Revision History 9. Revision History
-07 -07
o changed BASE64URL to BASE64URL-ENCODE to be more consistent with
appendix A Fixed lowercase base64url in appendix B
o Added appendix B as an example of S256 processing
o Change reference for unreserved characters to RFC3986 from
base64URL
-07
o removed unused discovery reference and UTF8 o removed unused discovery reference and UTF8
o re #32 added ASCII(STRING) to make clear that it is the byte array o re #32 added ASCII(STRING) to make clear that it is the byte array
that is being hashed that is being hashed
o re #2 Remove discovery requirement section. o re #2 Remove discovery requirement section.
o updated Acknowledgement o updated Acknowledgement
o re #32 remove unneeded UTF8(STRING) definition, and define STRING o re #32 remove unneeded UTF8(STRING) definition, and define STRING
for ASCII(STRING) for ASCII(STRING)
o re #32 remove unneeded utf8 reference from BASE64URL- o re #32 remove unneeded utf8 reference from BASE64URL-
DECODE(STRING) def DECODE(STRING) def
o resolves #31 unused definition of concatenation o resolves #31 unused definition of concatenation
skipping to change at page 14, line 29 skipping to change at page 15, line 15
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC0020] Cerf, V., "ASCII format for network interchange", RFC 20, [RFC0020] Cerf, V., "ASCII format for network interchange", RFC 20,
October 1969. October 1969.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
skipping to change at page 16, line 5 skipping to change at page 16, line 47
malformed. malformed.
An example correspondence between unencoded and encoded values An example correspondence between unencoded and encoded values
follows. The octet sequence below encodes into the string below, follows. The octet sequence below encodes into the string below,
which when decoded, reproduces the octet sequence. which when decoded, reproduces the octet sequence.
3 236 255 224 193 3 236 255 224 193
A-z_4ME A-z_4ME
Appendix B. Example for the S256 code_challenge_method
The client uses output of a suitable random number generator to
create a 32-octet sequence. The octets representing the value in
this example (using JSON array notation) are:"
[116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173,
187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83,
132, 141, 121]
Encoding this octet sequence as a Base64url provides the value of the
code_verifier:
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
The code_verifier is then hashed via the SHA256 hash function to
produce:
[19, 211, 30, 150, 26, 26, 216, 236, 47, 22, 177, 12, 76, 152, 46,
8, 118, 168, 120, 173, 109, 241, 68, 86, 110, 225, 137, 74, 203,
112, 249, 195]
Encoding this octet sequence as a Base64url provides the value of the
code_challenge:
E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
The authorization request includes:
code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
&code_challange_method=S256
The Authorization server then records the code_challenge and
code_challenge_method along with the code that is granted to the
client.
in the request to the token_endpoint the client includes the code
received in the authorization response as well as the additional
paramater:
code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
The Authorization server retrieves the information for the code
grant. Based on the recorded code_challange_method being S256, it
then hashes the value of code_verifier. SHA256(ASCII("code_verifier"
))
The Authorization can then either one of:
BASE64-DECODE(code_challenge ) == SHA256(ASCII("code_verifier" ))
BASE64URL-ENCODE(SHA256(ASCII("code_verifier" ))) ==
code_challenge
If the two values are equal then the Authorization server can provide
the tokens as long as there are no other errors in the request. If
the values are not equal then the request must be rejected, and an
error returned.
Authors' Addresses Authors' Addresses
Nat Sakimura (editor) Nat Sakimura (editor)
Nomura Research Institute Nomura Research Institute
1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg. 1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg.
Chiyoda-ku, Tokyo 100-0005 Chiyoda-ku, Tokyo 100-0005
Japan Japan
Phone: +81-3-5533-2111 Phone: +81-3-5533-2111
Email: n-sakimura@nri.co.jp Email: n-sakimura@nri.co.jp
 End of changes. 20 change blocks. 
22 lines changed or deleted 96 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/