The disadvantage of requiring PKCE for OpenID Connect implementations is that
you’re trying to add a normative requirement that’s not required of OpenID
Connect deployments today, which would bifurcate the ecosystem. There are
hundreds of implementations (including the 141 certified ones at
https://openid.net/certification/), none of which have ever been required to
support PKCE. Therefore, most don’t.
Per feedback already provided, I believe that OAuth 2.1 should align with the
guidance already in the draft Security BCP, requiring EITHER the use of PKCE or
the OpenID Connect nonce. Trying to retroactively impose unnecessary
requirements on existing deployments is unlikely to succeed and will
significantly reduce the relevance of the OAuth 2.1 effort.
In particular, authorization servers shouldn’t be required to support PKCE when
they already support the OpenID Connect nonce. And clients shouldn’t reject
responses from servers that don’t support PKCE when they do contain the OpenID
Connect nonce. Doing so would unnecessarily break things and create confusion
in the marketplace.
-- Mike
From: OAuth <[email protected]> On Behalf Of Dick Hardt
Sent: Wednesday, May 6, 2020 10:48 AM
To: [email protected]
Subject: [OAUTH-WG] OAuth 2.1 - require PKCE?
Hello!
We would like to have PKCE be a MUST in OAuth 2.1 code flows. This is best
practice for OAuth 2.0. It is not common in OpenID Connect servers as the nonce
solves some of the issues that PKCE protects against. We think that most OpenID
Connect implementations also support OAuth 2.0, and hence have support for PKCE
if following best practices.
The advantages of requiring PKCE are:
- a simpler programming model across all OAuth applications and profiles as
they all use PKCE
- reduced attack surface when using S256 as a fingerprint of the verifier is
sent through the browser instead of the clear text value
- enforcement by AS not client - makes it easier to handle for client
developers and AS can ensure the check is conducted
What are disadvantages besides the potential impact to OpenID Connect
deployments? How significant is that impact?
Dick, Aaron, and Torsten
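The following Python sketch is an added example and is not code from either message in this thread. It shows the PKCE S256 mechanics the advantages list above refers to (only a SHA-256 fingerprint of the code_verifier travels through the browser; the verifier itself is presented to the token endpoint over the back channel, where the AS enforces the match) and an authorization-server admission check that accepts either PKCE or an OpenID Connect nonce, the "EITHER/OR" position taken in the reply at the top of the thread. The function names and the shape of the stored-code record are assumptions made for this example; the test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed example; function names and the stored-code record layout are
# assumptions, not part of any standard or of the messages in this thread.

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    This fingerprint is what the browser carries to the authorization endpoint."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """AS side: recompute the fingerprint from the presented verifier and compare.
    Only S256 is accepted here; a 'plain' challenge would expose the verifier
    on the front channel, which is the attack surface S256 removes."""
    if method != "S256":
        return False
    if not _VERIFIER_RE.match(verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


def authorization_request_acceptable(params: dict) -> bool:
    """AS admission check for a code-flow authorization request: the request must
    be protected by PKCE (code_challenge present) OR by an OpenID Connect nonce
    (openid scope plus nonce). Neither means the request is rejected."""
    has_pkce = "code_challenge" in params
    scopes = params.get("scope", "").split()
    has_nonce = "openid" in scopes and "nonce" in params
    return has_pkce or has_nonce


def redeem_code(stored: dict, code_verifier: Optional[str]) -> bool:
    """AS token-endpoint check. 'stored' is the record the AS kept when it issued
    the code (assumed keys: code_challenge, code_challenge_method). If the code
    was bound to a challenge, the verifier is mandatory and must match; a code
    issued to a nonce-protected OIDC request carries no challenge and the
    nonce is checked by the client against the ID token instead."""
    challenge = stored.get("code_challenge")
    if challenge is None:
        return True
    if code_verifier is None:
        return False
    return verify_code_challenge(code_verifier, challenge,
                                 stored.get("code_challenge_method", "plain"))


if __name__ == "__main__":
    # Walk one code flow: verifier stays with the client, fingerprint goes out.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    request = {"response_type": "code", "scope": "profile",
               "code_challenge": challenge, "code_challenge_method": "S256"}
    print("authorization request accepted:", authorization_request_acceptable(request))
    stored = {"code_challenge": challenge, "code_challenge_method": "S256"}
    print("token request with verifier:", redeem_code(stored, verifier))
    print("token request without verifier:", redeem_code(stored, None))
```

The admission check models the "either PKCE or nonce" guidance only; an AS that chooses to require PKCE unconditionally would drop the `has_nonce` branch, which is exactly the bifurcation the reply above warns about.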
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth