Symmetric Proof of
Possession for the OAuth Authorization Code GrantNomura Research Institute1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg.Chiyoda-ku100-0005TokyoJapan+81-3-5533-2111n-sakimura@nri.co.jphttp://nat.sakimura.org/Ping IdentityCasilla 177, Sucursal TalaganteTalaganteRMChile+44 20 8133 3718ve7jtb@ve7jtb.comhttp://www.thread-safe.com/Googlenaa@google.com
Security
OAuth Working GroupThe OAuth 2.0 public client utilizing
Authorization Code Grant (RFC 6749 - 4.1) is
susceptible to the code interception attack. This specification describes
a mechanism that acts as a control against this threat.Public clients in OAuth 2.0 are
susceptible to the authorization code interception attack.
A malicious client intercepts the authorization code returned from the
authorization endpoint and uses it to obtain the access token.
This is possible on a public client as there is no client
secret associated for it to be sent to the token endpoint. This is
especially true on Smartphone applications where
the authorization code can be returned through custom URL Schemes
where the same scheme can be registered by multiple applications.
Under this scenario, the mitigation strategy stated in section
4.4.1 of does not work as they rely on
per-client instance secret or per client instance redirect URI.To mitigate this attack, this extension utilizes a dynamically created
cryptographically random key called 'code verifier'. The code verifier
is created for every authorization request and its transformed value,
called 'code challenge', is sent to the authorization server to obtain the
authorization code. The authorization code obtained is
then sent to the token endpoint with the 'code verifier' and the server
compares it with the previously received request code so that it can
perform the proof of possession of the 'code verifier' by the client. This
works as the mitigation since the attacker would not know this one-time
key.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in
Key words for use in RFCs to Indicate Requirement Levels .
If these words are used without being spelled in uppercase then
they are to be interpreted with their normal natural language meanings.
BASE64URL(OCTETS) denotes the base64url encoding of OCTETS,
per producing a STRING.
BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING,
per , producing a UTF-8 sequence of octets.
SHA256(STRING) denotes a SHA2 256bit hash of STRING.
UTF8(STRING) denotes the octets of the
UTF-8 representation of STRING.
ASCII(STRING) denotes the octets of the
ASCII representation of STRING.
The concatenation of two values A and B
is denoted as A || B.
In addition to the terms defined in OAuth
2.0, this specification defines the following terms:
A cryptographically random string that is used to correlate the
authorization request to the token request.
A challenge derived from the code verifier that is sent in the
authorization request, to be verified against later.
Base64 encoding using the URL- and filename-safe
character set defined in Section 5 of RFC 4648,
with all trailing '=' characters omitted (as permitted by Section 3.2)
and without the inclusion of any line breaks, white space, or other additional characters.
(See for notes on
implementing base64url encoding without padding.)
The client first creates a code verifier, code_verifier,
for each OAuth 2.0 Authorization Request,
in the following manner:code_verifier = high entropy cryptographic random sequence using the
url and filename safe Alphabet [A-Z] / [a-z] / [0-9] / "-" / "_" from Sec 5 of
RFC 4648
, with length less than 128 characters.ABNF for code_verifier is as follows.NOTE: code verifier SHOULD have enough entropy to make it
impractical to guess the value.
It is RECOMMENDED that the output of a suitable random number generator
be used to create a 32-octet sequence. The Octet sequence is then BASE64URL encoded
to produce a 42-octet URL safe string to use as the code verifier.The client then creates a code challenge,
code_challenge,
derived from the code_verifier. The code challenge can use one of two transformations on
the code_verifier.
code_challenge = code_verifiercode_challenge = BASE64URL(SHA256(code_verifier))
It is RECOMMENDED to use the S256 transformation when possible.ABNF for code_challenge is as follows.The client sends the code challenge as part of the OAuth 2.0 Authorization
Request (Section 4.1.1.) using the following additional parameters:REQUIRED. Code challenge.OPTIONAL, defaults to plain. Code verifier transformation method,
S256 or plain. When the server issues the code in the Authorization Response,
it MUST associate the code_challenge and code_challenge_method values with
the code so it can be verified later.Typically, the code_challenge and code_challenge_method values are stored in
encrypted form in the code itself, but
it could as well be just stored at the server, associated with the
code. The server MUST NOT include the code_challenge
value in the form that other entities can extract.The exact method that the server uses to associate the code_challenge
with the issued code is out of scope for this specification.Upon receipt of the code, the client
sends the Access Token Request to the token endpoint. In addition to the
parameters defined in OAuth 2.0 Access Token Request (Section 4.1.3.), it
sends the following parameter:REQUIRED. Code verifierUpon receipt of the request at the Access Token endpoint, the server
verifies it by calculating the code challenge from received code_verifier and comparing it with the
previously associated code_challenge,
after first transforming it according to the code_challenge_method method specified by the client.If the code_challenge_method from 3.2
was S256, the received code_verifier
is first hashed with SHA-256 then compared to the base64url decoded code_challenge. i.e.,
SHA256(code_verifier )
== BASE64URL-DECODE(code_challenge).If the code_challenge_method from 3.2
was none, they are compared
directly. i.e., code_challenge == code_verifier.If the values are equal, the Access Token endpoint MUST continue
processing as normal (as defined by OAuth 2.0). If the values are not equal, an
error response indicating invalid_grant as
described in section 5.2 of OAuth 2.0
MUST be returned.Server implementations of this specification MAY accept OAuth2.0 Clients that
do not implement this extension. If the code_verifier is not received from the client
in the Authorization Request, servers supporting backwards compatibility SHOULD revert
to a normal OAuth 2.0 protocol.As the OAuth 2.0 server
responses are unchanged by this specification, client
implementations of this specification do not need to know if the
server has implemented this specification or not,
and SHOULD send the additional parameters as defined in Section 3. to
all servers.This specification makes a registration request as follows:This specification registers the following parameters in the IANA
OAuth Parameters registry defined in OAuth
2.0.Parameter name: code_verifierParameter usage location: Access Token RequestChange controller: IESGSpecification document(s): this documentParameter name: code_challengeParameter usage location: Authorization RequestChange controller: IESGSpecification document(s): this documentParameter name: code_challenge_methodParameter usage location: Authorization RequestChange controller: IESGSpecification document(s): this documentThe security model relies on the fact that the code verifier is not
learned or guessed by the attacker. It is vitally important to adhere to
this principle. As such, the code verifier has to be created in such a
manner that it is cryptographically random and has high entropy that it
is not practical for the attacker to guess.
It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence.
Unless there is a compelling reason, implementations SHOULD use
S256 method to protect against
eavesdroppers intercepting the code_challenge.
If the no transformation algorithm, which is the default algorithm,
is used, the client SHOULD make sure that the authorization request is
adequately protected from an eavesdropper.
If code_challenge is to be returned
inside authorization code,
it has to be encrypted in such
a manner that only the server can decrypt and extract it.
Before starting the authorization process, the client SHOULD make
sure that the server supports this specification.
Confirmation of the server support may be obtained
out-of-band or through some other mechanisms such as the discovery
document in OpenID Connect
Discovery. The exact mechanism on how the client obtains this
information is out of scope of this specification.
All the OAuth security analysis presented in
applies so readers SHOULD carefully follow it.The initial draft of this specification was created by the OpenID
AB/Connect Working Group of the OpenID Foundation, by most notably of
the following people:Naveen Agarwal, GoogleDirk Balfanz, GoogleSergey BeryozkinJohn Bradley, Ping IdentityBrian Campbell, Ping IdentityWilliam Denniss, GoogleEduardo Gueiros, Jive CommunicationsPhil Hunt, OracleRyo Ito, mixiMichael B. Jones, MicrosoftTorsten Lodderstedt, Deutsche TelekomBreno de Medeiros, GooglePrateek Mishra, OracleAnthony Nadalin, MicrosoftAxel Nenker, Deutsche TelekomNat Sakimura, Nomura Research Institute-01Specified exactly two supported transformationsMoved discovery steps to security considerations.Incorporated readability comments by Eduardo Gueiros.Changed MUST in 3.1 to SHOULD.-00Initial IETF version.Coded Character Set -- 7-bit American Standard Code for Information InterchangeAmerican National Standards InstituteOpenID Connect Discovery 1.0Nomura Research Institute, Ltd.Ping IdentityMicrosoftIllumila
This appendix describes how to implement base64url encoding
and decoding functions without padding based upon standard
base64 encoding and decoding functions that do use padding.
To be concrete, example C# code implementing these functions
is shown below. Similar code could be used in other
languages.
As per the example code above, the number of '=' padding
characters that needs to be added to the end of a base64url
encoded string without padding to turn it into one with
padding is a deterministic function of the length of the
encoded string. Specifically,
if the length mod 4 is 0, no padding is added;
if the length mod 4 is 2, two '=' padding characters are added;
if the length mod 4 is 3, one '=' padding character is added;
if the length mod 4 is 1, the input is malformed.
An example correspondence between unencoded and encoded values
follows. The octet sequence below encodes into the string
below, which when decoded, reproduces the octet sequence.