Proof Key for Code Exchange by OAuth Public ClientsNomura Research Institute1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg.Chiyoda-ku100-0005TokyoJapan+81-3-5533-2111n-sakimura@nri.co.jphttp://nat.sakimura.org/Ping IdentityCasilla 177, Sucursal TalaganteTalaganteRMChile+44 20 8133 3718ve7jtb@ve7jtb.comhttp://www.thread-safe.com/Google1600 Amphitheatre PkwyMountain ViewCA94043USA+1 650-253-0000naa@google.comhttp://google.com/
Security
OAuth Working GroupOAuth 2.0 public clients utilizing the Authorization Code Grant are
susceptible to the authorization code interception attack. This specification
describes the attack as well as a technique to mitigate against the threat.OAuth 2.0 public clients are
susceptible to the authorization code
interception attack.The attacker thereby intercepts the authorization code returned
from the authorization endpoint within communication path not
protected by TLS, such as inter-app communication within the
operating system of the client.Once the attacker has gained access to the authorization code it
can use it to obtain the access token.Figure 1 shows the attack graphically. In step (1) the native
app running on the end device, such as a smart phone, issues
an authorization request via the browser/operating system, which
then gets forwarded to the OAuth 2.0 authorization server in
step (2). The authorization server returns the authorization code
in step (3). The malicious app is able to observe the
authorization code in step (4) since it is registered to the
custom URI scheme used by the legitimate app. This allows the
attacker to reguest and obtain an access token in step (5)
and step (6), respectively.A number of pre-conditions need to hold in order for this attack
to work:The attacker manages to register a malicious application on
the client device and registers a custom URI scheme that is
also used by another application.
The operating systems must allow a custom URI schemes to
be registered by multiple applications.
The OAuth 2.0 authorization code grant is used.
The attacker has access to the client id. All native app
client-instances use the same client id. No client secret is
used (since public clients cannot keep their secrets
confidential.)
The attacker (via the installed app) is able to observe
responses from the authorization endpoint. As a more
sophisticated attack scenario the attacker is also able
to observe requests (in addition to responses) to the
authorization endpoint. The attacker is, however, not
able to act as a man-in-the-middle.
While this is a long list of pre-conditions the described attack
has been observed in the wild and has to be considered in
OAuth 2.0 deployments.
While the OAuth 2.0 Threat Model
Section 4.4.1
describes mitigation techniques they are, unfortunately, not applicable
since they rely on a per-client instance secret or aper client
instance redirect URI.To mitigate this attack, this extension utilizes a dynamically created
cryptographically random key called 'code verifier'. A unique code verifier
is created for every authorization request and its transformed value,
called 'code challenge', is sent to the authorization server to obtain the
authorization code. The authorization code obtained is
then sent to the token endpoint with the 'code verifier' and the server
compares it with the previously received request code so that it can
perform the proof of possession of the 'code verifier' by the client. This
works as the mitigation since the attacker would not know this one-time
key.This specification adds additional parameters to the OAuth 2.0 Authorization
and Access Token Requests, shown in abstract form in Figure 1.
The client creates and records a secret named the
code_verifier,
and derives a transformed version t(code_verifier)
(referred to as the code_challenge)
which is sent in the OAuth 2.0 Authorization Request, along with
the transformation method t.
The Authorization Endpoint responds as usual, but records
t(code_verifier) and the transformation method.
The client then sends the code in the Access Token
Request as usual, but includes the code_verifier
secret generated at (A).
The authorization server transforms code_verifier
and compares it to t(code_verifier) from (B). Access is
denied if they are not equal.
An attacker who intercepts the Authorization Grant at (B) is unable to redeem
it for an Access Token, as they are not in
possession of the code_verifier secret.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in
Key words for use in RFCs to Indicate Requirement Levels .
If these words are used without being spelled in uppercase then
they are to be interpreted with their normal natural language meanings.
This specification uses the Augmented Backus-Naur Form (ABNF)
notation of .
STRING denotes a sequence of zero or more ASCII characters.
OCTETS denotes a sequence of zero or more octets. ASCII(STRING) denotes the octets of the ASCII representation
of STRING where STRING is a sequence of zero or more ASCII characters.
BASE64URL-ENCODE(OCTETS) denotes the base64url encoding of OCTETS,
per producing a STRING.
BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING,
per , producing a sequence of octets.
SHA256(OCTETS) denotes a SHA2 256bit hash of OCTETS.
In addition to the terms defined in OAuth
2.0, this specification defines the following terms:
A cryptographically random string that is used to correlate the
authorization request to the token request.
A challenge derived from the code verifier that is sent in the
authorization request, to be verified against later.
Base64 encoding using the URL- and filename-safe
character set defined in Section 5 of ,
with all trailing '=' characters omitted
(as permitted by Section 3.2 of )
and without the inclusion of any line breaks, whitespace, or other additional
characters. (See for notes on
implementing base64url encoding without padding.)
The client first creates a code verifier, code_verifier,
for each OAuth 2.0 Authorization Request,
in the following manner:code_verifier = high entropy cryptographic random STRING
using the Unreserved Characters
[A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" from Sec 2.3 of
, with a minimum length of 43 characters
and a maximum length of 128 characters.ABNF for code_verifier is as follows.NOTE: code verifier SHOULD have enough entropy to make it
impractical to guess the value.
It is RECOMMENDED that the output of a suitable random number generator
be used to create a 32-octet sequence. The Octet sequence is then base64url encoded
to produce a 43-octet URL safe string to use as the code verifier.The client then creates a code challenge,
code_challenge,
derived from the code_verifier by using
one of the following transformations on
the code_verifier:
code_challenge = code_verifiercode_challenge =
BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
It is RECOMMENDED to use the S256 transformation when possible.ABNF for code_challenge is as follows.The client sends the code challenge as part of the
OAuth 2.0 Authorization
Request (Section 4.1.1 of .)
using the following additional parameters:REQUIRED. Code challenge.OPTIONAL, defaults to
plain. Code verifier transformation method,
S256 or plain. When the server issues the code in the
Authorization Response,
it MUST associate the code_challenge and
code_challenge_method values with
the code so it can be verified later.Typically, the code_challenge and
code_challenge_method values are stored in
encrypted form in the code itself, but
could alternatively be stored on the server, associated with the
code. The server MUST NOT include the code_challenge
value in client requests in a form that other entities can extract.The exact method that the server uses to associate the
code_challenge
with the issued code is out of scope for this
specification.
If the server requires PKCE, and the client does not send
the code_challenge in the request,
the authorization endpoint MUST return the authorization error response with
error value set to invalid_request.
The error_description or the response of
error_uri SHOULD explain the nature of error,
e.g., code challenge required.
If the server supporting PKCE does not support the requested transform,
the authorization endpoint MUST return the authorization error response with
error value set to invalid_request.
The error_description or the response of
error_uri SHOULD explain the nature of error,
e.g., transform algorithm not supported.
If the client is capable of using S256,
it MUST use S256, as
S256
is Mandatory To Implement (MTI) on the server.
Clients MAY use plain only if they cannot support
S256 for
some technical reason and knows that the server supports
plain.
Upon receipt of the code, the client
sends the Access Token Request to the token endpoint. In addition to the
parameters defined in the OAuth 2.0 Access Token Request (Section 4.1.3 of
), it
sends the following parameter:REQUIRED. Code verifierUpon receipt of the request at the Access Token endpoint, the server
verifies it by calculating the code challenge from received code_verifier and comparing it with the
previously associated code_challenge,
after first transforming it according to the code_challenge_method method specified by the client.If the code_challenge_method from
was S256, the received code_verifier
is hashed by SHA-256, then base64url encoded, and then compared to the code_challenge. i.e.,
BASE64URL-ENCODE(SHA256(ASCII(code_verifier )))
== code_challengeIf the code_challenge_method from
was plain, they are compared
directly. i.e., code_verifier == code_challenge.If the values are equal, the Access Token endpoint MUST continue
processing as normal (as defined by OAuth 2.0). If the values are not equal, an
error response indicating invalid_grant as
described in section 5.2 of
MUST be returned.Server implementations of this specification MAY accept OAuth2.0 Clients that
do not implement this extension. If the code_verifier is
not received from the client
in the Authorization Request, servers supporting backwards compatibility SHOULD revert
to a normal OAuth 2.0 protocol.As the OAuth 2.0 server
responses are unchanged by this specification, client
implementations of this specification do not need to know if the
server has implemented this specification or not,
and SHOULD send the additional parameters as defined in Section 3. to
all servers.This specification makes a registration request as follows:This specification registers the following parameters in the IANA
OAuth Parameters registry defined in OAuth
2.0.Parameter name: code_verifierParameter usage location: Access Token RequestChange controller: IESGSpecification document(s): this documentParameter name: code_challengeParameter usage location: Authorization RequestChange controller: IESGSpecification document(s): this documentParameter name: code_challenge_methodParameter usage location: Authorization RequestChange controller: IESGSpecification document(s): this documentThis specification establishes the PKCE Code Challenge Method registry.Additional code_challenge_method types for use with the authorization endpoint
are registered with a Specification Required ([RFC5226]) after a two-week
review period on the oauth-ext-review@ietf.org mailing list, on the
advice of one or more Designated Experts. However, to allow for the
allocation of values prior to publication, the Designated Expert(s)
may approve registration once they are satisfied that such a
specification will be published.Registration requests must be sent to the oauth-ext-review@ietf.org
mailing list for review and comment, with an appropriate subject
(e.g., "Request for PKCE code_challenge_method: example").Within the review period, the Designated Expert(s) will either
approve or deny the registration request, communicating this decision
to the review list and IANA. Denials should include an explanation
and, if applicable, suggestions as to how to make the request
successful.IANA must only accept registry updates from the Designated Expert(s)
and should direct all requests for registration to the review mailing
list.
The name requested (e.g., "example").
Because a core goal of this specification is for the resulting
representations to be compact, it is RECOMMENDED that the name be short
-- not to exceed 8 characters without a compelling reason to do so.
This name is case-sensitive.
Names may not match other registered names in a case-insensitive manner
unless the Designated Expert(s) state that there is a compelling reason
to allow an exception in this particular case.
For Standards Track RFCs, state "IESG". For others, give the name of the
responsible party. Other details (e.g., postal address, email address,
home page URI) may also be included.
Reference to the document(s) that specify the parameter, preferably
including URI(s) that can be used to retrieve copies of the document(s).
An indication of the relevant
sections may also be included but is not required.
This specification registers the Code Challenge Method Parameter names defined in
in this registry.
Code Challenge Method Parameter Name: plain
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Code Challenge Method Parameter Name: S256
Change Controller: IESG
Specification Document(s): of [[ this document ]]
The security model relies on the fact that the code verifier is not
learned or guessed by the attacker. It is vitally important to adhere to
this principle. As such, the code verifier has to be created in such a
manner that it is cryptographically random and has high entropy that it
is not practical for the attacker to guess.
It is RECOMMENDED that the output of a suitable random number generator be used
to create a 32-octet sequence.
Clients MUST NOT try down grading the algorithm after trying
S256 method.
If the server is PKCE compliant, then S256 method works.
If the server does not support PKCE, it does not generate error.
Only the time that the server returns that it does not support
S256
is there is a MITM trying the algorithm downgrade attack.
S256 method protects against
eavesdroppers observing or intercepting the code_challenge.
If the plain method is used,
there is a chance that it will be observed by the attacker on the device.
The use of S256 protects against it.
If code_challenge is to be returned
inside authorization code to achieve a stateless server,
it has to be encrypted in such
a manner that only the server can decrypt and extract it.
The client SHOULD create a code_verifier with a minimum of 256bits of entropy.
This can be done by having a suitable random number generator create a 32-octet
sequence. The Octet sequence can then be base64url encoded to produce a 43-octet
URL safe string to use as a code_challenge that has the required entropy.
Salting is not used in the production of the code_verifier, as the code_chalange
contains sufficient entropy to prevent brute force attacks. Concatenating a
publicly known value to a code_challenge (with 256 bits of entropy) and then
hashing it with SHA256 would actually reduce the entropy in the resulting
code_verifier making it easier for an attacker to brute force.
While the S256 transformation is like hashing a password there are important
differences. Passwords tend to be relatively low entropy words that can be hashed
offline and the hash looked up in a dictionary. By concatenating a unique though
public value to each password prior to hashing, the dictionary space that an attacker
needs to search is greatly expanded.
Modern graphics processors now allow attackers to calculate
hashes in real time faster than they could be looked up from a disk.
This eliminates the value of the salt in increasing the complexity of
a brute force attack for even low entropy passwords.
All the OAuth security analysis presented in
applies so readers SHOULD carefully follow it.Curent security
considerations can be found in Recommendations
for Secure Use of TLS and DTLS. This
supersedes the TLS version recommendations in OAuth
2.0.The initial draft of this specification was created by the OpenID
AB/Connect Working Group of the OpenID Foundation. This specification is the work of the OAuth Working Group, which
includes dozens of active and dedicated participants. In particular,
the following individuals contributed ideas, feedback, and wording
that shaped and formed the final specification:Anthony Nadalin, MicrosoftAxel Nenker, Deutsche TelekomBreno de Medeiros, GoogleBrian Campbell, Ping IdentityChuck Mortimore, SalesforceDirk Balfanz, GoogleEduardo Gueiros, Jive CommunicationsHannes Tschonfenig, ARMJames Manger, TelstraJohn Bradley, Ping IdentityJustin Richer, MIT KerberosJosh Mandel, Boston Children's HospitalLewis Adam, Motorola SolutionsMadjid Nakhjiri, SamsungMichael B. Jones, MicrosoftNat Sakimura, Nomura Research InstituteNaveen Agarwal, GooglePaul Madsen, Ping IdentityPhil Hunt, OraclePrateek Mishra, OracleRyo Ito, mixiScott Tomilson, Ping IdentitySergey BeryozkinTakamichi SaitoTorsten Lodderstedt, Deutsche TelekomWilliam Denniss, Google-11add spanx for plain in sec 4.4 RE Kathleen's commentAdd security consideration on TLS and reference BCP195-10re #33 specify lower limit to code_verifier in proseremove base64url decode from draft, all steps now use encode onlyExpanded MTI re #33 change length of 32 octet base64url encoded string back to 43 octets-09clean up some external references so they don't point at internal sections-08changed BASE64URL to BASE64URL-ENCODE to be more consistent with appendix A
Fixed lowercase base64url in appendix BAdded appendix B as an example of S256 processing Change reference for unreserved characters to RFC3986 from base64URL-07removed unused discovery reference and UTF8re #32 added ASCII(STRING) to make clear that it is the byte array that is being hashedre #2 Remove discovery requirement section.updated Acknowledgementre #32 remove unneeded UTF8(STRING) definition, and define STRING for ASCII(STRING)re #32 remove unneeded utf8 reference from BASE64URL-DECODE(STRING) defresolves #31 unused definition of concatenation re #30 Update figure text call out the endpointsre #30 Update figure to call out the endpointssmall wording change to the introduction-06 fix datereplace spop with pkce for registry and other referencesre #29 change name againre #27 removed US-ASCII referencere #27 updated ABNF for code_verifier resolves #24 added security consideration for saltingresolves #29 Changed titleupdated reference to RFC4634 to RFC6234 re #27changed reference for US-ASCII to RFC20 re #27resolves #28 added Acknowledgementsresolves #27 updated ABNFresolves #26 updated abstract and added Hannes figure-05Added IANA registry for code_challenge_method + fixed some broken
internal references.-04Added error response to authorization response.-03Added an abstract protocol diagram and explanation-02Copy edits-01Specified exactly two supported transformationsMoved discovery steps to security considerations.Incorporated readability comments by Eduardo Gueiros.Changed MUST in 3.1 to SHOULD.-00Initial IETF version.Recommendations for Secure Use of Transport Layer Security (TLS) and
Datagram Transport Layer Security (DTLS)Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are
widely used to protect data exchanged over application protocols such as HTTP,
SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious
attacks on TLS have emerged, including attacks on its most commonly used cipher
suites and their modes of operation. This document provides recommendations for
improving the security of deployed services that use TLS and DTLS. The
recommendations are applicable to the majority of use cases.
This appendix describes how to implement a base64url encoding
function without padding based upon standard
base64 encoding function that uses padding.
To be concrete, example C# code implementing these functions
is shown below. Similar code could be used in other
languages.
An example correspondence between unencoded and encoded values
follows. The octet sequence below encodes into the string
below, which when decoded, reproduces the octet sequence.
The client uses output of a suitable random number generator to create a
32-octet sequence. The octets representing the value in this example
(using JSON array notation) are:"Encoding this octet sequence as a Base64url provides the value of the code_verifier:The code_verifier is then hashed via the SHA256 hash function to produce:Encoding this octet sequence as a base64url provides the value of the code_challenge:The authorization request includes:The Authorization server then records the code_challenge and
code_challenge_method along with the code that is granted to the client.in the request to the token_endpoint the client includes the code received in
the authorization response as well as the additional paramater:The Authorization server retrieves the information for the code grant.
Based on the recorded code_challange_method being S256, it then hashes
and base64url encodes the value of
code_verifier. BASE64URL-ENCODE(SHA256(ASCII(code_verifier )))The calculated value is then compared with the value of
code_challenge: BASE64URL-ENCODE(SHA256(ASCII(code_verifier )))
== code_challenge
If the two values are equal then the Authorization server can provide the tokens
as long as there are no other errors in the request. If the values are not equal
then the request must be rejected, and an error returned.