[OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

William Denniss <wdenniss@google.com> Tue, 19 January 2016 05:46 UTC

Date: Mon, 18 Jan 2016 21:46:24 -0800
Message-ID: <CAAP42hD3vpwnBYzu6YZVXtTimVuFHzgQ9Pksn1RQNEwogPZRJw@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/0VQxo2SG7iBEKezBEtybi9yu4uM>
Subject: [OAUTH-WG] Google's OAuth endpoints now fully support PKCE (RFC7636)

This month we rolled out full PKCE (RFC7636) support on our OAuth endpoints.

We'd previously implemented an earlier draft but were not conformant to the
final spec when it was published – now we are. Both "plain" and "S256"
transforms are supported. As always, get the latest endpoints from our
discovery document:
https://accounts.google.com/.well-known/openid-configuration

If you give it a spin, let me know how you go! The team monitors the Stack
Overflow google-oauth
<http://stackoverflow.com/questions/tagged/google-oauth> tag too, for any
implementation questions.

I'm keen to know what we should be putting in our discovery doc to declare
PKCE support (see the thread "Advertise PKCE support in OAuth 2.0
Discovery"), hope we can agree on that soon.

One implementation detail not covered in the spec: we error if you
send code_verifier to the token endpoint when exchanging a code that was
issued without a code_challenge being present. The assumption being that if
you are sending code_verifier on the token exchange, you are using PKCE and
should have sent code_challenge on the authorization request, so something
is amiss.

William
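As an added illustration (not part of the email and not Google's code), the token-endpoint check described above, written in Python against RFC 7636: the server looks up the code_challenge it stored when the code was issued, supports both "plain" and "S256", and refuses a code_verifier sent for a code that had no code_challenge. The stored-state dict and the verify_pkce name are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes=32):
    # RFC 7636 section 4.1: 43-128 chars from the unreserved set; 32 random
    # bytes base64url-encoded without padding give exactly 43 chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier):
    # RFC 7636 section 4.2: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(issued, code_verifier):
    """Token-endpoint check. `issued` is the state the server recorded when
    the authorization code was minted (assumed shape: 'code_challenge' or
    None, plus 'code_challenge_method'). Returns (ok, error_code)."""
    challenge = issued.get("code_challenge")
    method = issued.get("code_challenge_method") or "plain"
    if challenge is None:
        # The detail from the email: a verifier for a code issued without a
        # challenge means the two requests disagree, so the exchange is refused.
        return (False, "invalid_grant") if code_verifier is not None else (True, None)
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return (False, "invalid_grant")
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return (False, "invalid_request")
    # Constant-time comparison so a wrong verifier is not distinguishable by timing.
    if hmac.compare_digest(expected, challenge):
        return (True, None)
    return (False, "invalid_grant")
```

The S256 test vector used below is the one from RFC 7636 Appendix B, so the transform can be checked against the spec directly.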