idnits 2.17.1 draft-ietf-oauth-spop-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 2) being 60 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 26, 2014) is 3470 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'A-Z' is mentioned on line 158, but not defined == Missing Reference: '0-9' is mentioned on line 158, but not defined ** Obsolete normative reference: RFC 4634 (Obsoleted by RFC 6234) -- Possible downref: Non-RFC (?) normative reference: ref. 'US-ASCII' Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 OAuth Working Group N. Sakimura, Ed. 3 Internet-Draft Nomura Research Institute 4 Intended status: Standards Track J. Bradley 5 Expires: April 27, 2015 Ping Identity 6 N. Agarwal 7 Google 8 October 26, 2014 10 Symmetric Proof of Possession for the OAuth Authorization Code Grant 11 draft-ietf-oauth-spop-02 13 Abstract 15 The OAuth 2.0 public client utilizing Authorization Code Grant (RFC 16 6749 - 4.1) is susceptible to the code interception attack. This 17 specification describes a mechanism that acts as a control against 18 this threat. 20 Status of this Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on April 27, 2015. 37 Copyright Notice 39 Copyright (c) 2014 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents (http://trustee.ietf.org/ 44 license-info) in effect on the date of publication of this document. 45 Please review these documents carefully, as they describe your rights 46 and restrictions with respect to this document. Code Components 47 extracted from this document must include Simplified BSD License text 48 as described in Section 4.e of the Trust Legal Provisions and are 49 provided without warranty as described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 54 2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 2 55 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 4.1. Client creates a code verifier . . . . . . . . . . . . . . 3 58 4.2. Client creates the code challenge . . . . . . . . . . . . 4 59 4.3. Client sends the code challenge with the authorization 60 request . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 4.4. Server returns the code . . . . . . . . . . . . . . . . . 4 62 4.5. Client sends the code and the secret to the token endpoint 5 63 4.6. Server verifies code_verifier before returning the tokens 5 64 5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 5 65 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 66 6.1. OAuth Parameters Registry . . . . . . . . . . . . . . . . 6 67 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 68 7.1. Entropy of the code verifier . . . . . . . . . . . . . . . 6 69 7.2. Protection against eavesdroppers . . . . . . . . . . . . . 6 70 7.3. Checking the Server support . . . . . . . . . . . . . . . 7 71 7.4. OAuth security considerations . . . . . . . . . . . . . . 7 72 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 73 9. Revision History . . . . . . . . . . . . . . . . . . . . . . . 8 74 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 75 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 76 10.2. Informative References . . . . . . . . . . . . . . . . . 8 77 Appendix A. Notes on implementing base64url encoding without paddin 9 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 80 1. Introduction 82 Public clients in OAuth 2.0 [RFC6749] are susceptible to the 83 authorization "code" interception attack. A malicious client 84 intercepts the authorization code returned from the authorization 85 endpoint and uses it to obtain the access token. This is possible on 86 a public client as there is no client secret associated for it to be 87 sent to the token endpoint. This is especially true on Smartphone 88 applications where the authorization code can be returned through 89 custom URL Schemes where the same scheme can be registered by 90 multiple applications. Under this scenario, the mitigation strategy 91 stated in section 4.4.1 of [RFC6819] does not work as they rely on 92 per-client instance secret or per client instance redirect URI. 94 To mitigate this attack, this extension utilizes a dynamically 95 created cryptographically random key called 'code verifier'. The code 96 verifier is created for every authorization request and its 97 transformed value, called 'code challenge', is sent to the 98 authorization server to obtain the authorization code. The 99 authorization "code" obtained is then sent to the token endpoint with 100 the 'code verifier' and the server compares it with the previously 101 received request code so that it can perform the proof of possession 102 of the 'code verifier' by the client. This works as the mitigation 103 since the attacker would not know this one-time key. 105 2. Notational Conventions 106 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 107 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 108 "OPTIONAL" in this document are to be interpreted as described in Key 109 words for use in RFCs to Indicate Requirement Levels [RFC2119]. If 110 these words are used without being spelled in uppercase then they are 111 to be interpreted with their normal natural language meanings. 113 This specification uses the Augmented Backus-Naur Form (ABNF) 114 notation of [RFC5234]. 116 BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per 117 Section 3 producing a [US-ASCII] STRING. 119 BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING, 120 per Section 3, producing a UTF-8 sequence of octets. 122 SHA256(STRING) denotes a SHA2 256bit hash [RFC4634] of STRING. 124 UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation 125 of STRING. 127 ASCII(STRING) denotes the octets of the ASCII [US-ASCII] 128 representation of STRING. 130 The concatenation of two values A and B is denoted as A || B. 132 3. Terminology 134 In addition to the terms defined in OAuth 2.0 [RFC6749], this 135 specification defines the following terms: 137 code verifier A cryptographically random string that is used to 138 correlate the authorization request to the token request. 140 code challenge A challenge derived from the code verifier that is 141 sent in the authorization request, to be verified against later. 143 Base64url Encoding Base64 encoding using the URL- and filename-safe 144 character set defined in Section 5 of RFC 4648 [RFC4648], with all 145 trailing '=' characters omitted (as permitted by Section 3.2) and 146 without the inclusion of any line breaks, whitespace, or other 147 additional characters. (See Appendix Appendix A for notes on 148 implementing base64url encoding without padding.) 150 4. Protocol 152 4.1. Client creates a code verifier 154 The client first creates a code verifier, "code_verifier", for each 155 OAuth 2.0 [RFC6749] Authorization Request, in the following manner: 157 code_verifier = high entropy cryptographic random [US-ASCII] sequence 158 using the url and filename safe Alphabet [A-Z] / [a-z] / [0-9] / "-" 159 / "_" from Sec 5 of RFC 4648 [RFC4648], with length less than 128 160 characters. 162 ABNF for "code_verifier" is as follows. 164 code_verifier = 42*128unreserved 165 unreserved = [A-Z] / [a-z] / [0-9] / "-" / "_" 167 NOTE: code verifier SHOULD have enough entropy to make it impractical 168 to guess the value. It is RECOMMENDED that the output of a suitable 169 random number generator be used to create a 32-octet sequence. The 170 Octet sequence is then BASE64URL encoded to produce a 42-octet URL 171 safe string to use as the code verifier. 173 4.2. Client creates the code challenge 175 The client then creates a code challenge, "code_challenge", derived 176 from the "code_verifier" by using one of the following 177 transformations on the "code_verifier": 179 plain "code_challenge" = "code_verifier" 181 S256 "code_challenge" = BASE64URL(SHA256("code_verifier")) 183 It is RECOMMENDED to use the S256 transformation when possible. 185 ABNF for "code_challenge" is as follows. 187 code_challenge = 42*128unreserved 188 unreserved = [A-Z] / [a-z] / [0-9] / "-" / "_" 190 4.3. Client sends the code challenge with the authorization request 192 The client sends the code challenge as part of the OAuth 2.0 193 [RFC6749] Authorization Request (Section 4.1.1.) using the following 194 additional parameters: 196 code_challenge REQUIRED. Code challenge. 198 code_challenge_method OPTIONAL, defaults to "plain". Code verifier 199 transformation method, "S256" or "plain". 201 4.4. Server returns the code 203 When the server issues the "code" in the Authorization Response, it 204 MUST associate the "code_challenge" and "code_challenge_method" 205 values with the "code" so it can be verified later. 207 Typically, the "code_challenge" and "code_challenge_method" values 208 are stored in encrypted form in the "code" itself, but could 209 alternatively be stored on the server, associated with the code. The 210 server MUST NOT include the "code_challenge" value in client requests 211 in a form that other entities can extract. 213 The exact method that the server uses to associate the 214 "code_challenge" with the issued "code" is out of scope for this 215 specification. 217 4.5. Client sends the code and the secret to the token endpoint 219 Upon receipt of the "code", the client sends the Access Token Request 220 to the token endpoint. In addition to the parameters defined in 221 OAuth 2.0 [RFC6749] Access Token Request (Section 4.1.3.), it sends 222 the following parameter: 224 code_verifier REQUIRED. Code verifier 226 4.6. Server verifies code_verifier before returning the tokens 228 Upon receipt of the request at the Access Token endpoint, the server 229 verifies it by calculating the code challenge from received 230 "code_verifier" and comparing it with the previously associated 231 "code_challenge", after first transforming it according to the 232 "code_challenge_method" method specified by the client. 234 If the "code_challenge_method" from 3.2 was "S256", the received 235 "code_verifier" is first hashed with SHA-256 then compared to the 236 base64url decoded "code_challenge". i.e., 238 SHA256("code_verifier" ) == BASE64URL-DECODE("code_challenge"). 240 If the "code_challenge_method" from 3.2 was "none", they are compared 241 directly. i.e., 243 "code_challenge" == "code_verifier". 245 If the values are equal, the Access Token endpoint MUST continue 246 processing as normal (as defined by OAuth 2.0 [RFC6749]). If the 247 values are not equal, an error response indicating "invalid_grant" as 248 described in section 5.2 of OAuth 2.0 [RFC6749] MUST be returned. 250 5. Compatibility 252 Server implementations of this specification MAY accept OAuth2.0 253 Clients that do not implement this extension. If the "code_verifier" 254 is not received from the client in the Authorization Request, servers 255 supporting backwards compatibility SHOULD revert to a normal OAuth 256 2.0 [RFC6749] protocol. 258 As the OAuth 2.0 [RFC6749] server responses are unchanged by this 259 specification, client implementations of this specification do not 260 need to know if the server has implemented this specification or not, 261 and SHOULD send the additional parameters as defined in Section 3. to 262 all servers. 264 6. IANA Considerations 266 This specification makes a registration request as follows: 268 6.1. OAuth Parameters Registry 270 This specification registers the following parameters in the IANA 271 OAuth Parameters registry defined in OAuth 2.0 [RFC6749]. 273 o Parameter name: code_verifier 275 o Parameter usage location: Access Token Request 277 o Change controller: IESG 279 o Specification document(s): this document 281 o Parameter name: code_challenge 283 o Parameter usage location: Authorization Request 285 o Change controller: IESG 287 o Specification document(s): this document 289 o Parameter name: code_challenge_method 291 o Parameter usage location: Authorization Request 293 o Change controller: IESG 295 o Specification document(s): this document 297 7. Security Considerations 299 7.1. Entropy of the code verifier 301 The security model relies on the fact that the code verifier is not 302 learned or guessed by the attacker. It is vitally important to 303 adhere to this principle. As such, the code verifier has to be 304 created in such a manner that it is cryptographically random and has 305 high entropy that it is not practical for the attacker to guess. It 306 is RECOMMENDED that the output of a suitable random number generator 307 be used to create a 32-octet sequence. 309 7.2. Protection against eavesdroppers 310 Unless there is a compelling reason, implementations SHOULD use 311 "S256" method to protect against eavesdroppers intercepting the 312 "code_challenge". If the no transformation algorithm, which is the 313 default algorithm, is used, the client SHOULD make sure that the 314 authorization request is adequately protected from an eavesdropper. 315 If "code_challenge" is to be returned inside authorization "code", it 316 has to be encrypted in such a manner that only the server can decrypt 317 and extract it. 319 7.3. Checking the Server support 321 Before starting the authorization process, the client SHOULD check if 322 the server supports this specification. Confirmation of the server 323 support may be obtained out-of-band or through some other mechanisms 324 such as the discovery document in OpenID Connect Discovery 325 [OpenID.Discovery]. The exact mechanism on how the client obtains 326 this information, or the action it takes as a result is out of scope 327 of this specification. 329 7.4. OAuth security considerations 331 All the OAuth security analysis presented in [RFC6819] applies so 332 readers SHOULD carefully follow it. 334 8. Acknowledgements 336 The initial draft of this specification was created by the OpenID AB/ 337 Connect Working Group of the OpenID Foundation, most notably by the 338 following people: 340 o Naveen Agarwal, Google 342 o Dirk Balfanz, Google 344 o Sergey Beryozkin 346 o John Bradley, Ping Identity 348 o Brian Campbell, Ping Identity 350 o William Denniss, Google 352 o Eduardo Gueiros, Jive Communications 354 o Phil Hunt, Oracle 356 o Ryo Ito, mixi 358 o Michael B. Jones, Microsoft 360 o Torsten Lodderstedt, Deutsche Telekom 362 o Breno de Medeiros, Google 363 o Prateek Mishra, Oracle 365 o Anthony Nadalin, Microsoft 367 o Axel Nenker, Deutsche Telekom 369 o Nat Sakimura, Nomura Research Institute 371 9. Revision History 373 -01 375 o Specified exactly two supported transformations 377 o Moved discovery steps to security considerations. 379 o Incorporated readability comments by Eduardo Gueiros. 381 o Changed MUST in 3.1 to SHOULD. 383 -00 385 o Initial IETF version. 387 10. References 389 10.1. Normative References 391 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 392 Requirement Levels", BCP 14, RFC 2119, March 1997. 394 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 395 10646", STD 63, RFC 3629, November 2003. 397 [RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms 398 (SHA and HMAC-SHA)", RFC 4634, July 2006. 400 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 401 Encodings", RFC 4648, October 2006. 403 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 404 Specifications: ABNF", STD 68, RFC 5234, January 2008. 406 [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 407 6749, October 2012. 409 [US-ASCII] 410 American National Standards Institute, "Coded Character 411 Set -- 7-bit American Standard Code for Information 412 Interchange", ANSI X3.4, 1986. 414 10.2. Informative References 416 [OpenID.Discovery] 417 Sakimura, N., Bradley, J., Jones, M.B. and E. Jay, "OpenID 418 Connect Discovery 1.0", February 2014. 420 [RFC6819] Lodderstedt, T., McGloin, M. and P. Hunt, "OAuth 2.0 421 Threat Model and Security Considerations", RFC 6819, 422 January 2013. 424 Appendix A. Notes on implementing base64url encoding without padding 426 This appendix describes how to implement base64url encoding and 427 decoding functions without padding based upon standard base64 428 encoding and decoding functions that do use padding. 430 To be concrete, example C# code implementing these functions is shown 431 below. Similar code could be used in other languages. 433 static string base64urlencode(byte [] arg) 434 { 435 string s = Convert.ToBase64String(arg); // Regular base64 encoder 436 s = s.Split('=')[0]; // Remove any trailing '='s 437 s = s.Replace('+', '-'); // 62nd char of encoding 438 s = s.Replace('/', '_'); // 63rd char of encoding 439 return s; 440 } 442 static byte [] base64urldecode(string arg) 443 { 444 string s = arg; 445 s = s.Replace('-', '+'); // 62nd char of encoding 446 s = s.Replace('_', '/'); // 63rd char of encoding 447 switch (s.Length % 4) // Pad with trailing '='s 448 { 449 case 0: break; // No pad chars in this case 450 case 2: s += "=="; break; // Two pad chars 451 case 3: s += "="; break; // One pad char 452 default: throw new System.Exception( 453 "Illegal base64url string!"); 454 } 455 return Convert.FromBase64String(s); // Standard base64 decoder 456 } 458 As per the example code above, the number of '=' padding characters 459 that needs to be added to the end of a base64url encoded string 460 without padding to turn it into one with padding is a deterministic 461 function of the length of the encoded string. Specifically, if the 462 length mod 4 is 0, no padding is added; if the length mod 4 is 2, two 463 '=' padding characters are added; if the length mod 4 is 3, one '=' 464 padding character is added; if the length mod 4 is 1, the input is 465 malformed. 467 An example correspondence between unencoded and encoded values 468 follows. The octet sequence below encodes into the string below, 469 which when decoded, reproduces the octet sequence. 471 3 236 255 224 193 473 A-z_4ME 475 Authors' Addresses 477 Nat Sakimura, editor 478 Nomura Research Institute 479 1-6-5 Marunouchi, Marunouchi Kitaguchi Bldg. 480 Chiyoda-ku, Tokyo 100-0005 481 Japan 483 Phone: +81-3-5533-2111 484 Email: n-sakimura@nri.co.jp 485 URI: http://nat.sakimura.org/ 487 John Bradley 488 Ping Identity 489 Casilla 177, Sucursal Talagante 490 Talagante, RM 491 Chile 493 Phone: +44 20 8133 3718 494 Email: ve7jtb@ve7jtb.com 495 URI: http://www.thread-safe.com/ 497 Naveen Agarwal 498 Google 499 1600 Amphitheatre Pkwy 500 Mountain View, CA 94043 501 USA 503 Phone: +1 650-253-0000 504 Email: naa@google.com 505 URI: http://google.com/