Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Ambigious text around whether code_challenge is required #170

Open
SECtim opened this issue Feb 28, 2024 · 2 comments
Open

Ambigious text around whether code_challenge is required #170

SECtim opened this issue Feb 28, 2024 · 2 comments

Comments

@SECtim
Copy link

SECtim commented Feb 28, 2024

The following text snippets seem like a code_challenge is always required in the authorization request (for authZ code flows).

Description of the authZ code flow figure:

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 1468 to 1470 in f79f588

user agent to the authorization endpoint. The client includes
its client identifier, code challenge (derived from a generated code verifier),
optional requested scope, optional local state, and a

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 1485 to 1487 in f79f588

(4) The client requests an access token from the authorization
server's token endpoint by including the authorization code
received in the previous step, and including its code verifier.

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 1493 to 1494 in f79f588

(5) The authorization server authenticates the client when possible, validates the
authorization code, validates the code verifier, and ensures that the redirect URI

Section 4.3.1:

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 1863 to 1865 in f79f588

* If there was no `code_challenge` in the authorization request associated
with the authorization code in the token request, the authorization server MUST
reject the token request.

Whereas various other places, most prominently Section 7.5.2, state that code_challenge is (only) required unless some conditions are met:

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 2743 to 2750 in f79f588

To prevent injection of authorization codes into the client, using `code_challenge` and
`code_verifier` is REQUIRED for clients, and authorization servers MUST enforce
their use, unless both of the following criteria are met:
* The client is a confidential client.
* In the specific deployment and the specific request, there is reasonable
assurance by the authorization server that the client implements the OpenID
Connect `nonce` mechanism properly.

@aaronpk
Copy link
Member

aaronpk commented May 11, 2024

This specific carve-out for the nonce protection is really an edge case, which could probably be made even more explicit. It is not meant to be the common case, which is why the narrative text describes the use of code_challenge. I could borrow some more language from the security BCP that talks about the specific conditions in which it's okay to use the nonce from here if that would make it more clear: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.5.3.2

@SECtim
Copy link
Author

SECtim commented May 21, 2024

In that case, my take would be to be very explicit in Section 7.5.2 about this being an edge case. And maybe add some sentence saying ASs are still recommended to require code_challenge and code_verifier even if these conditions are met.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aaronpk @SECtim