[Openid-specs-ab] PKCE/OAuth 2.1 & OIDC Certification (was Re: Spec Call Notes 2-Dec-21)

Joseph Heenan joseph at authlete.com
Fri Dec 3 11:21:58 UTC 2021


Thanks Mike! I’m sorry I missed the end of the conversation on this.

I’ve done a longer write up on the PKCE issue here: https://gitlab.com/openid/conformance-suite/-/issues/1003

Note that in a large number of OAuth 2.1 cases, PKCE is required even when using OIDC (see the above issue where I quote the text). Where PKCE is not required, it is still ‘RECOMMENDED’.

So as OAuth 2.1 becomes common, we are going to see authorization servers begin to require PKCE in all cases.

I believe it would be wrong for OIDC certification to require servers to have an option that allows PKCE to be disabled. It unnecessarily increases code complexity, and increases the potential that deployments will accidentally be configured to be less secure than intended. i.e. as far as possible, we shouldn’t require a server to have options that weaken its security posture that were only added to pass certification. (This is particularly bad when these kinds of options get added by implementors in a rush just to pass certification, as it’s in that kind of scenario that mistakes are made.)

(We already have a test that requires servers to accept valid PKCE, either by ignoring it as an unknown parameter or correctly processing it.)

Joseph


> On 3 Dec 2021, at 01:56, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> Spec Call Notes 2-Dec-21
>  
> Torsten Lodderstedt
> Tom Jones
> Adam Lemmon
> Kristina Yasuda
> Mike Jones
> Thomas Bellebaum
> Joseph Heenan
> Brian Campbell
> John Bradley
> Domingos Creado
> Filip Skokan
> Chandan Bokka - Deloitte
> Giuseppe De Marco
>  
> OpenID Connect for Verifiable Credential Issuance Specification
>               Individual draft by Torsten Lodderstedt and Kristina Yasuda
> https://bitbucket.org/openid/connect/src/master/individual/draft-lodderstedt-openid-connect-4-credential-issuance-1_0.md
>               Torsten gave an overview of the draft and its goals
>               Goal to specify profile of Connect used in SSI as interface between Issuer and Wallet
>                            Complementary to OpenID Connect for Verifiable Presentations specification
>               Based on implementation experience
>               OpenID Connect OPs can become credential issuers
>               Enables dynamic inline credential issuance in the context of a process where the credential is used
>               Can use OpenID Connect metadata
>               Introduces Credential Endpoint for issuance
>               Enables requesting issuance in different formats
>               Separates client authentication from message integrity protection
>               Thomas asked about the relationship to the Claims Aggregation draft
>                            Torsten said that Claims Aggregation is about the RP's relationships, where this is about the OP's
>               John asked about use in some additional scenarios
>               John moved that we adopt the draft as a working group document
>                            Tom asked a clarifying question about having OpenID Providers also be Credential Issuers
>                                          John said that Credential Issuers need authentication and Connect gives them that
>                                          Kristina said that Microsoft had reached the same conclusion
>                            No objections were raised to adoption
>                            The working group is asked to comment on the adoption proposal within a week
>  
> prompt=create Specification
>               https://openid.net/specs/openid-connect-prompt-create-1_0.html
>               The attendees unanimously approved advancing it to Implementer's Draft status
>               Please thoroughly review the specification and send comments by next Friday, December 10th
>  
> PKCE and Certification
>               Joseph asked what actions the Certification team should take with respect to adding certification tests for PKCE
>               Mike said that Connect doesn't mention PKCE, so we shouldn't require it for certification
>               Mike said that it would be OK to have a test to verify that implementations don't blow up when PKCE is used
>                            John also supported that plan
>               Time was short for this discussion, so we may want to continue it in a future call
>  
> Open Pull Requests
>               https://bitbucket.org/openid/connect/pull-requests/
>               We ran out of time to consider pull requests
>  
> Open Issues
>               https://bitbucket.org/openid/connect/issues?status=new&status=open
>               We ran out of time to consider open issues
>  
> Next Call
>               The next Working Group call is Monday, December 6th at 3pm Pacific Time
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
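As an added example that is not part of this thread, of the conformance suite, or of any OpenID specification text: a minimal PKCE implementation in Python covering both ends of the flow that the certification test discussed above exercises. It has the client's code_verifier and code_challenge generation (RFC 7636, S256 and plain), and an authorization server that binds the challenge at the authorization endpoint and checks the verifier at the token endpoint, with a require_pkce switch standing in for the OAuth 2.1 "required" behaviour versus the legacy OIDC-only mode. The function names, the OAuthError class, and the choice to reject a stray code_verifier for a code that was issued without a challenge are assumptions of this example, not anything the thread prescribes.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: a code_verifier is 43..128 unreserved characters.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def _b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- client side (RFC 7636 sections 4.1 and 4.2) ----------------------------
def make_code_verifier() -> str:
    """32 random bytes encode to 43 base64url characters, the RFC minimum."""
    return _b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


# ---- authorization server side (names are this example's assumptions) -------
class OAuthError(Exception):
    """Carries the OAuth error code the endpoint would return."""

    def __init__(self, code: str, description: str):
        super().__init__(f"{code}: {description}")
        self.code = code


def authorize(params: dict, require_pkce: bool = True) -> dict:
    """Authorization endpoint: validate the PKCE parameters and return what must
    be bound to the authorization code that is issued. require_pkce=True is the
    OAuth 2.1 behaviour; False is the OIDC-only mode in which a request without
    PKCE is still accepted."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # RFC 7636 default
    if challenge is None:
        if require_pkce:
            raise OAuthError("invalid_request", "code_challenge is required")
        return {"code_challenge": None, "code_challenge_method": None}
    if method not in ("S256", "plain"):
        raise OAuthError("invalid_request", "unsupported code_challenge_method")
    # A plain challenge is a verifier; an S256 challenge is 43 base64url chars.
    # Both fit the verifier character set and length rules.
    if not VERIFIER_RE.fullmatch(challenge):
        raise OAuthError("invalid_request", "malformed code_challenge")
    return {"code_challenge": challenge, "code_challenge_method": method}


def exchange_code(bound: dict, token_params: dict) -> None:
    """Token endpoint: verify code_verifier against the challenge bound to the
    code. Any mismatch is invalid_grant (RFC 7636 section 4.6)."""
    challenge = bound["code_challenge"]
    verifier = token_params.get("code_verifier")
    if challenge is None:
        # Defensive choice of this example (assumption): a verifier presented
        # for a code issued without a challenge is a downgrade signal, reject it.
        if verifier is not None:
            raise OAuthError("invalid_grant", "code_verifier without code_challenge")
        return
    if verifier is None or not VERIFIER_RE.fullmatch(verifier):
        raise OAuthError("invalid_grant", "missing or malformed code_verifier")
    expected = make_code_challenge(verifier, bound["code_challenge_method"])
    # Constant-time comparison so the check cannot leak through timing.
    if not hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii")):
        raise OAuthError("invalid_grant", "code_verifier does not match code_challenge")


def token_outcome(bound: dict, token_params: dict) -> str:
    """'ok' or the OAuth error code the token endpoint would return."""
    try:
        exchange_code(bound, token_params)
        return "ok"
    except OAuthError as err:
        return err.code


if __name__ == "__main__":
    verifier = make_code_verifier()
    bound = authorize({"code_challenge": make_code_challenge(verifier),
                       "code_challenge_method": "S256"})
    print("correct verifier:", token_outcome(bound, {"code_verifier": verifier}))
    print("wrong verifier:  ", token_outcome(bound, {"code_verifier": make_code_verifier()}))
    print("no verifier:     ", token_outcome(bound, {}))
```

The require_pkce flag is exactly the kind of knob the message above warns about: flipping it to False is a one-line change that silently widens what the authorization endpoint accepts, and a server that only exists in the True configuration has no such mistake to make. Note that "correctly processing" PKCE also means the token endpoint must fail closed whenever a challenge was bound to the code, whether the verifier is missing, malformed, or simply wrong.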