[Openid-specs-fapi] The reasons behind requiring PKCE for confidential clients?
Nat Sakimura
nat at sakimura.org
Sat Aug 26 08:14:55 UTC 2017
Thanks, Torsten.
Right. So an attack scenario I guess is a privilege escalation using
code injection.
Environment
-------------
- RFC6749 code grant with a confidential client (e.g. web server client)
- The victim's front channel communication is somehow compromised (e.g.,
through WPAD attack, server log, etc.)
- The client is implementing RFC6749 properly with XSRF protection etc.
Attack Scenario
-----------------
1. The victim and the attacker are using the same web client.
2. The attacker gets the victim's `code` somehow, e.g., WPAD attack.
3. The attacker inserts the `code` into the session he started.
4. The client sends the `code` with its client secret to the token
endpoint.
5. The token endpoint verifies the client secret and that the code was
issued to the client.
6. The token endpoint sends the access token back to the client.
7. The client accesses the victim's protected resource successfully and
returns it to the attacker. SUCCESS.
Mitigation
-----------
Use PKCE with S256. By doing so, the above scenario changes to:
1. The victim and the attacker are using the same web client.
2. The attacker gets the victim's `code` somehow, e.g., WPAD attack.
3. The attacker inserts the `code` into the session he started.
4. The client sends the `code` with its client secret and the code
verifier to the token endpoint.
5. The token endpoint verifies the client secret and that the code was
issued to the client.
5a. The token endpoint verifies the code verifier matches the one tied
to the code. This fails.
6. The token endpoint sends the error back to the client.
7. The attack FAILED.
I will add the above explanation to the ticket #11. The ticket itself
was saying that we should document it, which we did not :-(
For Read&Write, we are mandating hybrid flow. However, for the Read
only, we are not.
Thus, for the Read Only (Part 1), we should still mandate the use of
PKCE.
That's why it is saying
* shall support [RFC7636] or the mechanisms defined in Financial API -
Part 2;
---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
On 2017-08-25 18:15, Torsten Lodderstedt wrote:
> Hi Nat,
>
> just guessing - the new OAuth security BCP recommends use of PKCE for
> detecting/preventing code injection attacks. That might be the reason
> for adding the requirement to the FAPI profile.
>
> I know the hybrid flow („code id_token“) is an alternative
> countermeasure in the OIDC space. So my question is: will FAPI allow
> use of pure authz code flow? Then recommending PKCE for code injection
> makes a lot of sense.
>
> best regards,
> Torsten.
>
>> Am 24.08.2017 um 19:43 schrieb Nat Sakimura via Openid-specs-fapi
>> <openid-specs-fapi at lists.openid.net>:
>>
>> Hi.
>>
>> Current text reads like it is requiring PKCE support even for the
>> confidential client.
>> Do you remember the reason for it? Or is it just an editorial error?
>>
>> John may have mentioned a potential attack that PKCE could help but I
>> do not quite remember the details....
>>
>> If it is an error, then we should fix it for the final.
>>
>> Best,
>> --
>> Nat Sakimura
>> Research Fellow, Nomura Research Institute
>> Chairman of the Board, OpenID Foundation
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
More information about the Openid-specs-fapi
mailing list