rfc9700v2.txt   rfc9700.txt 
skipping to change at line 314 skipping to change at line 314
preventing the use of constant values for the PKCE challenge or preventing the use of constant values for the PKCE challenge or
OpenID Connect nonce. OpenID Connect nonce.
Note: Although PKCE was designed as a mechanism to protect native Note: Although PKCE was designed as a mechanism to protect native
apps, this advice applies to all kinds of OAuth clients, including apps, this advice applies to all kinds of OAuth clients, including
web applications. web applications.
When using PKCE, clients SHOULD use PKCE code challenge methods that When using PKCE, clients SHOULD use PKCE code challenge methods that
do not expose the PKCE verifier in the authorization request. do not expose the PKCE verifier in the authorization request.
Otherwise, attackers that can read the authorization request (cf. Otherwise, attackers that can read the authorization request (cf.
attacker (A4) in Section 3) can break the security provided by PKCE. Attacker (A4) in Section 3) can break the security provided by PKCE.
Currently, S256 is the only such method. Currently, S256 is the only such method.
Authorization servers MUST support PKCE [RFC7636]. Authorization servers MUST support PKCE [RFC7636].
If a client sends a valid PKCE code_challenge parameter in the If a client sends a valid PKCE code_challenge parameter in the
authorization request, the authorization server MUST enforce the authorization request, the authorization server MUST enforce the
correct usage of code_verifier at the token endpoint. correct usage of code_verifier at the token endpoint.
Authorization servers MUST mitigate PKCE downgrade attacks by Authorization servers MUST mitigate PKCE downgrade attacks by
ensuring that a token request containing a code_verifier parameter is ensuring that a token request containing a code_verifier parameter is
skipping to change at line 447 skipping to change at line 447
web origin. web origin.
2.5. Client Authentication 2.5. Client Authentication
Authorization servers SHOULD enforce client authentication if it is Authorization servers SHOULD enforce client authentication if it is
feasible, in the particular deployment, to establish a process for feasible, in the particular deployment, to establish a process for
issuance/registration of credentials for clients and ensuring the issuance/registration of credentials for clients and ensuring the
confidentiality of those credentials. confidentiality of those credentials.
It is RECOMMENDED to use asymmetric cryptography for client It is RECOMMENDED to use asymmetric cryptography for client
authentication, such as mTLS [RFC8705] or signed JWTs ("Private Key authentication, such as mutual TLS for OAuth 2.0 [RFC8705] or signed
JWT") in accordance with [RFC7521] and [RFC7523]. The latter is JWTs ("Private Key JWT") in accordance with [RFC7521] and [RFC7523].
defined in [OpenID.Core] as the client authentication method The latter is defined in [OpenID.Core] as the client authentication
private_key_jwt). When asymmetric cryptography for client method private_key_jwt). When asymmetric cryptography for client
authentication is used, authorization servers do not need to store authentication is used, authorization servers do not need to store
sensitive symmetric keys, making these methods more robust against sensitive symmetric keys, making these methods more robust against
leakage of keys. leakage of keys.
2.6. Other Recommendations 2.6. Other Recommendations
The use of OAuth Authorization Server Metadata [RFC8414] can help to The use of OAuth Authorization Server Metadata [RFC8414] can help to
improve the security of OAuth deployments: improve the security of OAuth deployments:
* It ensures that security features and other new OAuth features can * It ensures that security features and other new OAuth features can
skipping to change at line 606 skipping to change at line 606
authorization server. For example, a resource server may be authorization server. For example, a resource server may be
compromised by an attacker, an access token may be sent to an compromised by an attacker, an access token may be sent to an
attacker-controlled resource server due to a misconfiguration, attacker-controlled resource server due to a misconfiguration,
or social engineering may be used to get a resource owner to or social engineering may be used to get a resource owner to
use an attacker-controlled resource server. Also see use an attacker-controlled resource server. Also see
Section 4.9.2. Section 4.9.2.
(A3), (A4), and (A5) typically occur together with either (A1) or (A3), (A4), and (A5) typically occur together with either (A1) or
(A2). Attackers can collaborate to reach a common goal. (A2). Attackers can collaborate to reach a common goal.
Note that an attacker (A1) or (A2) can be a resource owner or act as Note that an Attacker (A1) or (A2) can be a resource owner or act as
one. For example, such an attacker can use their own browser to one. For example, such an attacker can use their own browser to
replay tokens or authorization codes obtained by any of the attacks replay tokens or authorization codes obtained by any of the attacks
described above at the client or resource server. described above at the client or resource server.
This document focuses on threats resulting from attackers (A1) to This document focuses on threats resulting from Attackers (A1) to
(A5). (A5).
4. Attacks and Mitigations 4. Attacks and Mitigations
This section gives a detailed description of attacks on OAuth This section gives a detailed description of attacks on OAuth
implementations, along with potential countermeasures. Attacks and implementations, along with potential countermeasures. Attacks and
mitigations already covered in [RFC6819] are not listed here, except mitigations already covered in [RFC6819] are not listed here, except
where new recommendations are made. where new recommendations are made.
This section further defines additional requirements (beyond those This section further defines additional requirements (beyond those
skipping to change at line 958 skipping to change at line 958
Countermeasures: Countermeasures:
* Clients MUST NOT pass access tokens in a URI query parameter in * Clients MUST NOT pass access tokens in a URI query parameter in
the way described in Section 2.3 of [RFC6750]. The authorization the way described in Section 2.3 of [RFC6750]. The authorization
code grant or alternative OAuth response modes like the form post code grant or alternative OAuth response modes like the form post
response mode [OAuth.Post] can be used to this end. response mode [OAuth.Post] can be used to this end.
4.4. Mix-Up Attacks 4.4. Mix-Up Attacks
Mix-up attacks are in scenarios where an OAuth client interacts with Mix-up attacks can occur in scenarios where an OAuth client interacts
two or more authorization servers and at least one authorization with two or more authorization servers and at least one authorization
server is under the control of the attacker. This can be the case, server is under the control of the attacker. This can be the case,
for example, if the attacker uses dynamic registration to register for example, if the attacker uses dynamic registration to register
the client at their own authorization server or if an authorization the client at their own authorization server or if an authorization
server becomes compromised. server becomes compromised.
The goal of the attack is to obtain an authorization code or an The goal of the attack is to obtain an authorization code or an
access token for an uncompromised authorization server. This is access token for an uncompromised authorization server. This is
achieved by tricking the client into sending those credentials to the achieved by tricking the client into sending those credentials to the
compromised authorization server (the attacker) instead of using them compromised authorization server (the attacker) instead of using them
at the respective endpoint of the uncompromised authorization/ at the respective endpoint of the uncompromised authorization/
skipping to change at line 1033 skipping to change at line 1033
code for an access token (for public clients) or perform an code for an access token (for public clients) or perform an
authorization code injection attack as described in Section 4.5. authorization code injection attack as described in Section 4.5.
Variants: Variants:
* Mix-Up with Interception: This variant works only if the attacker * Mix-Up with Interception: This variant works only if the attacker
can intercept and manipulate the first request/response pair from can intercept and manipulate the first request/response pair from
a user's browser to the client (in which the user selects a a user's browser to the client (in which the user selects a
certain authorization server and is then redirected by the client certain authorization server and is then redirected by the client
to that authorization server), as in Attacker (A2) (see to that authorization server), as in Attacker (A2) (see
Section 3). This capability can, for example, be the result of a Section 3). This capability can, for example, be the result of an
attacker-in-the-middle attack on the user's connection to the attacker-in-the-middle attack on the user's connection to the
client. In the attack, the user starts the flow with H-AS. The client. In the attack, the user starts the flow with H-AS. The
attacker intercepts this request and changes the user's selection attacker intercepts this request and changes the user's selection
to A-AS. The rest of the attack proceeds as in Step 2 and to A-AS. The rest of the attack proceeds as in Step 2 and
following above. following above.
* Implicit Grant: In the implicit grant, the attacker receives an * Implicit Grant: In the implicit grant, the attacker receives an
access token instead of the code in Step 4. The attacker's access token instead of the code in Step 4. The attacker's
authorization server receives the access token when the client authorization server receives the access token when the client
makes either a request to the A-AS userinfo endpoint or a request makes either a request to the A-AS userinfo endpoint or a request
to the attacker's resource server (since the client believes it to the attacker's resource server (since the client believes it
skipping to change at line 1147 skipping to change at line 1147
4.5. Authorization Code Injection 4.5. Authorization Code Injection
An attacker who has gained access to an authorization code contained An attacker who has gained access to an authorization code contained
in an authorization response (see Attacker (A3) in Section 3) can try in an authorization response (see Attacker (A3) in Section 3) can try
to redeem the authorization code for an access token or otherwise to redeem the authorization code for an access token or otherwise
make use of the authorization code. make use of the authorization code.
In the case that the authorization code was created for a public In the case that the authorization code was created for a public
client, the attacker can send the authorization code to the token client, the attacker can send the authorization code to the token
endpoint of the authorization server and thereby get an access token. endpoint of the authorization server and thereby get an access token.
This attack was described in Section 4.4.1.1. of [RFC6819]. This attack was described in Section 4.4.1.1 of [RFC6819].
For confidential clients, or in some special situations, the attacker For confidential clients, or in some special situations, the attacker
can execute an authorization code injection attack, as described in can execute an authorization code injection attack, as described in
the following. the following.
In an authorization code injection attack, the attacker attempts to In an authorization code injection attack, the attacker attempts to
inject a stolen authorization code into the attacker's own session inject a stolen authorization code into the attacker's own session
with the client. The aim is to associate the attacker's session at with the client. The aim is to associate the attacker's session at
the client with the victim's resources or identity, thereby giving the client with the victim's resources or identity, thereby giving
the attacker at least limited access to the victim's resources. the attacker at least limited access to the victim's resources.
skipping to change at line 1542 skipping to change at line 1542
servers (see Attackers (A1) and (A5) in Section 3). If the client servers (see Attackers (A1) and (A5) in Section 3). If the client
sends a valid access token to this counterfeit resource server, the sends a valid access token to this counterfeit resource server, the
attacker in turn may use that token to access other services on attacker in turn may use that token to access other services on
behalf of the resource owner. behalf of the resource owner.
This attack assumes the client is not bound to one specific resource This attack assumes the client is not bound to one specific resource
server (and its URL) at development time, but client instances are server (and its URL) at development time, but client instances are
provided with the resource server URL at runtime. This kind of late provided with the resource server URL at runtime. This kind of late
binding is typical in situations where the client uses a service binding is typical in situations where the client uses a service
implementing a standardized API (e.g., for email, calendaring, implementing a standardized API (e.g., for email, calendaring,
healthcare, or banking) and where the client is configured by a user eHealth, or open banking) and where the client is configured by a
or administrator. user or administrator.
4.9.2. Compromised Resource Server 4.9.2. Compromised Resource Server
An attacker may compromise a resource server to gain access to the An attacker may compromise a resource server to gain access to the
resources of the respective deployment. Such a compromise may range resources of the respective deployment. Such a compromise may range
from partial access to the system, e.g., its log files, to full from partial access to the system, e.g., its log files, to full
control over the respective server, in which case all controls can be control over the respective server, in which case all controls can be
circumvented and all resources can be accessed. The attacker would circumvented and all resources can be accessed. The attacker would
also be able to obtain other access tokens held on the compromised also be able to obtain other access tokens held on the compromised
system that would potentially be valid to access other resource system that would potentially be valid to access other resource
skipping to change at line 1628 skipping to change at line 1628
tied to specific material provided by the transport layer (e.g., tied to specific material provided by the transport layer (e.g.,
TLS). The resource server must also ensure that a replay of the TLS). The resource server must also ensure that a replay of the
proof of possession is not possible. proof of possession is not possible.
Two methods for sender-constrained access tokens using proof of Two methods for sender-constrained access tokens using proof of
possession have been defined by the OAuth working group and are in possession have been defined by the OAuth working group and are in
use in practice: use in practice:
* "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound * "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound
Access Tokens" [RFC8705]: The approach specified in this) document Access Tokens" [RFC8705]: The approach specified in this) document
allows the use of mutual TLS (mTLS) for both client authentication allows the use of mutual TLS for both client authentication and
and sender-constrained access tokens. For the purpose of sender- sender-constrained access tokens. For the purpose of sender-
constrained access tokens, the client is identified towards the constrained access tokens, the client is identified towards the
resource server by the fingerprint of its public key. During the resource server by the fingerprint of its public key. During the
processing of an access token request, the authorization server processing of an access token request, the authorization server
obtains the client's public key from the TLS stack and associates obtains the client's public key from the TLS stack and associates
its fingerprint with the respective access tokens. The resource its fingerprint with the respective access tokens. The resource
server in the same way obtains the public key from the TLS stack server in the same way obtains the public key from the TLS stack
and compares its fingerprint with the fingerprint associated with and compares its fingerprint with the fingerprint associated with
the access token. the access token.
* "OAuth 2.0 Demonstrating Proof of Possession (DPoP)" [RFC9449]: * "OAuth 2.0 Demonstrating Proof of Possession (DPoP)" [RFC9449]:
DPoP outlines an application-level mechanism for sender- DPoP outlines an application-level mechanism for sender-
skipping to change at line 1703 skipping to change at line 1703
benefit to hide the resource server URL from the authorization benefit to hide the resource server URL from the authorization
server. server.
Audience restriction may seem easier to use since it does not require Audience restriction may seem easier to use since it does not require
any cryptography on the client side. Still, since every access token any cryptography on the client side. Still, since every access token
is bound to a specific resource server, the client also needs to is bound to a specific resource server, the client also needs to
obtain a single resource server-specific access token when accessing obtain a single resource server-specific access token when accessing
several resource servers. (Resource indicators, as specified in several resource servers. (Resource indicators, as specified in
[RFC8707], can help to achieve this.) [TOKEN-BINDING] had the same [RFC8707], can help to achieve this.) [TOKEN-BINDING] had the same
property since different token-binding IDs must be associated with property since different token-binding IDs must be associated with
the access token. Using Mutual TLS for OAuth 2.0 [RFC8705], on the the access token. Using mutual TLS for OAuth 2.0 [RFC8705], on the
other hand, allows a client to use the access token at multiple other hand, allows a client to use the access token at multiple
resource servers. resource servers.
It should be noted that audience restrictions -- or, generally It should be noted that audience restrictions -- or, generally
speaking, an indication by the client to the authorization server speaking, an indication by the client to the authorization server
where it wants to use the access token -- have additional benefits where it wants to use the access token -- have additional benefits
beyond the scope of token leakage prevention. They allow the beyond the scope of token leakage prevention. They allow the
authorization server to create a different access token whose format authorization server to create a different access token whose format
and content are specifically minted for the respective server. This and content are specifically minted for the respective server. This
has huge functional and privacy advantages in deployments using has huge functional and privacy advantages in deployments using
 End of changes. 10 change blocks. 
16 lines changed or deleted 16 lines changed or added

This html diff was produced by rfcdiff 1.48.