Additional Hash Algorithms for OAuth 2.0 PKCE and Proof-of-Possession

Additional Hash Algorithms for OAuth 2.0 PKCE and Proof-of-Possession Okta

panva.ip@gmail.com

Security Web Authorization Protocol oauth pkce dpop mtls This document defines SHA-512 as an additional hash algorithm for OAuth 2.0 Proof Key for Code Exchange (PKCE), mutual-TLS certificate-bound access tokens, and Demonstrating Proof of Possession (DPoP), for use in deployments operating under security policies that prohibit the use of SHA-256, which is otherwise mandated or the only option in these mechanisms. About This Document Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction Several OAuth 2.0 mechanisms exclusively mandate the use of SHA-256: Proof Key for Code Exchange (PKCE) , mutual-TLS certificate-bound access tokens , and Demonstrating Proof of Possession (DPoP) . Security policies, such as the US Commercial National Security Algorithm (CNSA 2.0) Suite , prohibit the use of SHA-256 and require SHA-384 or SHA-512. This prevents the deployment of these OAuth 2.0 mechanisms in such environments. This document addresses this gap by defining SHA-512 alternatives for each of these mechanisms, for use in deployments operating under such constrained policies. For PKCE, a new S512 code challenge method is defined. For mutual-TLS certificate-bound access tokens, a new x5t#S512 confirmation method is defined. For DPoP, this document defines SHA-512 alternatives for the JWK Thumbprint confirmation method (jkt#S512) and the access token hash claim (ath#S512), as well as an extensible framework for authorization code binding and access token hash algorithm negotiation. [[TODO: The hash algorithm chosen by this document is currently SHA-512. The working group should determine whether to define SHA-384 or SHA-512.]]

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. All references to "CNSA 2.0" in this document refer to CNSA 2.0 , unless stated otherwise.

Purpose and Scope The sole purpose of this document is to enable deployments operating under security policies that prohibit SHA-256 to use PKCE, mutual-TLS certificate-bound access tokens, and DPoP. In such constrained deployments, the SHA-512 alternatives defined herein are used in place of their SHA-256 counterparts, since those deployments cannot use SHA-256 at all. This document does not deprecate the SHA-256 based methods defined in existing specifications. The SHA-256 based methods remain the widely deployed, interoperable and recommended defaults for all mechanisms addressed by this document. Deployments that are not subject to such security policies SHOULD NOT offer or use the SHA-512 based methods defined herein. The negotiation mechanisms defined herein may however facilitate a broader transition away from SHA-256 in the future, should that become necessary.

PKCE Proof Key for Code Exchange (PKCE) defines plain and S256 as code challenge methods, with S256 being the only method that applies a cryptographic hash to the code verifier. The specification establishes the "PKCE Code Challenge Methods" registry, which this document uses to register the S512 code challenge method.

S512 Code Challenge Method This document defines a new code challenge method for use with PKCE . The client creates a code challenge derived from the code verifier by using the following transformation on the code verifier:

S512:: code_challenge = BASE64URL(SHA-512(ASCII(code_verifier)))

The server-side verification of the code verifier follows , using SHA-512 as the hash algorithm.

Authorization Server Metadata An Authorization Server that supports the S512 code challenge method MUST advertise its support in its Authorization Server metadata (e.g., or ) by including S512 in the code_challenge_methods_supported metadata parameter value as defined in .

Mutual-TLS OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens exclusively uses SHA-256 for certificate-bound access tokens via the x5t#S256 confirmation method. No alternative hash algorithms or extension points for hash algorithm negotiation are defined. This document defines the x5t#S512 confirmation method and a Resource Server metadata parameter for negotiating the confirmation method.

x5t#S512 Confirmation Method RFC 8705 defines the x5t#S256 confirmation method member for binding access tokens to a client certificate using a SHA-256 hash of the DER-encoded X.509 certificate. This document defines an analogous confirmation method member x5t#S512 that uses SHA-512 as the hash algorithm:

x5t#S512:: The value is a base64url-encoded SHA-512 hash of the DER encoding of the X.509 certificate.

When using x5t#S512, the Authorization Server computes the SHA-512 hash of the client certificate presented during mutual-TLS and includes the result as the x5t#S512 member of the cnf claim in the access token (for JWT access tokens) or associates it with the token for later retrieval via token introspection . The Resource Server MUST compute the SHA-512 hash of the client certificate presented during mutual-TLS and compare it with the x5t#S512 value in the cnf claim. If the values do not match, the Resource Server MUST reject the request. The choice of x5t#S512 over x5t#S256 is a deployment decision. It can be configured out of band or by the Authorization Server using the Resource Server's metadata (). [[TODO: does not preclude the presence of both x5t#S256 and x5t#S512 in the same cnf claim. Including both would not represent confirmations for two different keys but rather two different hash confirmations of the same certificate. This may actually be useful during a transition period in possible future non-constrained deployment scenarios. The working group should determine whether to prohibit or allow this.]]

Resource Server Metadata This document defines the mtls_confirmation_methods_supported Resource Server metadata parameter . Its value is a JSON array containing the mutual-TLS confirmation method names that the Resource Server supports. Defined values are x5t#S256 and x5t#S512. If omitted, the default is ["x5t#S256"].

DPoP OAuth 2.0 Demonstrating Proof of Possession (DPoP) exclusively uses SHA-256 for all of its hash operations: the jkt confirmation method, the ath access token hash claim, and the dpop_jkt authorization code binding parameter. No alternative hash algorithms or extension points for hash algorithm negotiation are defined. anticipated the need for hash algorithm agility and foresaw that a future specification would define a new confirmation method, JWT claim, and authorization request parameter for use as alternatives to their SHA-256 counterparts. This document defines those DPoP mechanisms: the dpop_jkt_method authorization request parameter, the jkt#S512 confirmation method, and the ath#S512 JWT claim. In constrained deployments where SHA-256 is prohibited, these are used in place of their SHA-256 counterparts rather than alongside them.

Authorization Code Binding Methods

dpop_jkt_method Authorization Request Parameter RFC 9449 defines the dpop_jkt authorization request parameter as the JWK Thumbprint of the DPoP public key using SHA-256. This document changes the definition of dpop_jkt to allow alternative hash algorithms indicated by the dpop_jkt_method parameter. This document defines the dpop_jkt_method authorization request parameter, sent alongside dpop_jkt, to indicate the hash algorithm used to compute the JWK Thumbprint. The following method values are defined:

S256:: JWK Thumbprint using SHA-256, as originally defined in .
S512:: JWK Thumbprint using SHA-512.

For backwards compatibility, when dpop_jkt_method is absent from the authorization request, the Authorization Server MUST assume the value S256. The value of dpop_jkt MUST be computed using the hash algorithm indicated by dpop_jkt_method.

Authorization Server Metadata This document defines the dpop_jkt_methods_supported Authorization Server metadata parameter. Its value is a JSON array containing the dpop_jkt_method values that the Authorization Server supports. An Authorization Server that supports dpop_jkt_method values beyond S256 MUST advertise its support by including the supported values in the dpop_jkt_methods_supported metadata parameter.

SHA-512 Hash Algorithms

jkt#S512 Confirmation Method RFC 9449 defines the jkt confirmation method member for binding access tokens to a DPoP public key using a SHA-256 JWK Thumbprint . This document defines an analogous confirmation method member jkt#S512 that uses SHA-512 as the hash algorithm:

jkt#S512:: The value is the base64url encoding of the JWK Thumbprint computed using SHA-512 of the DPoP public key (in JWK format) to which the access token is bound.

When using jkt#S512, the Authorization Server computes the SHA-512 JWK Thumbprint of the DPoP public key and includes the result as the jkt#S512 member of the cnf claim in the access token (for JWT access tokens) or associates it with the token for later retrieval via token introspection . The Resource Server MUST compute the SHA-512 JWK Thumbprint of the DPoP public key and compare it with the jkt#S512 value in the cnf claim. If the values do not match, the Resource Server MUST reject the request. The choice of jkt#S512 over jkt is a deployment decision. It can be configured out of band or by the Authorization Server using the Resource Server's metadata (). [[TODO: does not preclude the presence of both jkt and jkt#S512 in the same cnf claim. Including both would not represent confirmations for two different keys but rather two different hash confirmations of the same key. This may actually be useful during a transition period in possible future non-constrained deployment scenarios. The working group should determine whether to prohibit or allow this.]]

ath#S512 Access Token Hash RFC 9449 defines the ath claim in the DPoP proof JWT as the base64url-encoded SHA-256 hash of the ASCII encoding of the access token value. This document defines an analogous claim ath#S512 that uses SHA-512 as the hash algorithm:

ath#S512:: The value is the base64url encoding of the SHA-512 hash of the ASCII encoding of the associated access token's value.

[[TODO: Including both ath and ath#S512 in the same DPoP proof JWT would not represent hashes of two different access tokens but rather two different hash confirmations of the same access token. This may actually be useful during a transition period in possible future non-constrained deployment scenarios. The working group should determine whether to prohibit or allow this.]] The Resource Server MUST compute the SHA-512 hash of the ASCII encoding of the access token value and compare it with the ath#S512 value in the DPoP proof JWT. If the values do not match, the Resource Server MUST reject the request. A Resource Server MAY signal the acceptable access token hash methods by including the ath_methods parameter in the WWW-Authenticate: DPoP challenge. The value of ath_methods is a space-delimited list of access token hash claim names that the Resource Server supports, analogous to the algs parameter defined in . When ath_methods is absent, the Client MUST use ath. When ath_methods is present, the Client MUST use one of the listed methods. Additionally, Resource Server metadata for the supported access token hash methods is defined in . The following is a non-normative example of an HTTP response signalling the client to use ath#S512:

Resource Server Metadata This document defines the following Resource Server metadata parameters :

dpop_confirmation_methods_supported:: JSON array containing the DPoP confirmation method names that the Resource Server supports. Defined values are jkt and jkt#S512. If omitted, the default is ["jkt"].
dpop_access_token_hash_methods_supported:: JSON array containing the access token hash claim names that the Resource Server supports. Defined values are ath and ath#S512. If omitted, the default is ["ath"].

Security Considerations The S512 code challenge method provides the same structural security properties as S256. It is a one-way transformation of the code verifier that prevents an attacker who intercepts the authorization code from computing the code verifier needed to exchange it for tokens. The x5t#S512 confirmation method provides the same structural security properties as x5t#S256 defined in . The jkt#S512 confirmation method, dpop_jkt combined with dpop_jkt_method parameter, and ath#S512 claim provide the same structural security properties as their SHA-256 counterparts defined in DPoP . SHA-512 provides a 256-bit collision resistance and 512-bit preimage resistance, exceeding the 128-bit and 256-bit levels provided by SHA-256. The use of SHA-512 is suitable for deployments with elevated security requirements. Deployments that do not have restrictions on use of SHA-256 do not need to migrate away from the established SHA-256 based mechanisms.

IANA Considerations

PKCE Code Challenge Method Registration This document requests registration of the following value in the "PKCE Code Challenge Methods" registry established by :

Code Challenge Method Parameter Name:: S512
Change Controller:: IETF
Specification Document(s):: of this document

DPoP Authorization Code Binding Methods Registry This document establishes the "DPoP Authorization Code Binding Methods" registry for dpop_jkt_method values. New entries are registered using the Specification Required policy . The initial contents of the registry are:

Method Name:: S256
Change Controller:: IETF
Specification Document(s):
Method Name:: S512
Change Controller:: IETF
Specification Document(s):: of this document

OAuth Parameters Registrations This document requests registration of the following value in the "OAuth Parameters" registry established by :

Parameter Name:: dpop_jkt_method
Parameter Usage Location:: authorization request
Change Controller:: IETF
Specification Document(s):: of this document

OAuth Authorization Server Metadata Registration This document requests registration of the following value in the "OAuth Authorization Server Metadata" registry established by :

Metadata Name:: dpop_jkt_methods_supported
Metadata Description:: JSON array containing a list of the dpop_jkt_method values supported by the Authorization Server
Change Controller:: IETF
Specification Document(s):: of this document

JWT Claims Registration This document requests registration of the following value in the "JSON Web Token Claims" registry established by :

Claim Name:: ath#S512
Claim Description:: The base64url-encoded SHA-512 hash of the ASCII encoding of the associated access token's value
Change Controller:: IETF
Specification Document(s):: of this document

OAuth Protected Resource Metadata Registrations This document requests registration of the following values in the "OAuth Protected Resource Metadata" registry established by :

Metadata Name:: dpop_confirmation_methods_supported
Metadata Description:: JSON array containing a list of the DPoP confirmation method names supported by the Resource Server
Change Controller:: IETF
Specification Document(s):: of this document
Metadata Name:: dpop_access_token_hash_methods_supported
Metadata Description:: JSON array containing a list of the access token hash claim names supported by the Resource Server
Change Controller:: IETF
Specification Document(s):: of this document
Metadata Name:: mtls_confirmation_methods_supported
Metadata Description:: JSON array containing a list of the mutual-TLS confirmation method names supported by the Resource Server
Change Controller:: IETF
Specification Document(s):: of this document

JWT Confirmation Methods Registrations This document requests registration of the following values in the "JWT Confirmation Methods" registry established by :

Confirmation Method Value:: x5t#S512
Confirmation Method Description:: X.509 Certificate SHA-512 Thumbprint
Change Controller:: IETF
Specification Document(s):: of this document
Confirmation Method Value:: jkt#S512
Confirmation Method Description:: JWK SHA-512 Thumbprint
Change Controller:: IETF
Specification Document(s):: of this document

References Normative References Proof Key for Code Exchange by OAuth Public Clients OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy"). JSON Web Key (JWK) Thumbprint This specification defines a method for computing a hash value over a JSON Web Key (JWK). It defines which fields in a JWK are used in the hash computation, the method of creating a canonical form for those fields, and how to convert the resulting Unicode string into a byte sequence to be hashed. The resulting hash value can be used for identifying or selecting the key represented by the JWK that is the subject of the thumbprint. OAuth 2.0 Authorization Server Metadata This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities. OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token. OAuth 2.0 Demonstrating Proof of Possession (DPoP) This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens. OAuth 2.0 Protected Resource Metadata This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource. OpenID Connect Discovery 1.0 incorporating errata set 2 Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Guidelines for Writing an IANA Considerations Section in RFCs Many protocols make use of identifiers consisting of constants and other well-known values. Even after a protocol has been defined and deployment has begun, new values may need to be assigned (e.g., for a new option type in DHCP, or a new encryption or authentication transform for IPsec). To ensure that such quantities have consistent values and interpretations across all implementations, their assignment must be administered by a central authority. For IETF protocols, that role is provided by the Internet Assigned Numbers Authority (IANA). In order for IANA to manage a given namespace prudently, it needs guidelines describing the conditions under which new values can be assigned or when modifications to existing values can be made. If IANA is expected to play a role in the management of a namespace, IANA must be given clear and concise instructions describing that role. This document discusses issues that should be considered in formulating a policy for assigning values to a namespace and provides guidelines for authors on the specific text that must be included in documents that place demands on IANA. This document obsoletes RFC 2434. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The OAuth 2.0 Authorization Framework The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] JSON Web Token (JWT) JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of- possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. Informative References OAuth 2.0 Token Introspection This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource. The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ National Security Agency

Acknowledgments TODO acknowledge.

Document History draft-skokan-oauth-additional-hashes-03

Added Document History
Changed ath_method to ath_methods (plural, space-delimited list), analogous to the algs parameter in
Removed premature "in place of ath" language for ath#S512, pending resolution of the dual-hash coexistence TODO

draft-skokan-oauth-additional-hashes-02

Removed client-side MUST NOT requirements for using unadvertised PKCE and DPoP authorization code binding methods

draft-skokan-oauth-additional-hashes-01

Changed hash algorithm from SHA-384 to SHA-512
Added Purpose and Scope section
Added Mutual-TLS section with x5t#S512 confirmation method and mtls_confirmation_methods_supported RS metadata
Added dpop_confirmation_methods_supported RS metadata for DPoP
Added WWW-Authenticate challenge parameter for access token hash method signalling
Added TODO notes for dual-hash coexistence questions
Expanded Security Considerations

draft-skokan-oauth-additional-hashes-00

Initial draft