
How to Think about OAuth Security - Disclosure 2020

Aaron Parecki
September 02, 2020


Slides from my talk at Disclosure Conference

https://disclosureconference.com/


Transcript

  1. How to Think About OAuth Security. Aaron Parecki, @aaronpk. Disclosure Conference • September 2020
  2. oauth.net/2
  3. THE PASSWORD ANTI-PATTERN
  4. THE PASSWORD ANTI-PATTERN: facebook.com ~2010
  5. (image only)
  6. so... how can I let an app access my data without giving it my password?
  7. (image only)
  8. A HOTEL KEY CARD, FOR APPS: Authorization Server, Access Token, Resource (API)
  9. OAuth 2.0, RFC6749 OAuth Core. Grant types: Authorization Code, Implicit, Password, Client Credentials
  10. The authorization code flow (lanes: User Agent, App, OAuth Server, API):
     • User: I’d like to use this great app
     • App: Please go to the authorization server to grant me access
     • User: I’d like to log in to “Yelp”, it wants to access my contacts
     • AS: Here is a temporary code the app can use
     • User: Here is the temporary code, please use this to get a token
     • App: Here is the temporary code, and my secret, please give me a token
     • AS: Here is an access token!
     • App: Please let me access this user’s data with this access token!
  11. (image only)
  12. Spec map: RFC6749 OAuth Core (grant types: Authorization Code, Implicit, Password, Client Credentials); RFC6750 Bearer Tokens (token usage: tokens in HTTP header, tokens in POST form body, tokens in GET query string)
  13. Token in the HTTP header:
      POST /resource/1/update HTTP/1.1
      Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
      Host: api.authorization-server.com

      description=Hello+World
  14. Token in the query string:
      GET /resource/1?access_token=RsT5OjbzRn430zq
      Host: api.authorization-server.com
  15. (image only)
  16. 2013
  17. (image only)
  18. DON'T PUT SECRETS IN NATIVE APPS! https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps
  19. PKCE: PROOF-KEY FOR CODE EXCHANGE, RFC 7636 (pronounced "pixie")
  20. (spec map from slide 12, adding RFC7636 +PKCE)
  21. (spec map from slide 20, adding RFC8252 PKCE for mobile)
  22. (image only)
  23. Browser-based app: https://example.com; https://app.example.com (GET / returns the HTML, CSS, etc); https://auth.example (POST /token returns the access token, reached via CORS)
  24. (the authorization code flow diagram from slide 10, repeated)
  25. Front Channel: passing data via the browser's address bar (https://accounts.google.com/?...). The user, or malicious software, can modify the requests and responses. Back Channel: sent from client to server. HTTPS request from client to server, so requests cannot be tampered with.
  26. Passing Data via the Back Channel (OAuth Client to OAuth Server)
  27. Passing Data via the Front Channel (OAuth Server to OAuth Client, through the browser): Did they catch it? Did someone else steal it? Is this really from the real OAuth server?
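The flow of slides 10, 19 and 25-27, as an added example that is not code from the talk: a toy public client and a toy authorization server run in one Python process, with the front channel modelled as the redirect URLs the two sides exchange and the back channel as a direct method call standing in for the HTTPS POST to the token endpoint. The client_id `yelp-app`, the redirect URI `https://app.example.com/callback` and the endpoint `https://auth.example/authorize` are made-up values. It answers the three front-channel questions above mechanically: a code that someone else caught cannot be redeemed without the `code_verifier` that never left the client, a redirect carrying a code from someone else's flow fails the `state` check, and a replayed code is rejected because the server consumes each code once.

```python
"""Authorization code flow with PKCE (RFC 7636) and a state check, simulated in-process:
the front channel is the redirect URLs exchanged, the back channel a direct method call."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration (hypothetical values): one public client with no client secret
# and one redirect URI, which the AS compares with exact string matching.
CLIENT_ID = "yelp-app"
REDIRECT_URI = "https://app.example.com/callback"
AUTHZ_ENDPOINT = "https://auth.example/authorize"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # no '=' padding

def make_code_verifier() -> str:
    """32 random bytes encode to 43 characters, the RFC 7636 minimum verifier length."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    def __init__(self):
        self.pending = {}  # issued code -> the code_challenge it is bound to

    def authorize(self, request_url: str) -> str:
        """Front channel: take the authorization request, return the redirect back."""
        q = query_params(request_url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("only the authorization code flow with S256 PKCE is offered")
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unknown client or redirect_uri (exact string match)")
        code = secrets.token_urlsafe(32)  # the user authenticates and consents here
        self.pending[code] = q["code_challenge"]
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form: dict) -> dict:
        """Back channel: redeem a code once, and only with the matching code_verifier."""
        challenge = self.pending.pop(form.get("code"), None)  # one-time use
        verifier = form.get("code_verifier", "")
        if challenge is None or not 43 <= len(verifier) <= 128:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(s256_challenge(verifier).encode(), challenge.encode()):
            return {"error": "invalid_grant"}  # caller holds the code but not the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

class PublicClient:
    def start(self) -> str:
        """Build the authorization request; verifier and state stay on the client."""
        self.verifier = make_code_verifier()
        self.state = secrets.token_urlsafe(16)
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "contacts", "state": self.state,
            "code_challenge": s256_challenge(self.verifier), "code_challenge_method": "S256"})

    def finish(self, redirect_url: str, server: AuthorizationServer) -> dict:
        """Handle the redirect: check state, then exchange the code on the back channel."""
        q = query_params(redirect_url)
        if not hmac.compare_digest(q.get("state", "").encode(), self.state.encode()):
            return {"error": "state_mismatch"}  # this redirect did not answer our request
        return server.token({"grant_type": "authorization_code", "code": q.get("code"),
                             "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                             "code_verifier": self.verifier})

def happy_path() -> dict:
    server, client = AuthorizationServer(), PublicClient()
    return client.finish(server.authorize(client.start()), server)

def stolen_code() -> dict:
    """'Did someone else steal it?': the attacker saw the redirect but has no verifier."""
    server, victim = AuthorizationServer(), PublicClient()
    redirect = server.authorize(victim.start())
    return server.token({"grant_type": "authorization_code",
                         "code": query_params(redirect)["code"], "client_id": CLIENT_ID,
                         "redirect_uri": REDIRECT_URI, "code_verifier": make_code_verifier()})

def injected_code() -> dict:
    """'Is this really from the real OAuth server?': a redirect from the attacker's own flow."""
    server, victim, attacker = AuthorizationServer(), PublicClient(), PublicClient()
    victim.start()
    return victim.finish(server.authorize(attacker.start()), server)

def replayed_code() -> dict:
    """The same redirect handled twice: the second redemption must fail."""
    server, client = AuthorizationServer(), PublicClient()
    redirect = server.authorize(client.start())
    client.finish(redirect, server)
    return client.finish(redirect, server)

if __name__ == "__main__":
    print(happy_path(), stolen_code(), injected_code(), replayed_code(), sep="\n")
```

Only `happy_path` returns an access token; the other three scenarios return an error. The server never sees the verifier until the back-channel call, which is why interception on the front channel buys the attacker nothing, and the client-side `state` check is what rejects a redirect the client never asked for.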
  28. caniuse.com/cors
  29. oauth.net/implicit Implicit Flow Detector
  30. (spec map, repeat of slide 21)
  31. (spec map from slide 21, adding Browser App BCP: PKCE for SPAs)
  32. OAuth 2.0 for Browser-Based Apps
  33. OAuth 2.0 for Browser-Based Apps
  34. (spec map from slide 31, adding Security BCP: PKCE for confidential clients)
  35. OAuth 2.0 Security BCP (oauth.net/2/oauth-best-practice)
     • All OAuth clients MUST use PKCE with the authorization code flow
     • Password grant MUST NOT be used
     • Use exact string matching for redirect URIs
     • No access tokens in query strings
     • Refresh tokens for single page apps must be sender-constrained or one-time use
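The "exact string matching for redirect URIs" item above, as an added example that is not code from the talk or from any OAuth library: the clients `yelp-app` (registered with a full callback URI) and `legacy-app` (registered with only its origin), and every probe URI, are constructed for illustration. It puts the exact-match check next to two shortcuts authorization servers have shipped, prefix matching and same-hostname matching, and lists which attacker-supplied `redirect_uri` values each one lets through.

```python
"""Redirect URI validation at the authorization server: exact string matching versus
two shortcuts (prefix matching, same-hostname matching) that have shipped in the wild."""
from urllib.parse import urlsplit

# Constructed registrations (hypothetical clients): 'yelp-app' registered a full callback
# URI; 'legacy-app' registered only its origin, as older servers used to allow.
REGISTERED = {
    "yelp-app": {"https://app.example.com/callback"},
    "legacy-app": {"https://app.example.com"},
}


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """What the Security BCP and OAuth 2.1 require: the value equals a registered one."""
    return redirect_uri in REGISTERED.get(client_id, set())


def prefix_match(client_id: str, redirect_uri: str) -> bool:
    """Weak: accepts any value that merely begins with a registered URI."""
    return any(redirect_uri.startswith(r) for r in REGISTERED.get(client_id, set()))


def same_host_match(client_id: str, redirect_uri: str) -> bool:
    """Weak: accepts any URI whose hostname is registered, whatever the scheme or path."""
    hosts = {urlsplit(r).hostname for r in REGISTERED.get(client_id, set())}
    return urlsplit(redirect_uri).hostname in hosts


MATCHERS = {"exact": exact_match, "prefix": prefix_match, "same_host": same_host_match}

# Constructed probes: the legitimate callback plus redirect_uri values an attacker could
# put in an authorization request to have the code delivered somewhere they control.
PROBES = {
    "https://app.example.com/callback":
        "legitimate",
    "https://app.example.com/callback/../admin":
        "dot segments after the registered prefix, resolved elsewhere by a normalising server",
    "https://app.example.com/callback?next=https://attacker.example/":
        "extra query parameter, useful if the callback page itself redirects",
    "https://app.example.com/logout?to=https://attacker.example/":
        "another path on the same host, e.g. an open redirector",
    "http://app.example.com/callback":
        "scheme downgrade: the code would travel in plaintext",
    "https://app.example.com.attacker.example/callback":
        "attacker-controlled host whose name starts with the registered origin",
}


def evaluate(client_id: str) -> dict:
    """For every probe, which matchers would accept it for this client."""
    return {uri: {name: fn(client_id, uri) for name, fn in MATCHERS.items()} for uri in PROBES}


def accepted_attacks(matcher: str, client_id: str) -> list:
    """The non-legitimate probes a given matcher lets through for this client."""
    return [uri for uri, why in PROBES.items()
            if why != "legitimate" and MATCHERS[matcher](client_id, uri)]


if __name__ == "__main__":
    for client in REGISTERED:
        for uri, verdicts in evaluate(client).items():
            print(f"{client} {uri}: {verdicts}")
```

Exact matching accepts nothing but the registered string, which also means the client cannot vary the redirect URI per request: anything that has to survive the round trip (the page to return to, a session key) belongs in `state`, and each callback URI a client really uses is registered individually. The one exception the Native Apps BCP (RFC 8252) makes is the loopback redirect, where the port may differ from the registered one because the operating system assigns it.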
  36. Use PKCE! https://youtu.be/1ot45WwQWJE
  37. (Security BCP list, repeat of slide 35)
  38. Password (oauth.net/2/oauth-best-practice)
  39. Password: added to OAuth to enable migrating applications from HTTP Basic Auth or using a stored password to OAuth
  40. Password
     • Exposes the username and password to the application
     • Even for first-party / trusted clients, this increases the attack surface
     • Trains users that it's okay to enter their password in more than one place
     • Difficult or impossible to extend to support multifactor or passwordless authentication (WebCrypto, WebAuthn)
  41. (Security BCP list, repeat of slide 35)
  42. (image only)
  43. The OAuth landscape: RFC6749, RFC6750, client type, auth method, grant type, RFC6819, RFC7009, RFC7592, RFC7662, RFC7636, RFC7591, RFC7519, building your application, RFC8252, OIDC, RFC8414, state param, TLS, CSRF, UMA 2, FAPI, RFC7515, RFC7516, RFC7517, RFC7518, token binding, PoP, Security BCP, CIBA, HTTP signing, mutual TLS, SPA BCP, JARM, JAR, token exchange, DPoP
  44. (spec map, repeat of slide 34)
  45. OAuth 2.1: Authorization Code +PKCE, Client Credentials; tokens in HTTP header, tokens in POST form body
  46. OAuth 2.1 oauth.net/2.1
  47. OAuth 2.1: Consolidate the OAuth 2.0 specs, adding best practices, removing deprecated features. Capture current best practices in OAuth 2.0 under a single name. Add references to extensions that didn't exist when OAuth 2.0 was published.
  48. OAuth 2.1: No new behavior defined by OAuth 2.1. Non-goals: don't include anything experimental, in progress or not widely implemented.
  49. OAuth 2.1. Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt
     • OAuth 2.1 is a consolidation of: OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), Bearer Tokens (RFC6750)
     • Grant types defined: Authorization Code with PKCE, Client Credentials
     • Exact redirect URI matching
     • No Bearer tokens in query strings
     • Refresh tokens for SPAs must be sender-constrained or one-time use
     • Implicit and password grants are omitted
  50. OAuth 2.1 Client Types: Public, Confidential
  51. OAuth 2.1 Client Types: Public, Confidential, Credentialed
  52. Credentialed Client. This distinction already exists in OAuth 2.0! OAuth 2.0: "If the client type is confidential or the client was issued client credentials, the client MUST authenticate..." OAuth 2.1: "Confidential or credentialed clients MUST authenticate..."
  53. Credentialed Client
     • A client that has credentials, but whose identity is not confirmed
     • e.g. a client that obtains a client secret via dynamic client registration
  54. OAuth 2.1 Client Types
                            Public   Confidential   Credentialed
     Confirmed identity     no       yes            no
     Can authenticate       no       yes            yes
  55. https://accounts.google.com/oauth/authorize?response_ty
  56. 2017
  57. OAuth 2.1: oauth.net/2.1, tools.ietf.org/html/draft-ietf-oauth-v2-1. Recently adopted by the OAuth Working Group
  58. Thank You! @aaronpk aaronpk.com oauth2simplified.com