IIW 39 - OAuth 101

Transcript

1. Aaron Parecki • October 2024 oauth2simpli fi ed.com OAuth 101

   Internet Identity Workshop

2. Specs are not good tutorials!

3. RFC6749 RFC6750 CLIENT TYPE AUTH METHOD GRANT TYPE RFC6819 RFC7009

   RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 RFC8252 OIDC RFC8414 STATE PARAM TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN BINDING POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN EXCHANGE DPOP

4. https://yelp.com/

5. The Password Anti-Pattern

6. The Password Anti-Pattern facebook.com ~2010

7. The Password Anti-Pattern • How do you revoke this app’s

   access? • Do you trust the app to not store your password? • Do you trust the app to access only the things it says it needs? • Do you trust the app to not do things like change your password or delete your account?
8. None

9. how can I let an app access my data without

   giving it my password?

10. Authorization Server Access Token Resource (API)

11. https://unsplash.com/photos/GJY1eAw6tn8

12. None

13. Application OAuth Server

14. None

15. @oktadev WHAT ABOUT FIRST PARTY APPS?

16. None
17. None

18. @oktadev

19. None

20. https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking

21. @oktadev

22. @oktadev

23. @oktadev

24. @oktadev DOES MFA SOLVE THIS?

25. Phishable MFA Phishing-Resistant MFA

26. https://google.com

27. https://google.com https://apple.com

28. https://accounts.google.com https://gmail.com https://youtube.com https://google.com

29. Application OAuth Server

30. OAuth doesn't tell the app who logged in

31. Identification Accessing APIs Tells the application about the user authenticating

    Gives the application a way to make API requests

32. Tells the application about the user authenticating Gives the application

    a way to make API requests ID Token Access Token

33. ID Token Access Token

34. OAuth Server Application API

35. ID Token Access Token Read by the App Read by

    the API

36. How OAuth Works

37. Authorization Code OAuth Flows Device Flow Client Credentials Implicit Password

    web mobile SPA browserless devices server-to-server CLI CLI >_ >_

38. POST /resource/1/update HTTP/1.1 Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia Host: api.authorization-server.com description=Hello+World USING

    AN ACCESS TOKEN

39. User Agent App OAuth Server API ? Authorization Request Authorization

    Code Response Token Request Token Response "Log In"

40. User Agent App OAuth Server API ? Authorization Request Authorization

    Code Response Token Request Token Response "Log In" Front Channel Back Channel

41. https://authorization-server.com/auth? response_type=code& client_id=[CLIENT_ID]& redirect_uri=[REDIRECT_URI]& scope=photos& state=dd624a841f5& code_challenge=[CODE_CHALLENGE]& code_challenge_method=S256 Front Channel

    Redirect

42. https://example-app.com/redirect? code=bLvgTm0vjQLo08gxCreLcxrJwyFq0KnKBH& state=dd624a841f5 Front Channel Redirect

43. POST /token Host: authorization-server.com grant_type=authorization_code& client_id=[CLIENT_ID]& redirect_uri=[REDIRECT_URI]& code_verifier=[CODE_VERIFIER]& code=bLvgTm0vjQLo08gxCreLcxrJwyFq0KnKBH Back

    Channel POST Request

44. Content-type: application/json { "token_type": "Bearer" "expires_in": 86400, "access_token": "eyJraWQiOiJHSDZmqr...", "scope":

    "photos" } Back Channel POST Response

45. Front Channel Back Channel https://accounts.google.com/?... Passing data via the browser's

    address bar The user, or malicious software, can modify the requests and responses Sent from client to server HTTPS request from client to server, so requests cannot be tampered with

46. Back Channel

47. Front Channel

48. PKCE Ensures the app that receives the authorization code is

    the same one that started the exchange

49. OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices,

    
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name

50. OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client

    Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for con fi dential clients Security BCP

51. OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP

    Header Tokens in POST Form Body

52. OAuth 2.1 oauth.net/2.1 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11

53. RECENT OAUTH EXTENSIONS

54. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

    Pushed Authorization Requests (PAR) RFC9126

55. oauth.net/2/pushed-authorization-requests PUSHED AUTHORIZATION REQUESTS (PAR) Typically, the authorization request is

    sent in the front channel Front channel is susceptible to inspection and modi f ication PAR initiates the OAuth f low from the back channel RFC9126

56. PUSHED AUTHORIZATION REQUESTS (PAR) oauth.net/2/pushed-authorization-requests RFC9126

57. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

    Rich Authorization Requests (RAR) RFC 9396

58. oauth.net/2/rich-authorization-requests RICH AUTHORIZATION REQUESTS OAuth “scope” is limited to strings

    Need a way to authorize f ine-grained transactions or resources And present that to the user in the authorization interface RFC 9396

59. oauth.net/2/rich-authorization-requests RICH AUTHORIZATION REQUESTS RFC 9396

60. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

    Step-Up Authentication Challenge RFC 9470

61. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-step-up-authn-challenge STEP-UP AUTHENTICATION CHALLENGE A Resource Server can respond with

    an error telling the client to re-authenticate the user or get a higher level authentication The client sends the user through the OAuth f low again to get a new access token RFC 9470

62. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

    JWT Profile for Access Tokens RFC9068

63. oauth.net/2/jwt-access-tokens JWT PROFILE FOR ACCESS TOKENS eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2 F1dGhvcml6YXRpb24tc2VydmVyLmV4YW1wbGUuY29tLyIsInN1YiI6IiA1Y mE1NTJkNjciLCJhdWQiOiJodHRwczovL3JzLmV4YW1wbGUuY29tLyIsImV4 cCI6MTU5MzQ4NjY0OCwiY2xpZW50X2lkIjoiczZCaGRSa3F0M18iLCJzY29

    wZSI6Im9wZW5pZCBwcm9maWxlIHJlYWRlbWFpbCIsImp0aSI6IjAxODEwMm E1LTkzYmQtNDE0OC05ODI2LThlYTE3NTBjMjMyNiIsImlhdCI6MTU5MzQ4M zA0OH0.lWWmEU2kxTtlwu5TOTkXa7e7ZUNd0WbKtsef7EuJyB8 RFC9068

64. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

    OAuth for Browser-Based Applications (Best Current Practice) https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

65. authorization token Pure SPA Access token is obtained by JS

    in the browser. No backend, browser JS makes API requests directly.

66. TMI-BFF Token Mediating Backend Access token is obtained by the

    backend, but then retrieved by the frontend. Browser JS makes API calls directly.

67. BFF Backend-for-Frontend Access token is never sent to the browser.

    All API requests are proxied through the BFF. XSS is limited to the attacker telling your app server to make requests.

68. Specs Built on OAuth • OpenID Connect (openid.net) • FAPI

    (High-Security OAuth Pro fi le) • UMA (User-Managed Access) • IndieAuth (indieauth.net)

69. aaronpk.com oauth.wtf oauth.net