Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2.1 - OAuth Security Workshop

11954e59b49809173d48133ec4047fce?s=47 Aaron Parecki
July 22, 2020
Technology
0
420

OAuth 2.1 - OAuth Security Workshop

https://aaronparecki.com/2020/07/22/9/

11954e59b49809173d48133ec4047fce?s=128

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
31
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
240
11954e59b49809173d48133ec4047fce?s=48 aaronpk
1
84
11954e59b49809173d48133ec4047fce?s=48 aaronpk
1
86
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
210
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
96
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
40
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
160
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
160

Other Decks in Technology

See All in Technology
A5fed8c15d016c2a42d7d9f830326045?s=48 takuros
2
1.5k
Cb88f765dd38cd942c39aacb5abbea06?s=48 ufoo68
0
110
C8b3d5eaa8c8a490a1530b9b5256a2a9?s=48 kaojiri
7
3.6k
Eeac2f3b51b69b3cd6fb14ed348f0c6e?s=48 limes2018
0
110
A07bf430b58349d4c0c88dabcd4c21f3?s=48 iam326
0
220
928b1395afedebb5ee48d44ab917c5f1?s=48 ryusa
1
140
3f848c0c0b9a6603894e157da93e4655?s=48 sadayoshitada0919
0
1.2k
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
280
Ce65a0ab3a68718d409e4007da16e141?s=48 todatomohiro
0
1.4k
86b08b89a4ccfc0847046d1abe60824a?s=48 yo41sawada
0
410
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
5
760
Ea29e2b19d11b48f867ae71d6a6de5df?s=48 opelab
3
490

Featured

See All Featured
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
287
47k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
235
930k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
342
16k
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
83
3.6k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
97
15k
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
612
55k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
117
26k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
64
10k
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
260
20k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
225
48k
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
24
4k
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
55
3k

Transcript

  1. OAuth 2.1 Aaron Parecki OAuth Security Workshop July 22, 2020

    https://tools.ietf.org/html/draft-parecki-oauth-v2-1

  2. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types

  3. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  4. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types RFC6750 Bearer Tokens Token Usage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  5. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  6. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  7. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  8. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  9. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    https://example.com https://app.example.com https://auth.example GET / HTML, CSS, etc POST /token access token Cross-Origin Resource Sharing

  10. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  11. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  12. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  13. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  14. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  15. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    RFC6749 RFC6750 CLIENT TYPE AUTH GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR

  16. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  17. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP Header Tokens in POST Form Body

  18. OAuth 2.1 oauth.net/2.1

  19. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published

  20. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 No new behavior defined by OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented

  21. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Summary Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt • OAuth 2.1 is a consolidation of: 
 OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), 
 Bearer Tokens (RFC6750) • Grant types defined: Authorization Code with PKCE, Client Credentials • Exact redirect URI matching • No Bearer tokens in query strings • Refresh tokens must be sender-constrained or one-time use • Implicit and password grants are omitted

  22. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential

  23. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential Credentialed

  24. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials, the client MUST authenticate... OAuth 2.1: Confidential or credentialed clients MUST authenticate...

  25. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements)... OAuth 2.1: Confidential or credentialed clients...

  26. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client • A client that has credentials, but whose identity is not confirmed • e.g. a client that obtains a client secret via dynamic client registration

  27. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 oauth.net/2.1 tools.ietf.org/html/draft-parecki-oauth-v2-1

  28. Thank you! @aaronpk aaronpk.com oauth.wtf