$30 off During Our Annual Pro Sale. View Details »

OAuth 2.1 - OAuth Security Workshop

Aaron Parecki
July 22, 2020
Technology
0
670

OAuth 2.1 - OAuth Security Workshop

https://aaronparecki.com/2020/07/22/9/

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
App Integrity Attestations for OAuth - OAuth Security Workshop 2022
aaronpk
0
260
Intro to OAuth - IETF 110
aaronpk
0
110
OAuth 101 - Internet Identity Workshop XXXI
aaronpk
0
460
What's New with OAuth and OpenID Connect - API Days Australia
aaronpk
2
250
How to Think about OAuth Security - Disclosure 2020
aaronpk
1
160
Protecting Single-Page Apps using OAuth
aaronpk
0
350
The State of OAuth
aaronpk
0
170
OAuth 2.0 Client Intermediary Metadata - IETF 107
aaronpk
0
77
How to Hack OAuth - Goto Chicago 2020
aaronpk
0
260

Other Decks in Technology

See All in Technology
Container Replatform 101
shkitayama
4
390
Microsoft 365 による情報保護 ~ DLP 編
sophiakunii
0
630
runnによるAPIのシナリオテストの導入と自動化 / stac2022
k1low
3
390
APN AWS Top Engineersが語るAWSの最新セキュリティ
cmusudakeisuke
0
880
Oracle Content Management サービス概要 (2022年12月版)
oracle4engineer
PRO
0
620
一人でも小さく始められるGoogle Cloudで実現するほぼサーバレスなデータ基盤 / Serverless Dataplatform for Google Cloud
shinyorke
0
140
ユーザー理解は、自組織理解から!インナーリサーチのススメ / SDC_okusa
recruitengineers
PRO
0
280
IFCによるアプリケーションのマイクロサービス化
ktaroabobon
0
110
Webパフォーマンス高速化とこれからのアーキテクチャ
narirou
9
2.4k
バンドルカードの クレジットカード決済システムの 泥臭い運用
hiroakis
6
4.8k
OCI Streaming ご紹介
oracle4engineer
PRO
0
540
Sports Analyst Meetup #13 (2022/11/26)
keisuke198619
0
250

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
116
15k
Building a Scalable Design System with Sketch
lauravandoore
451
30k
Practical Orchestrator
shlominoach
178
8.9k
Support Driven Design
roundedbygravity
87
8.8k
Code Review Best Practice
trishagee
48
11k
Adopting Sorbet at Scale
ufuk
65
7.8k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
196
9.7k
The Invisible Side of Design
smashingmag
292
48k
Web development in the modern age
philhawksworth
197
9.5k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
15
1.1k
A better future with KSS
kneath
228
16k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k

Transcript

  1. OAuth 2.1 Aaron Parecki OAuth Security Workshop July 22, 2020

    https://tools.ietf.org/html/draft-parecki-oauth-v2-1

  2. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types

  3. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  4. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types RFC6750 Bearer Tokens Token Usage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  5. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  6. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  7. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  8. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  9. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    https://example.com https://app.example.com https://auth.example GET / HTML, CSS, etc POST /token access token Cross-Origin Resource Sharing

  10. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  11. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  12. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  13. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  14. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  15. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    RFC6749 RFC6750 CLIENT TYPE AUTH GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR

  16. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  17. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP Header Tokens in POST Form Body

  18. OAuth 2.1 oauth.net/2.1

  19. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published

  20. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 No new behavior defined by OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented

  21. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Summary Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt • OAuth 2.1 is a consolidation of: 
 OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), 
 Bearer Tokens (RFC6750) • Grant types defined: Authorization Code with PKCE, Client Credentials • Exact redirect URI matching • No Bearer tokens in query strings • Refresh tokens must be sender-constrained or one-time use • Implicit and password grants are omitted

  22. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential

  23. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential Credentialed

  24. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials, the client MUST authenticate... OAuth 2.1: Confidential or credentialed clients MUST authenticate...

  25. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements)... OAuth 2.1: Confidential or credentialed clients...

  26. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client • A client that has credentials, but whose identity is not confirmed • e.g. a client that obtains a client secret via dynamic client registration

  27. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 oauth.net/2.1 tools.ietf.org/html/draft-parecki-oauth-v2-1

  28. Thank you! @aaronpk aaronpk.com oauth.wtf