Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2.1 - OAuth Security Workshop

11954e59b49809173d48133ec4047fce?s=47 Aaron Parecki
July 22, 2020
Technology
0
310

OAuth 2.1 - OAuth Security Workshop

https://aaronparecki.com/2020/07/22/9/

11954e59b49809173d48133ec4047fce?s=128

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
150
11954e59b49809173d48133ec4047fce?s=48 aaronpk
1
49
11954e59b49809173d48133ec4047fce?s=48 aaronpk
1
61
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
140
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
68
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
27
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
120
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
120
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
190

Other Decks in Technology

See All in Technology
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
160
03858bb7b6debdd69ea0531b0f57c612?s=48 con_mame
4
2k
A8f0494d61f79b35ff8a4902c7decb73?s=48 iqbocchi
0
520
4365312f9f662ab058e50d1459165e5f?s=48 y0hgi
1
370
3009eedce0d0f7ae45987a7bd8f57b85?s=48 nkjzm
1
820
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
920
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
0
120
3420e65cb2d008af23ec2ca10afe0aef?s=48 yuuturn
1
130
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
150
5825781c988a48130bb0db577f5c0e09?s=48 soachr
1
150
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
0
110
3bd2c1eac6c4d0852c6a788dd835db44?s=48 awsbelaraby
4
1.2k

Featured

See All Featured
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
437
28k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
119
16k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
358
62k
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
109
11k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
111
9.9k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
626
42k
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
18
770
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
229
18k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
125
21k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
200
19k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
225
8.5k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.4k

Transcript

  1. OAuth 2.1 Aaron Parecki OAuth Security Workshop July 22, 2020

    https://tools.ietf.org/html/draft-parecki-oauth-v2-1

  2. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types

  3. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  4. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types RFC6750 Bearer Tokens Token Usage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  5. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  6. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  7. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  8. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  9. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    https://example.com https://app.example.com https://auth.example GET / HTML, CSS, etc POST /token access token Cross-Origin Resource Sharing

  10. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  11. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  12. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  13. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  14. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  15. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    RFC6749 RFC6750 CLIENT TYPE AUTH GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR

  16. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  17. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP Header Tokens in POST Form Body

  18. OAuth 2.1 oauth.net/2.1

  19. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published

  20. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 No new behavior defined by OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented

  21. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Summary Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt • OAuth 2.1 is a consolidation of: 
 OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), 
 Bearer Tokens (RFC6750) • Grant types defined: Authorization Code with PKCE, Client Credentials • Exact redirect URI matching • No Bearer tokens in query strings • Refresh tokens must be sender-constrained or one-time use • Implicit and password grants are omitted

  22. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential

  23. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential Credentialed

  24. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials, the client MUST authenticate... OAuth 2.1: Confidential or credentialed clients MUST authenticate...

  25. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements)... OAuth 2.1: Confidential or credentialed clients...

  26. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client • A client that has credentials, but whose identity is not confirmed • e.g. a client that obtains a client secret via dynamic client registration

  27. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 oauth.net/2.1 tools.ietf.org/html/draft-parecki-oauth-v2-1

  28. Thank you! @aaronpk aaronpk.com oauth.wtf