Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2.1 - OAuth Security Workshop

11954e59b49809173d48133ec4047fce?s=47 Aaron Parecki
July 22, 2020
Technology
0
580

OAuth 2.1 - OAuth Security Workshop

https://aaronparecki.com/2020/07/22/9/

11954e59b49809173d48133ec4047fce?s=128

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
App Integrity Attestations for OAuth - OAuth Security Workshop 2022
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
63
Intro to OAuth - IETF 110
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
94
OAuth 101 - Internet Identity Workshop XXXI
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
390
What's New with OAuth and OpenID Connect - API Days Australia
11954e59b49809173d48133ec4047fce?s=48 aaronpk
2
190
How to Think about OAuth Security - Disclosure 2020
11954e59b49809173d48133ec4047fce?s=48 aaronpk
1
130
Protecting Single-Page Apps using OAuth
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
310
The State of OAuth
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
130
OAuth 2.0 Client Intermediary Metadata - IETF 107
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
65
How to Hack OAuth - Goto Chicago 2020
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
220

Other Decks in Technology

See All in Technology
長年運用されてきたモノリシックアプリケーションをコンテナ化しようとするとどんな問題に遭遇するか? / SRE NEXT 2022
3e77f9dbec6a87756d1dbdddab283aee?s=48 nulabinc
PRO
15
7.9k
アルプでのAgile Testing / Alp Agile Testing
1b7098127bb4872f5fa10415d88479b7?s=48 nametake
0
190
次期LTSに備えよ!AOS 6.1 HCI Core 編
A4d5b3aae2e67f31b513c88c726514c2?s=48 smzksts
0
180
一人から始めるプロダクトSRE / How to start SRE in a product team, all by yourself
12a5cec7a54018170b1a009731acf477?s=48 vtryo
4
2.9k
SRENEXT2022 組織にSREを実装していくまでの道のり
9cd2d753636f4849c881ccf2381228ee?s=48 marnie0301
1
650
エンタープライズにおけるSRE立ち上げとNew Relic選定に至った背景とは / SRE Startup and New Relic in the Enterprise
Aa0d25b0254ef311ed8177b5275577f4?s=48 tomoyakitaura
2
160
Spotify物理コントローラーがほしい
1dceaa2dcea41c16004f430c1723b20e?s=48 miso
0
170
LIFF Deep Dive 2022
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
1
590
Building smarter apps with machine learning, from magic to reality
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
3.1k
220521_SFN_品質文化試論と『LEADING QUALITY』/220521_SFN_Essay_of_Quality_Culture_and_LEADING_QUALITY
C8cde92274f0ca1ff9b046673d4f2d29?s=48 mkwrd
0
290
読者のことを考えて書いてみよう / Write with your reader in mind
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
3
360
Steps toward self-service operations in eureka
71929a476c581dd754e4e1f355ac07d0?s=48 fukubaka0825
0
840

Featured

See All Featured
Clear Off the Table
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
79
280k
Support Driven Design
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
86
8.5k
GraphQLの誤解/rethinking-graphql
3cb4e761dbdb7aebd1ffd85f752e1e3e?s=48 sonatard
24
6.2k
Principles of Awesome APIs and How to Build Them.
B47b288784fda77a94aeb234ca743c24?s=48 keavy
113
15k
A Tale of Four Properties
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
149
20k
Navigating Team Friction
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
How New CSS Is Changing Everything About Graphic Design on the Web
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
212
11k
5 minutes of I Can Smell Your CMS
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
196
18k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
19
1.4k
How To Stay Up To Date on Web Technology
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
250k
JavaScript: Past, Present, and Future - NDC Porto 2020
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
37
3.2k
jQuery: Nuts, Bolts and Bling
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
6.4k

Transcript

  1. OAuth 2.1 Aaron Parecki OAuth Security Workshop July 22, 2020

    https://tools.ietf.org/html/draft-parecki-oauth-v2-1

  2. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types

  3. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  4. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types RFC6750 Bearer Tokens Token Usage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  5. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  6. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  7. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  8. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  9. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    https://example.com https://app.example.com https://auth.example GET / HTML, CSS, etc POST /token access token Cross-Origin Resource Sharing

  10. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  11. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  12. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  13. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  14. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  15. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    RFC6749 RFC6750 CLIENT TYPE AUTH GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR

  16. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  17. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP Header Tokens in POST Form Body

  18. OAuth 2.1 oauth.net/2.1

  19. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published

  20. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 No new behavior defined by OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented

  21. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Summary Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt • OAuth 2.1 is a consolidation of: 
 OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), 
 Bearer Tokens (RFC6750) • Grant types defined: Authorization Code with PKCE, Client Credentials • Exact redirect URI matching • No Bearer tokens in query strings • Refresh tokens must be sender-constrained or one-time use • Implicit and password grants are omitted

  22. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential

  23. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential Credentialed

  24. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials, the client MUST authenticate... OAuth 2.1: Confidential or credentialed clients MUST authenticate...

  25. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements)... OAuth 2.1: Confidential or credentialed clients...

  26. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client • A client that has credentials, but whose identity is not confirmed • e.g. a client that obtains a client secret via dynamic client registration

  27. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 oauth.net/2.1 tools.ietf.org/html/draft-parecki-oauth-v2-1

  28. Thank you! @aaronpk aaronpk.com oauth.wtf