OAuth 2.1 - OAuth Security Workshop

Aaron Parecki

July 22, 2020

Transcript

  1. OAuth 2.1
    Aaron Parecki
    OAuth Security Workshop

    July 22, 2020
    https://tools.ietf.org/html/draft-parecki-oauth-v2-1


  2. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Grant Types: Authorization Code, Implicit, Password, Client Credentials

  3. (no text on slide)

  4. OAuth 2.0
    RFC6749 OAuth Core
    Grant Types: Authorization Code, Implicit, Password, Client Credentials
    RFC6750 Bearer Tokens
    Token Usage: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String

  5. (no text on slide)

  6. OAuth 2.0
    RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
    RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
    RFC7636 +PKCE

  7. OAuth 2.0
    RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
    RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
    RFC7636 +PKCE
    RFC8252 PKCE for mobile

  8. (no text on slide)

  9. Cross-Origin Resource Sharing
    https://example.com
    https://app.example.com
    https://auth.example
    GET / (HTML, CSS, etc)
    POST /token (access token)

  10. (same diagram as slide 7)

  11. OAuth 2.0
    RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
    RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
    RFC7636 +PKCE
    RFC8252 PKCE for mobile
    Browser App BCP: PKCE for SPAs

  12. (same diagram as slide 11)

  13. (same diagram as slide 11)

  14. OAuth 2.0
    RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
    RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
    RFC7636 +PKCE
    RFC8252 PKCE for mobile
    Browser App BCP: PKCE for SPAs
    Security BCP: PKCE for confidential clients

  15. Map of OAuth-related specifications (labels as they appear on the slide)
    RFCs: RFC6749, RFC6750, RFC6819, RFC7009, RFC7592, RFC7662, RFC7636, RFC7591, RFC7519, RFC8252, RFC8414, RFC7515, RFC7516, RFC7517, RFC7518
    Other specs and drafts: OIDC, UMA 2, FAPI, CIBA, JARM, JAR, DPOP, PAR, HTTP SIGNING, MUTUAL TLS, SPA BCP, SECURITY BCP
    Groupings: CLIENT TYPE, AUTH, GRANT TYPE, BUILDING YOUR APPLICATION, STATE, TLS, CSRF, TOKEN, POP, TOKEN

  16. (same diagram as slide 14)

  17. OAuth 2.1
    Authorization Code
    Client Credentials
    +PKCE
    Tokens in HTTP Header
    Tokens in POST Form Body

  18. OAuth 2.1
    oauth.net/2.1

  19. OAuth 2.1
    Consolidate the OAuth 2.0 specs, adding best practices, removing deprecated features

    Capture current best practices in OAuth 2.0 under a single name

    Add references to extensions that didn't exist when OAuth 2.0 was published

  20. OAuth 2.1
    No new behavior defined by OAuth 2.1
    Non-Goals:
    Don't include anything experimental, in progress or not widely implemented

  21. OAuth 2.1 Summary
    Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt

    • OAuth 2.1 is a consolidation of: OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), Bearer Tokens (RFC6750)

    • Grant types defined: Authorization Code with PKCE, Client Credentials

    • Exact redirect URI matching

    • No Bearer tokens in query strings

    • Refresh tokens must be sender-constrained or one-time use

    • Implicit and password grants are omitted
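The four behavioural rules in this summary (PKCE on the authorization code grant, exact redirect URI matching, no Bearer tokens in query strings, one-time-use refresh tokens) are easiest to see as server-side checks. The following Python is an added example written for this transcript, not code from the slides or from the OAuth 2.1 draft: the registered redirect URI, the client/resource names and the refresh token store are constructed for illustration, while the PKCE S256 test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) is the one from RFC 7636 Appendix B. Sender-constrained refresh tokens (the slide's other option) are not modelled here.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed registration data for a hypothetical client (not from the slides).
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/callback",
}


def redirect_uri_allowed(requested: str) -> bool:
    """OAuth 2.1 'exact redirect URI matching': a plain string comparison
    against the registered set. No prefix, wildcard or pattern matching, so an
    extra path segment or query parameter never turns a registered URI into a
    match."""
    return requested in REGISTERED_REDIRECT_URIS


def b64url_no_pad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """Client side of PKCE (RFC7636, S256): BASE64URL(SHA256(code_verifier))."""
    return b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def pkce_verifier_valid(code_verifier: str, stored_challenge: str) -> bool:
    """Server side of PKCE: recompute the challenge from the verifier presented
    at the token endpoint and compare it in constant time with the challenge
    that was bound to the authorization code. RFC7636 bounds the verifier to
    43..128 characters."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(code_verifier), stored_challenge)


class RefreshTokenStore:
    """One-time-use refresh tokens: each use invalidates the presented token
    and issues a replacement in the same 'family'. A token that was valid once
    and is presented again is treated as a replay, and the whole family is
    revoked so that neither party holding a copy can keep refreshing."""

    def __init__(self):
        self._active = {}      # currently valid token -> family id
        self._seen = {}        # every token ever issued -> family id
        self._revoked = set()  # family ids that detected a replay

    def issue(self, family=None):
        family = family or secrets.token_hex(8)
        tok = secrets.token_urlsafe(32)
        self._active[tok] = family
        self._seen[tok] = family
        return tok

    def rotate(self, presented):
        """Return a fresh refresh token, or None if the presented one is
        unknown, already used, or belongs to a revoked family."""
        family = self._seen.get(presented)
        if family is None or family in self._revoked:
            return None
        if presented not in self._active:
            # Valid once, already exchanged: replay. Revoke the family.
            self._revoked.add(family)
            for tok, fam in list(self._active.items()):
                if fam == family:
                    del self._active[tok]
            return None
        del self._active[presented]
        return self.issue(family)


def bearer_token_from_request(method, url, headers, form):
    """Resource-server side of 'no Bearer tokens in query strings': a request
    carrying access_token in the URL (RFC6750 section 2.3) is rejected,
    because URLs end up in server logs, browser history and Referer headers.
    The Authorization header (section 2.1) and, for POST, the form-encoded
    body parameter (section 2.2) are accepted."""
    if "access_token" in parse_qs(urlsplit(url).query):
        return None
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    if method == "POST" and "access_token" in form:
        return form["access_token"]
    return None
```

The refresh token store keeps every issued token in `_seen` so that it can tell an old-but-genuine token (replay, revoke the family) apart from a token it never issued (just reject); that distinction is what makes rotation useful as a theft detector rather than only a limiter.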

  22. OAuth 2.1 Client Types
    Public
    Confidential

  23. OAuth 2.1 Client Types
    Public
    Confidential
    Credentialed

  24. Credentialed Client
    This distinction already exists in OAuth 2.0!

    OAuth 2.0:
    If the client type is confidential or the client was issued client credentials, the client MUST authenticate...

    OAuth 2.1:
    Confidential or credentialed clients MUST authenticate...

  25. Credentialed Client
    This distinction already exists in OAuth 2.0!

    OAuth 2.0:
    If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements)...

    OAuth 2.1:
    Confidential or credentialed clients...

  26. Credentialed Client
    • A client that has credentials, but whose identity is not confirmed

    • e.g. a client that obtains a client secret via dynamic client registration
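The three client types on slides 22 to 26 differ in what the authorization server may conclude once a client has authenticated. The following Python is an added example for this transcript, not code from the slides or the draft: the registry, the two registration paths (a manual one where the operator confirmed who the developer is, and a dynamic one in the style of RFC7591 where anyone can call) and the salted secret storage are constructed assumptions. It shows the rule quoted on slide 24, that confidential or credentialed clients must authenticate, and slide 26's point that a credentialed client's successful authentication proves possession of the issued secret but not the client's identity.

```python
import hashlib
import hmac
import secrets

# Client types named on the slides.
PUBLIC, CONFIDENTIAL, CREDENTIALED = "public", "confidential", "credentialed"


class ClientRegistry:
    """Hypothetical client registry for an authorization server. Only a salted
    SHA-256 of each client secret is kept; the secret is returned once at
    registration and never stored."""

    def __init__(self):
        self._clients = {}

    def _store(self, client_type, identity_verified):
        client_id = secrets.token_urlsafe(12)
        record = {"type": client_type, "salt": None, "secret_hash": None,
                  "identity_verified": identity_verified}
        secret = None
        if client_type in (CONFIDENTIAL, CREDENTIALED):
            secret = secrets.token_urlsafe(32)
            record["salt"] = secrets.token_bytes(16)
            record["secret_hash"] = hashlib.sha256(
                record["salt"] + secret.encode("ascii")).digest()
        self._clients[client_id] = record
        return client_id, secret

    def register_manually(self, client_type):
        """Registration through an operator-reviewed process where the
        developer's identity was confirmed (constructed assumption). Yields a
        public client (no secret) or a confidential client (secret issued)."""
        if client_type not in (PUBLIC, CONFIDENTIAL):
            raise ValueError("manual registration yields public or confidential clients")
        return self._store(client_type, identity_verified=True)

    def register_dynamically(self, wants_secret):
        """Dynamic client registration (RFC7591 style): the caller is not
        identified, so issuing a secret produces a credentialed client (has
        credentials, identity not confirmed); without a secret it is public."""
        client_type = CREDENTIALED if wants_secret else PUBLIC
        return self._store(client_type, identity_verified=False)

    def authenticate(self, client_id, presented_secret):
        """Token-endpoint rule from slide 24: confidential or credentialed
        clients MUST authenticate. A public client has nothing to present, so
        there is no authentication step for it."""
        rec = self._clients.get(client_id)
        if rec is None:
            return False
        if rec["type"] == PUBLIC:
            return True
        if presented_secret is None:
            return False
        got = hashlib.sha256(rec["salt"] + presented_secret.encode("ascii")).digest()
        return hmac.compare_digest(rec["secret_hash"], got)

    def identity_confirmed(self, client_id):
        """What a successful authenticate() lets the server conclude: for a
        credentialed client, only that the caller holds the secret issued at
        registration, not who the client is (slide 26)."""
        return self._clients[client_id]["identity_verified"]
```

Whether a client is credentialed rather than confidential should therefore feed into policy decisions (for example, which scopes or grant types a client may use) rather than being treated as equivalent to a confidential client just because a secret was verified.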

  27. OAuth 2.1
    oauth.net/2.1
    tools.ietf.org/html/draft-parecki-oauth-v2-1

  28. Thank you!
    @aaronpk
    aaronpk.com

    oauth.wtf