OAuth 2.1 - OAuth Security Workshop

11954e59b49809173d48133ec4047fce?s=47 Aaron Parecki
July 22, 2020
Technology
0
200

OAuth 2.1 - OAuth Security Workshop

https://aaronparecki.com/2020/07/22/9/

11954e59b49809173d48133ec4047fce?s=128

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
72
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
32
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
22
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
77
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
76
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
160
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
11
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
290
11954e59b49809173d48133ec4047fce?s=48 aaronpk
1
580

Other Decks in Technology

See All in Technology
332f89cc697355902a817506b6995f2b?s=48 ytaka23
8
1.8k
7843111608e155f89877c4faca12697e?s=48 shuntafurukawa
1
310
A645e7c3a6635ead8fa323c583769591?s=48 hololab
0
280
A38e9ebe0e62fd6753f555c005ea6551?s=48 tarukosu
0
840
4c179cd6250ba8459f278a1440d7f610?s=48 dach
0
260
Be5b446b2cf48702721bbd428388af52?s=48 satoshishibata0108
0
260
470bbf16e3547a17e40c34da937be921?s=48 kikmysy4
0
150
783718ebd2faaa896d4cb347835c07fb?s=48 tarotaro0
0
450
Ad22fcf5773b906c08330f4d57242212?s=48 inductor
3
800
5b392dc79d5b6d1dab580bf60e26fb7c?s=48 nitya
0
210
53850955f15249a1a9dc49df6113e400?s=48 line_developers
0
150
835671ae91e49b2637313b91dacda1db?s=48 tdys13
2
2k

Featured

See All Featured
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
274
31k
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
218
110k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
581
190k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
215
16k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
190
8.6k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
266
16k
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
60
2.4k
7fa6101cd43067653cf4ac6c7ca54305?s=48 akmur
252
19k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
123
21k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
281
46k
79acae287842acf29084005533a7fb3b?s=48 hursman
103
9k
24fc194843a71f10949be18d5a692682?s=48 gr2m
82
11k

Transcript

  1. OAuth 2.1 Aaron Parecki OAuth Security Workshop July 22, 2020

    https://tools.ietf.org/html/draft-parecki-oauth-v2-1

  2. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types

  3. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  4. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types RFC6750 Bearer Tokens Token Usage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  5. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  6. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  7. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  8. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

  9. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    https://example.com https://app.example.com https://auth.example GET / HTML, CSS, etc POST /token access token Cross-Origin Resource Sharing

  10. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  11. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  12. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  13. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  14. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  15. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    RFC6749 RFC6750 CLIENT TYPE AUTH GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR

  16. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  17. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP Header Tokens in POST Form Body

  18. OAuth 2.1 oauth.net/2.1

  19. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published

  20. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 No new behavior defined by OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented

  21. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Summary Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt • OAuth 2.1 is a consolidation of: 
 OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), 
 Bearer Tokens (RFC6750) • Grant types defined: Authorization Code with PKCE, Client Credentials • Exact redirect URI matching • No Bearer tokens in query strings • Refresh tokens must be sender-constrained or one-time use • Implicit and password grants are omitted

  22. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential

  23. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 Client Types Public Confidential Credentialed

  24. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials, the client MUST authenticate... OAuth 2.1: Confidential or credentialed clients MUST authenticate...

  25. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements)... OAuth 2.1: Confidential or credentialed clients...

  26. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    Credentialed Client • A client that has credentials, but whose identity is not confirmed • e.g. a client that obtains a client secret via dynamic client registration

  27. OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

    OAuth 2.1 oauth.net/2.1 tools.ietf.org/html/draft-parecki-oauth-v2-1

  28. Thank you! @aaronpk aaronpk.com oauth.wtf