Protecting Single-Page Apps using OAuth

Aaron Parecki

July 22, 2020
Transcript

  1. OAuth 2.0 for Browser-Based Apps
     draft-ietf-oauth-browser-based-apps-06
     Aaron Parecki, OAuth Security Workshop, July 22, 2020
  2. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020 (running header)
     OAuth 2.0 for Native Apps
     https://tools.ietf.org/html/rfc8252
  3. OAuth 2.0 for Browser-Based Apps
     https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps
  4. (running header only)
  5. OAuth 2.0 for Browser-Based Apps
     • Includes recommendations for implementors building browser-based apps using OAuth 2.0
     • "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"
  6. Goal
     • Build off the Security BCP, adding specifics that are unique to the browser environment
  7. Recommendations
     • MUST NOT return access tokens in the front channel (e.g. no Implicit flow)
     • MUST use only exact registered redirect URIs
     • The AS MUST require an exact match of the redirect URI
     • The AS MUST issue one-time-use refresh tokens
     • The AS MUST either set a max lifetime on refresh tokens or expire them if they are not used after some time
  8. Architecture Options
     • Same-domain apps
     • JS apps with a dynamic app server backend
     • JS apps without a backend (e.g. static file hosting)
  9. Same-Domain Applications
     • Details of this section still TBD
     • There are still benefits of OAuth such as easier MFA, avoiding passwords in apps, etc.
     • Thoughts and opinions welcome
  10. JavaScript App with a Backend
  11. JavaScript App without a Backend
  12. Another architectural option?
     • Performing the OAuth flow within a Web Worker to isolate the tokens from the main JavaScript global scope
     • https://gitlab.com/jimdigriz/oauth2-worker
  13. Outstanding Work
     • Collect feedback on the architectural recommendations from people who have deployment experience
     • Remove details and reference sections that duplicate the Security BCP
  14. Thank you! @aaronpk aaronpk.com oauth.wtf