Protecting Single-Page Apps using OAuth

11954e59b49809173d48133ec4047fce?s=47 Aaron Parecki
July 22, 2020
Technology
0
120

Protecting Single-Page Apps using OAuth

https://aaronparecki.com/2020/07/22/7/

11954e59b49809173d48133ec4047fce?s=128

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
67
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
35
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
42
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
280
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
58
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
25
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
100
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
100
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
180

Other Decks in Technology

See All in Technology
F0ec1a6cb9e7be1911ed97b6561ed5ac?s=48 k1nakayama
0
140
C265a1a7dadb2713ff2262025e91d133?s=48 akabekobeko
0
460
40301c0affdf359eaca771713e22b71a?s=48 harshbothra
0
570
0620564f0125b8b3b7f4fe40c10b8b4e?s=48 tattn
4
870
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
0
750
0479057e04d0dbef40692b5f171f60e4?s=48 takanakahiko
0
510
Ecad9d801d79f6c6e5df93094690685e?s=48 sinsoku
6
2.2k
E783e2d26dc6388730b73ced1348c638?s=48 vkbaba
0
220
Cc8a208e174943d1da814783841abd50?s=48 shinodogg
0
180
9ae4f3862d4cb0771cfd36e43252f755?s=48 kurotanshi
0
1.6k
11d3072d628a7b976cd2f4e6a3cf750f?s=48 yuyaabo
0
710
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.1k

Featured

See All Featured
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
101
5.8k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
144
6.5k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
296
39k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
408
57k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
682
180k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
155
11k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
257
24k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
82
4.6k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
84
7.7k
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
608
54k
79acae287842acf29084005533a7fb3b?s=48 hursman
104
9.1k

Transcript

  1. OAuth 2.0 for Browser-Based Apps draft-ietf-oauth-browser-based-apps-06 Aaron Parecki OAuth Security

    Workshop July 22, 2020

  2. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Native Apps https://tools.ietf.org/html/rfc8252

  3. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

  4. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020

  5. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps • Includes recommendations for implementors building 
 browser-based apps using OAuth 2.0 • "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"

  6. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps Build off the Security BCP, adding specifics that are unique to the browser environment GOAL

  7. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Recommendations • MUST NOT return access tokens in the front channel 
 (e.g. no Implicit flow) • MUST use only exact registered redirect URIs • The AS MUST require an exact match of the redirect URI • The AS MUST issue one-time-use refresh tokens • The AS MUST either set a max lifetime on refresh tokens or expire if they are not used after some time

  8. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Architecture Options • Same-domain apps • JS apps with a dynamic app server backend • JS apps without a backend (e.g. static file hosting)

  9. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Same-Domain Applications • Details of this section still TBD • There are still benefits of OAuth such as easier MFA, 
 avoiding passwords in apps, etc • Thoughts and opinions welcome

  10. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App with a Backend

  11. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App without a Backend

  12. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Another architectural option? • Performing the OAuth flow within a Web Worker to isolate the tokens from the main JavaScript global scope • https://gitlab.com/jimdigriz/oauth2-worker

  13. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Outstanding Work • Collect feedback on the architectural recommendations from people who have deployment experience • Remove details and reference sections that duplicate the Security BCP

  14. Thank you! @aaronpk aaronpk.com oauth.wtf