Protecting Single-Page Apps using OAuth

11954e59b49809173d48133ec4047fce?s=47 Aaron Parecki
July 22, 2020
Technology
0
72

Protecting Single-Page Apps using OAuth

https://aaronparecki.com/2020/07/22/7/

11954e59b49809173d48133ec4047fce?s=128

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
200
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
32
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
22
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
77
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
76
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
160
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
11
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
290
11954e59b49809173d48133ec4047fce?s=48 aaronpk
1
580

Other Decks in Technology

See All in Technology
6557f271a0b301f453f773be43cf876f?s=48 miyamoto_hiroki
1
220
80c79a9d024d1e1a253893a78189ce6d?s=48 ujnak
1
150
Be5b446b2cf48702721bbd428388af52?s=48 satoshishibata0108
0
260
Dacd98e0fcfc478b24f9cd7ec9208904?s=48 manabusakai
0
990
35e0df23d7ed5bf6c37dce3551bc5c18?s=48 thangngn
0
210
A857277d74d4719f7f7751dca5ed553e?s=48 cmusudakeisuke
0
1.4k
Ac099b28fee346b831ba8afcdb9e7d06?s=48 ericgpks
0
130
664b6e8ebe272fcfa5dbd6070eaf3cd4?s=48 wadayusuke
2
690
470bbf16e3547a17e40c34da937be921?s=48 kikmysy4
0
150
881b1b57f1cbe3b66b017203f7cb2efb?s=48 nplusone
0
260
0251532f4fb413ea1a026efe6eb16b87?s=48 stajima
0
260
Dd672f13e7e17714700544cb355cbaba?s=48 kyoshimoto
2
350

Featured

See All Featured
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
83
4.5k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
477
150k
11c84dff30266b907714802088852677?s=48 jasonvnalue
80
7.8k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
407
57k
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
51
2.6k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
256
10k
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
121
20k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
144
6.4k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
281
46k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
87
3.2k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
49
3.2k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
69
1.2k

Transcript

  1. OAuth 2.0 for Browser-Based Apps draft-ietf-oauth-browser-based-apps-06 Aaron Parecki OAuth Security

    Workshop July 22, 2020

  2. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Native Apps https://tools.ietf.org/html/rfc8252

  3. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

  4. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020

  5. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps • Includes recommendations for implementors building 
 browser-based apps using OAuth 2.0 • "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"

  6. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps Build off the Security BCP, adding specifics that are unique to the browser environment GOAL

  7. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Recommendations • MUST NOT return access tokens in the front channel 
 (e.g. no Implicit flow) • MUST use only exact registered redirect URIs • The AS MUST require an exact match of the redirect URI • The AS MUST issue one-time-use refresh tokens • The AS MUST either set a max lifetime on refresh tokens or expire if they are not used after some time

  8. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Architecture Options • Same-domain apps • JS apps with a dynamic app server backend • JS apps without a backend (e.g. static file hosting)

  9. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Same-Domain Applications • Details of this section still TBD • There are still benefits of OAuth such as easier MFA, 
 avoiding passwords in apps, etc • Thoughts and opinions welcome

  10. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App with a Backend

  11. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App without a Backend

  12. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Another architectural option? • Performing the OAuth flow within a Web Worker to isolate the tokens from the main JavaScript global scope • https://gitlab.com/jimdigriz/oauth2-worker

  13. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Outstanding Work • Collect feedback on the architectural recommendations from people who have deployment experience • Remove details and reference sections that duplicate the Security BCP

  14. Thank you! @aaronpk aaronpk.com oauth.wtf