Protecting Single-Page Apps using OAuth

Transcript

1. OAuth 2.0 for Browser-Based Apps draft-ietf-oauth-browser-based-apps-06 Aaron Parecki OAuth Security

   Workshop July 22, 2020

2. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

   Security Workshop 2020 OAuth 2.0 for Native Apps https://tools.ietf.org/html/rfc8252

3. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

   Security Workshop 2020 OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

4. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

   Security Workshop 2020

5. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

   Security Workshop 2020 OAuth 2.0 for Browser-Based Apps • Includes recommendations for implementors building 
 browser-based apps using OAuth 2.0 • "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"

6. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

   Security Workshop 2020 OAuth 2.0 for Browser-Based Apps Build off the Security BCP, adding specifics that are unique to the browser environment GOAL

7. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

   Security Workshop 2020 Recommendations • MUST NOT return access tokens in the front channel 
 (e.g. no Implicit flow) • MUST use only exact registered redirect URIs • The AS MUST require an exact match of the redirect URI • The AS MUST issue one-time-use refresh tokens • The AS MUST either set a max lifetime on refresh tokens or expire if they are not used after some time

8. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

   Security Workshop 2020 Architecture Options • Same-domain apps • JS apps with a dynamic app server backend • JS apps without a backend (e.g. static file hosting)

9. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

   Security Workshop 2020 Same-Domain Applications • Details of this section still TBD • There are still benefits of OAuth such as easier MFA, 
 avoiding passwords in apps, etc • Thoughts and opinions welcome

10. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App with a Backend

11. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App without a Backend

12. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Another architectural option? • Performing the OAuth flow within a Web Worker to isolate the tokens from the main JavaScript global scope • https://gitlab.com/jimdigriz/oauth2-worker

13. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Outstanding Work • Collect feedback on the architectural recommendations from people who have deployment experience • Remove details and reference sections that duplicate the Security BCP

14. Thank you! @aaronpk aaronpk.com oauth.wtf