Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Protecting Single-Page Apps using OAuth

Aaron Parecki
July 22, 2020
Technology
0
520

Protecting Single-Page Apps using OAuth

https://aaronparecki.com/2020/07/22/7/

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
IIW 39 - OAuth 101
aaronpk
0
38
Targeted Logout - OAuth Security Workshop 2023
aaronpk
0
160
Enterprise-Ready: Going Beyond MVP
aaronpk
0
900
App Integrity Attestations for OAuth - OAuth Security Workshop 2022
aaronpk
1
1k
Intro to OAuth - IETF 110
aaronpk
0
230
OAuth 101 - Internet Identity Workshop XXXI
aaronpk
0
820
What's New with OAuth and OpenID Connect - API Days Australia
aaronpk
2
520
How to Think about OAuth Security - Disclosure 2020
aaronpk
1
280
OAuth 2.1 - OAuth Security Workshop
aaronpk
0
1.2k

Other Decks in Technology

See All in Technology
バックオフィス向け toB SaaS バクラクにおけるレコメンド技術活用 / recommender-systems-in-layerx-bakuraku
yuya4
5
390
YOLOv10~v12
tenten0727
4
900
DuckDB MCPサーバーを使ってAWSコストを分析させてみた / AWS cost analysis with DuckDB MCP server
masahirokawahara
0
1.1k
古き良き Laravel のシステムは関数型スタイルでリファクタできるのか
leveragestech
1
650
Devinで模索する AIファースト開発〜ゼロベースから始めるDevOpsの進化〜
potix2
PRO
7
3k
Рекомендации с нуля: как мы в Lamoda превратили главную страницу в ключевую точку входа для персонализированного шоппинга. Данил Комаров, Data Scientist, Lamoda Tech
lamodatech
0
540
AI Agentを「期待通り」に動かすために:設計アプローチの模索と現在地
kworkdev
PRO
2
400
MCPを活用した検索システムの作り方/How to implement search systems with MCP #catalks
quiver
11
5.2k
CBになったのでEKSのこともっと知ってもらいたい!
daitak
1
160
7,000名規模の​ 人材サービス企業における​ プロダクト戦略・戦術と課題​ / Product strategy, tactics and challenges for a 7,000-employee staffing company
techtekt
0
270
Spring Bootで実装とインフラをこれでもかと分離するための試み
shintanimoto
7
640
OSSコントリビュートをphp-srcメンテナの立場から語る / OSS Contribute
sakitakamachi
0
1.3k

Featured

See All Featured
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Fontdeck: Realign not Redesign
paulrobertlloyd
83
5.5k
Site-Speed That Sticks
csswizardry
5
480
How to Ace a Technical Interview
jacobian
276
23k
Docker and Python
trallard
44
3.3k
Being A Developer After 40
akosma
91
590k
Visualization
eitanlees
146
16k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
30k
Making the Leap to Tech Lead
cromwellryan
133
9.2k
RailsConf 2023
tenderlove
30
1.1k
Done Done
chrislema
183
16k
4 Signs Your Business is Dying
shpigford
183
22k

Transcript

  1. OAuth 2.0 for Browser-Based Apps draft-ietf-oauth-browser-based-apps-06 Aaron Parecki OAuth Security

    Workshop July 22, 2020

  2. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Native Apps https://tools.ietf.org/html/rfc8252

  3. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

  4. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020

  5. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps • Includes recommendations for implementors building 
 browser-based apps using OAuth 2.0 • "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"

  6. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps Build off the Security BCP, adding specifics that are unique to the browser environment GOAL

  7. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Recommendations • MUST NOT return access tokens in the front channel 
 (e.g. no Implicit flow) • MUST use only exact registered redirect URIs • The AS MUST require an exact match of the redirect URI • The AS MUST issue one-time-use refresh tokens • The AS MUST either set a max lifetime on refresh tokens or expire if they are not used after some time

  8. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Architecture Options • Same-domain apps • JS apps with a dynamic app server backend • JS apps without a backend (e.g. static file hosting)

  9. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Same-Domain Applications • Details of this section still TBD • There are still benefits of OAuth such as easier MFA, 
 avoiding passwords in apps, etc • Thoughts and opinions welcome

  10. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App with a Backend

  11. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App without a Backend

  12. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Another architectural option? • Performing the OAuth flow within a Web Worker to isolate the tokens from the main JavaScript global scope • https://gitlab.com/jimdigriz/oauth2-worker

  13. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Outstanding Work • Collect feedback on the architectural recommendations from people who have deployment experience • Remove details and reference sections that duplicate the Security BCP

  14. Thank you! @aaronpk aaronpk.com oauth.wtf