$30 off During Our Annual Pro Sale. View Details »

Protecting Single-Page Apps using OAuth

Aaron Parecki
July 22, 2020
Technology
0
400

Protecting Single-Page Apps using OAuth

https://aaronparecki.com/2020/07/22/7/

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
Targeted Logout - OAuth Security Workshop 2023
aaronpk
0
83
Enterprise-Ready: Going Beyond MVP
aaronpk
0
300
App Integrity Attestations for OAuth - OAuth Security Workshop 2022
aaronpk
0
690
Intro to OAuth - IETF 110
aaronpk
0
160
OAuth 101 - Internet Identity Workshop XXXI
aaronpk
0
580
What's New with OAuth and OpenID Connect - API Days Australia
aaronpk
2
350
How to Think about OAuth Security - Disclosure 2020
aaronpk
1
210
OAuth 2.1 - OAuth Security Workshop
aaronpk
0
830
The State of OAuth
aaronpk
0
220

Other Decks in Technology

See All in Technology
re:Invent2023で登場した運用開発用の可視化ツールたちを実際に見てみよう
yoshimi0227
0
350
2023년의 딥러닝과 LLM 생태계
inureyes
PRO
0
1k
AWS Security Hubを有効化したけど見てない人に向けたDevSecOpsの実現方法 / #kayac_andpad_event
muziyoshiz
0
210
18行のLinuxカーネルモジュールを 作ってみる
sat
PRO
1
110
朝起こしてくれるメイドさんが欲しい (LT) - NIFTY Tech Day 2023
niftycorp
1
120
AWS re:Invent 2023の期間中に出たコンテナアップデート集
yoshiitaka
3
320
10分でわかる株式会社ログラス − エンジニア向け会社説明資料 / Loglass in 10 min for Engineers
loglass2019
2
870
継続的なコツコツ技術広報とブランディング磨き込みの過程と課題/engineering-brand
nishiuma
0
110
分散ストレージはすごいぞ
sat
PRO
1
440
DMMオンラインサロン エンジニア採用資料/ for-software-engineers
onlinesalon
0
3.6k
生成AIでシステム開発はどう変わるか
etaroid
18
7.8k
GoのProtocプラグインを活用した効率的な負荷試験戦略 / Efficient Load Testing Strategies Utilizing the Go Protoc Plugin
biwashi
0
120

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
236
10k
Designing the Hi-DPI Web
ddemaree
274
33k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
900
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
Visualization
eitanlees
131
13k
The Mythical Team-Month
searls
214
41k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
750
Gamification - CAS2011
davidbonilla
75
4.4k
Three Pipe Problems
jasonvnalue
89
9.3k
How STYLIGHT went responsive
nonsquared
89
4.5k
Scaling GitHub
holman
455
140k

Transcript

  1. OAuth 2.0 for Browser-Based Apps
    draft-ietf-oauth-browser-based-apps-06
    Aaron Parecki
    OAuth Security Workshop

    July 22, 2020

    View Slide

  2. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    OAuth 2.0 for Native Apps
    https://tools.ietf.org/html/rfc8252

    View Slide

  3. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    OAuth 2.0 for Browser-Based Apps
    https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

    View Slide

  4. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020

    View Slide

  5. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    OAuth 2.0 for Browser-Based Apps
    • Includes recommendations for implementors building 

    browser-based apps using OAuth 2.0

    • "Browser-based apps" are defined as applications running in a browser,
    aka "SPA" or "single-page apps"

    View Slide

  6. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    OAuth 2.0 for Browser-Based Apps
    Build off the Security BCP, adding specifics that are
    unique to the browser environment
    GOAL

    View Slide

  7. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    Recommendations
    • MUST NOT return access tokens in the front channel 

    (e.g. no Implicit flow)

    • MUST use only exact registered redirect URIs

    • The AS MUST require an exact match of the redirect URI

    • The AS MUST issue one-time-use refresh tokens

    • The AS MUST either set a max lifetime on refresh tokens or expire if they
    are not used after some time

    View Slide

  8. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    Architecture Options
    • Same-domain apps

    • JS apps with a dynamic app server backend

    • JS apps without a backend (e.g. static file hosting)

    View Slide

  9. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    Same-Domain Applications
    • Details of this section still TBD

    • There are still benefits of OAuth such as easier MFA, 

    avoiding passwords in apps, etc

    • Thoughts and opinions welcome

    View Slide

  10. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    JavaScript App with a Backend

    View Slide

  11. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    JavaScript App without a Backend

    View Slide

  12. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    Another architectural option?
    • Performing the OAuth flow within a Web Worker to isolate the tokens from
    the main JavaScript global scope

    • https://gitlab.com/jimdigriz/oauth2-worker

    View Slide

  13. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
    Outstanding Work
    • Collect feedback on the architectural recommendations from people who
    have deployment experience

    • Remove details and reference sections that duplicate the Security BCP

    View Slide

  14. Thank you!
    @aaronpk
    aaronpk.com

    oauth.wtf

    View Slide