Presented at the OAuth Security Workshop
https://events.oauth.net/2023/08/oauth-security-workshop-2023-2gZNVdvPH0XS
TARGETED LOGOUT FOR OAUTH AND OPENID CONNECT
Aaron Parecki
OAuth Security Workshop, August 2023
LOGGING IN
[Mock login form: username, password with strength meter, Sign In button]
LOGGING OUT
EXISTING LOGOUT-RELATED SPECS
• OIDC Backchannel Logout
• Token Revocation
• CAEP "Session Revoked" Signal
OIDC BACKCHANNEL LOGOUT
[Diagram: the Authorization Server sends a Logout Token to each Web App Server]
TOKEN REVOCATION
[Diagram: the OAuth Client sends the token to revoke to the Authorization Server]
CAEP "SESSION REVOKED"
[Diagram: the Identity Provider sends a Subject Identifier to the Relying Party]
EXISTING LOGOUT-RELATED SPECS
Spec                          | Limitation
OIDC Backchannel Logout       | "Refresh tokens issued with offline_access SHOULD NOT be revoked"
Token Revocation              | Requires a token as input
CAEP "Session Revoked" Signal | Is only a signal, not a command; does not guarantee any outcome
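The first limitation in the table is easiest to see in code. The following is an added example, not code from the talk: it mints an OIDC Back-Channel Logout Token, validates it with the checks the Back-Channel Logout spec requires of a relying party, and then applies the spec's prescribed handling, which ends the session and revokes refresh tokens that were issued without offline_access while leaving offline_access refresh tokens alive. The issuer, client_id, secret, session identifiers and the 120-second freshness window are all assumptions; HS256 with a shared secret is used only so the example runs on the standard library.

```python
# Added example (not from the slides): mint an OIDC Back-Channel Logout Token,
# validate it with the checks Back-Channel Logout 1.0 requires, then apply the
# relying-party handling the spec prescribes, including the rule that refresh
# tokens issued with offline_access SHOULD NOT be revoked. HS256 with a
# constructed shared secret is used only so this runs on the standard library;
# a real RP verifies the OP's signature against its published JWKS.
import base64
import hashlib
import hmac
import json

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SECRET = b"constructed-demo-secret"   # constructed; a real OP signs with an asymmetric key
ISSUER = "https://idp.example.com"     # assumption
CLIENT_ID = "chat_app"                  # the client name used in the talk
MAX_TOKEN_AGE = 120                     # assumption: seconds a logout token is accepted after iat


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def mint_logout_token(sub: str, sid: str, now: int) -> str:
    """OP side. A logout token carries sub and/or sid plus the logout event."""
    header = {"alg": "HS256", "typ": "logout+jwt"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "jti": f"{sid}-{now}",
              "sub": sub, "sid": sid, "events": {LOGOUT_EVENT: {}}}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(_sign(signing_input))


def validate_logout_token(token: str, seen_jti: set, now: int) -> dict:
    """RP side. Raises ValueError on any failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_unb64u(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(parts[0] + "." + parts[1]), _unb64u(parts[2])):
        raise ValueError("bad signature")
    c = json.loads(_unb64u(parts[1]))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("iss/aud mismatch")
    if not isinstance(c.get("iat"), int) or now - c["iat"] > MAX_TOKEN_AGE:
        raise ValueError("iat missing or too old")
    if "sub" not in c and "sid" not in c:
        raise ValueError("sub or sid required")
    if LOGOUT_EVENT not in (c.get("events") or {}):
        raise ValueError("events claim lacks the backchannel-logout member")
    if "nonce" in c:
        raise ValueError("nonce MUST NOT be present")  # stops an ID token being replayed as a logout token
    if not c.get("jti") or c["jti"] in seen_jti:
        raise ValueError("jti missing or replayed")
    seen_jti.add(c["jti"])
    return c


class RelyingParty:
    """Minimal RP: login sessions keyed by the OP's sid, plus refresh tokens."""

    def __init__(self):
        self.sessions = {}        # sid -> sub
        self.refresh_tokens = {}  # token -> {"sid", "sub", "offline_access", "revoked"}
        self.seen_jti = set()

    def login(self, sub, sid, offline_access):
        self.sessions[sid] = sub
        rt = f"rt-{sub}-{sid}-{'offline' if offline_access else 'online'}"
        self.refresh_tokens[rt] = {"sid": sid, "sub": sub, "offline_access": offline_access, "revoked": False}
        return rt

    def is_active(self, rt):
        return not self.refresh_tokens[rt]["revoked"]

    def handle_backchannel_logout(self, token, now):
        c = validate_logout_token(token, self.seen_jti, now)
        if "sid" in c:  # target the named OP session; otherwise every session for sub
            targets = [c["sid"]] if c["sid"] in self.sessions else []
        else:
            targets = [s for s, sub in self.sessions.items() if sub == c["sub"]]
        for s in targets:
            del self.sessions[s]
        revoked = kept = 0
        for rt in self.refresh_tokens.values():
            if rt["sid"] in targets and not rt["revoked"]:
                if rt["offline_access"]:
                    kept += 1          # spec: SHOULD NOT be revoked; this is the gap the talk points at
                else:
                    rt["revoked"] = True
                    revoked += 1
        return {"sessions_ended": len(targets), "refresh_revoked": revoked, "offline_kept": kept}


def try_logout(rp, token, now):
    """Run the handler; return its result, or the validation error text."""
    try:
        return rp.handle_backchannel_logout(token, now)
    except ValueError as err:
        return str(err)
```

After a logout token for sid-1 arrives, the session and the online refresh token for that session are gone, but the offline_access refresh token issued to the same session is still usable: a back-channel logout by itself cannot cut off an app that holds an offline_access grant, which is exactly why the deck goes on to ask for a targeted revocation mechanism.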
TYPICAL SOCIAL LOGIN FLOW
WHAT SESSIONS + TOKENS ARE CREATED?
• Web login session on accounts.google.com
• Google ID Token
HOW DOES THE APP TALK TO ITS OWN BACKEND??
https://developers.google.com/identity/sign-in/ios/backend-auth
1. ID Token
2. Access Token
[Diagram: Google issues an ID Token to the app; the app presents it to the App Server, which issues its own Access Token / Session to the app]
ENTERPRISE
ENTERPRISE APP ECOSYSTEM
[Diagram: the Enterprise IdP federates to a Chat App and a Video Conferencing App over OpenID Connect, and to a Wiki App and a Payroll App over SAML]
ENTERPRISE APP ECOSYSTEM
[Diagram: the Enterprise IdP issues an ID Token to each app's Web Server (Chat App, Video Conferencing App); each Web Server in turn issues Access Tokens + Refresh Tokens to the native Chat and Video apps installed on the user's iPhone, iPad and Laptop]
TYPICAL ENTERPRISE LOGIN FLOW
• Web login session on okta.okta.com
• Slack access + refresh tokens?
FROM THE SAAS DEVELOPER POV: ENTERPRISE IDPS
[Diagram: one Chat App connected to many Enterprise IdPs, some over OpenID Connect and some over SAML, plus Google Login over OpenID Connect]
FROM THE SAAS DEVELOPER POV: ENTERPRISE IDPS
[Diagram: the same set of Enterprise IdPs and Google Login, now terminating at the Chat App's Backend API; the Chat App iOS, Desktop and Web clients talk only to that Backend API]
[Diagram: App <-> App Backend/API over OpenID Connect; App Backend/API <-> Enterprise IdP over OpenID Connect/SAML]
USE CASES
END-USER USE CASE GAPS
• User lost a device
• User wants to revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices
END-USER USE CASE GAPS
• User discovers suspicious activity from an app
• User wants to revoke all tokens issued to that application across all their devices
ENTERPRISE ADMIN USE CASE GAPS
• User is removed from a group or is terminated
• Given a subject (user) identifier, revoke all sessions and tokens for that user, at the IdP and across all apps
• Optionally distinguish between revoking sessions and revoking offline_access tokens
ENTERPRISE ADMIN USE CASE GAPS
• Application is deprovisioned
• Given a client (application) identifier, revoke all sessions and tokens for all users of the application
ENTERPRISE ADMIN USE CASE GAPS
• User lost a device
• Given a device identifier, revoke all sessions and tokens for only that device, across all applications that are logged in on that device
WHY CAN'T WE DO THIS TODAY?
[Diagram: iPhone -> App Backend/API -> Enterprise IdP. The IdP only ever sees the App Backend/API as its client; nothing in the flow identifies the device]
[Diagram: iPhone, Android and Laptop all behind the same App Backend/API -> Enterprise IdP. Every device's tokens look the same at the IdP]
[Diagram: one iPhone running the Chat App and the Video App, each with its own Backend/API in front of the Enterprise IdP. Revoking the device means going to each app's backend separately]
POSSIBLE SOLUTIONS
CLIENT INSTANCE IDENTIFIER
[Diagram: the Chat App calls its App Backend/API with /authorize?client_id=iphone&client_instance=123456 (OpenID Connect); the App Backend/API calls the Enterprise IdP with /authorize?client_id=chat_app&client_instance=123456 (OpenID Connect/SAML). The same client_instance value is carried through both hops]
TOKEN EXCHANGE
[Diagram: the App Backend/API obtains an ID Token from the Enterprise IdP, then performs a Token Exchange with the Enterprise IdP to obtain an Access Token + Refresh Token, which it hands to the Chat App over OpenID Connect]
[Diagram: as above, with the IdP returning an ID Token (+ optional Refresh Token), plus a Configuration Query step in which the app looks up the user's IdP Config (issuer, client_id, redirect_uri) from their address [email protected]]
CONTEXT IS NOW AVAILABLE AT THE ENTERPRISE IDP
USE CASE GAPS
• User lost a device
• Revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices
• POST /revoke client_instance=123456
REVOKE ALL APPS FOR A USER
[Diagram: iPhone, Android and Laptop behind the App Backend/API and the Enterprise IdP; revocation targeted by client_instance]
USE CASE GAPS
• Application is deprovisioned
• Revoke all sessions and tokens for all users of a specific application
• POST authorization-server.com/revoke client_id=chat_app
• POST example-app.com/revoke client_id=ios
REVOKE AN APP
[Diagram: iPhone, Android and Laptop behind the App Backend/API and the Enterprise IdP; revocation targeted by client_id]
NEEDS
• Client Instance Identifier
• Management API (provides confirmation of revocation)
• ID Token Exchange
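The three needs above fit together in a small model. What follows is an added example, not code from the talk or from any published spec: it carries the proposed client_instance from the native app's /authorize request through the app backend into an RFC 8693 token-exchange request at the enterprise IdP, records it on every grant at both parties, and then serves the lost-device, terminated-user and deprovisioned-app cases by revoking on client_instance, sub or client_id rather than on a token the caller must already hold (the RFC 7009 contrast from the limitations table). The client_instance parameter, its presence in the token-exchange body, and the revoke-by-field management call are the talk's proposals; the hosts, client_ids, subjects and device identifiers are constructed.

```python
# Added example (not from the talk): an in-memory model of the proposed
# client_instance identifier, carried from the native app to its backend and
# on to the enterprise IdP, and the targeted revocation it makes possible.
# client_instance, its extension of the token-exchange body, and
# revoke-by-instance/by-client/by-subject are the talk's proposals, not a
# published spec; every host, client_id, subject and device id is constructed.
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"               # RFC 8693


@dataclass
class Grant:
    sub: str                        # user
    client_id: str                  # application, as registered at this party
    client_instance: Optional[str]  # device / installation (proposed)
    revoked: bool = False


class TokenStore:
    """Refresh-token store kept by one party (the app backend or the IdP)."""

    def __init__(self, name: str):
        self.name = name
        self.grants: dict[str, Grant] = {}

    def issue(self, sub, client_id, client_instance) -> str:
        rt = secrets.token_urlsafe(16)
        self.grants[rt] = Grant(sub, client_id, client_instance)
        return rt

    def is_active(self, rt: str) -> bool:
        g = self.grants.get(rt)
        return g is not None and not g.revoked

    def revoke_token(self, rt: str) -> int:
        """RFC 7009 style: the caller must already hold the token."""
        g = self.grants.get(rt)
        if g is None or g.revoked:
            return 0
        g.revoked = True
        return 1

    def revoke_where(self, **match) -> int:
        """Proposed management API: revoke by sub, client_id or client_instance
        without holding any token. The count is the caller's confirmation."""
        n = 0
        for g in self.grants.values():
            if not g.revoked and all(getattr(g, k) == v for k, v in match.items()):
                g.revoked, n = True, n + 1
        return n


def parse_authorize_request(url: str):
    """Extract client_id and the proposed client_instance from an /authorize URL."""
    q = parse_qs(urlsplit(url).query)
    if "client_id" not in q:
        raise ValueError("client_id is required")
    return q["client_id"][0], q.get("client_instance", [None])[0]


def token_exchange_body(id_token, client_id, client_instance):
    """Form body the app backend POSTs to the IdP token endpoint: an RFC 8693
    exchange of the user's ID token, plus the proposed client_instance."""
    body = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": id_token,
            "subject_token_type": ID_TOKEN_TYPE, "client_id": client_id}
    if client_instance:
        body["client_instance"] = client_instance
    return body


def login(idp, backend, sub, device, native_client_id, backend_client_id="chat_app"):
    """One login from one device: native app -> app backend -> enterprise IdP."""
    url = f"https://example-app.com/authorize?client_id={native_client_id}&client_instance={device}"
    cid, inst = parse_authorize_request(url)
    # The backend completes OIDC with the IdP (elided) and exchanges the resulting
    # ID token so that the IdP, not only the backend, records which device this is.
    req = token_exchange_body(f"idtoken-for-{sub}", backend_client_id, inst)
    idp_rt = idp.issue(sub, req["client_id"], req.get("client_instance"))
    app_rt = backend.issue(sub, cid, inst)
    return idp_rt, app_rt


def scenario():
    """Three logins, then the three admin use cases from the talk."""
    idp, backend = TokenStore("enterprise-idp"), TokenStore("app-backend")
    alice_phone = login(idp, backend, "alice", "123456", "ios")
    alice_laptop = login(idp, backend, "alice", "777777", "desktop")
    bob_phone = login(idp, backend, "bob", "999999", "ios")
    active = lambda pair: idp.is_active(pair[0]) and backend.is_active(pair[1])

    lost_device = {s.name: s.revoke_where(client_instance="123456") for s in (idp, backend)}
    after_lost = {"alice_phone": active(alice_phone), "alice_laptop": active(alice_laptop),
                  "bob_phone": active(bob_phone)}
    terminated = idp.revoke_where(sub="bob") + backend.revoke_where(sub="bob")
    deprovisioned = idp.revoke_where(client_id="chat_app") + sum(
        backend.revoke_where(client_id=c) for c in ("ios", "desktop"))
    return {"lost_device": lost_device, "after_lost": after_lost, "terminated": terminated,
            "deprovisioned": deprovisioned,
            "all_revoked": not any(s.is_active(rt) for s in (idp, backend) for rt in s.grants)}
```

Revoking the lost iPhone touches exactly one grant at each party and leaves Alice's laptop and Bob's phone working, which is the "only that device" requirement; the same store answers the terminated-user and deprovisioned-app cases with one call each. Nothing here depends on the native app ever presenting its own tokens, which is what the token-as-input limitation of RFC 7009 makes impossible today.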
LET'S TALK!
Unconference session!
Contact: [email protected]
https://linkedin.com/in/aaronparecki