Targeted Logout - OAuth Security Workshop 2023

Transcript

1. TARGETED LOGOUT FOR OAUTH AND OPENID CONNECT AARON PARECKI OAUTH

   SECURITY WORKSHOP AUGUST 2023

2. LOGGING IN

3. ************ user12 Sign In password strength

4. None
5. None
6. None
7. None
8. None

9. LOGGING IN

10. LOGGING OUT

11. EXISTING LOGOUT-RELATED SPECS Spec OIDC Backchannel Logout Token Revocation CAEP

    "Session Revoked" Signal

12. OIDC BACKCHANNEL LOGOUT Authorization Server Web App Server Web App

    Server Logout Token Logout Token

13. TOKEN REVOCATION Authorization Server OAuth Client Token to revoke

14. CAEP "SESSION REVOKED" Identity Provider Relying Party Subject Identi f

    ier

15. EXISTING LOGOUT-RELATED SPECS Spec OIDC Backchannel Logout Token Revocation CAEP

    "Session Revoked" Signal

16. EXISTING LOGOUT-RELATED SPECS Spec Limitation OIDC Backchannel Logout "Refresh tokens

    issued with o ff line_access SHOULD NOT be revoked" Token Revocation Requires a token as input CAEP "Session Revoked" Signal Is only a signal, not a command, 
 does not guarantee any outcome

17. TYPICAL SOCIAL LOGIN FLOW

18. None
19. None
20. None
21. None
22. None
23. None

24. WHAT SESSIONS + TOKENS ARE CREATED? Web login session on

    accounts.google.com Google ID Token

25. HOW DOES THE APP TALK TO ITS OWN BACKEND? ?

26. https://developers.google.com/identity/sign-in/ios/backend-auth

27. 1. ID Token 2. Access Token

28. Google ID Token App Server Access Token Session

29. Google ID Token App Server Access Token Session

30. Google ID Token App Server Access Token Session

31. ENTERPRISE

32. ENTERPRISE APP ECOSYSTEM Enterprise IdP Chat App Video Conferencing App

    OpenID Connect OpenID Connect Wiki App SAML Payroll App SAML

33. ENTERPRISE APP ECOSYSTEM Enterprise IdP Chat App Web Server ID

    Token iPhone iPad Laptop Access Tokens + Refresh Tokens Video Conferencing App Web Server ID Token Access Tokens + Refresh Tokens Native Chat App Native Video App Native Chat App Native Chat App Native Video App

34. TYPICAL ENTERPRISE LOGIN FLOW

35. None
36. None
37. None
38. None
39. None

40. Web login session on okta.okta.com Slack access + refresh tokens

    ?

41. FROM THE SAAS DEVELOPER POV ENTERPRISE IDPS Enterprise IdP Chat

    App OpenID Connect OpenID Connect SAML SAML Enterprise IdP Enterprise IdP Enterprise IdP Google Login OpenID Connect

42. FROM THE SAAS DEVELOPER POV ENTERPRISE IDPS Enterprise IdP Chat

    App Backend API OpenID Connect OpenID Connect SAML SAML Enterprise IdP Enterprise IdP Enterprise IdP Google Login OpenID Connect Chat App iOS Chat App Desktop Chat App Web

43. OpenID Connect OpenID Connect OpenID Connect/SAML OpenID Connect/SAML App App

    Backend/API Enterprise IdP

44. OpenID Connect OpenID Connect OpenID Connect/SAML OpenID Connect/SAML App App

    Backend/API Enterprise IdP

45. USE CASES

46. END-USER USE CASE GAPS • User lost a device •

    User wants to revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices

47. END-USER USE CASE GAPS • User discovers suspicious activity from

    an app • User wants to revoke all tokens issued to that application across all their devices

48. ENTERPRISE ADMIN USE CASE GAPS • User is removed from

    a group or is terminated • Given a subject (user) identi f ier, revoke all sessions and tokens for that user, at the IdP and across all apps • Optionally distinguish between revoking sessions and revoking o ff line_access tokens

49. ENTERPRISE ADMIN USE CASE GAPS • Application is deprovisioned •

    Given a client (application) identi f ier, revoke all sessions and tokens for all users of the application

50. ENTERPRISE ADMIN USE CASE GAPS • User lost a device

    • Given a device identi f ier, revoke all sessions and tokens for only that device, across all applications that are logged in on that device

51. WHY CAN'T WE DO THIS TODAY? iPhone App Backend/API Enterprise

    IdP

52. WHY CAN'T WE DO THIS TODAY? iPhone App Backend/API Enterprise

    IdP Android Laptop

53. WHY CAN'T WE DO THIS TODAY? iPhone Chat App Backend/API

    Enterprise IdP Video App Backend/API

54. POSSIBLE SOLUTIONS

55. CLIENT INSTANCE IDENTIFIER

56. OpenID Connect OpenID Connect OpenID Connect/SAML Chat App App Backend/API

    Enterprise IdP /authorize?client_id=iphone&client_instance=123456 OpenID Connect/SAML /authorize?client_id=chat_app&client_instance=123456

57. TOKEN EXCHANGE

58. OpenID Connect Access Token + Refresh Token ID Token Chat

    App App Backend/API Enterprise IdP Token Exchange

59. OpenID Connect Access Token + Refresh Token ID Token (

    + optional Refresh Token) Chat App App Backend/API Enterprise IdP Token Exchange Con f iguration Query [email protected] IDP Con f ig issuer, client_id, redirect_uri

60. CONTEXT IS NOW AVAILABLE AT THE ENTERPRISE IDP

61. USE CASE GAPS • User lost a device • Revoke

    all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices • POST /revoke 
 client_instance=123456

62. REVOKE ALL APPS FOR A USER iPhone App Backend/API Enterprise

    IdP Android Laptop client_instance

63. USE CASE GAPS • Application is deprovisioned • Revoke all

    sessions and tokens for all users of a speci f ic application • POST authorization-server.com/revoke 
 client_id=chat_app 
 
 POST example-app.com/revoke 
 client_id=ios

64. REVOKE AN APP iPhone App Backend/API Enterprise IdP Android Laptop

    client_id

65. NEEDS Client Instance 
 Identi f ier Management API (provides

    con f irmation 
 of revocation) ID Token 
 Exchange

66. LET'S TALK! Unconference session! Contact: [email protected] https://linkedin.com/in/aaronparecki