Targeted Logout - OAuth Security Workshop 2023

Aaron Parecki

August 24, 2023

Transcript

  1. TARGETED LOGOUT
    FOR OAUTH AND OPENID CONNECT
    AARON PARECKI
    OAUTH SECURITY WORKSHOP
    AUGUST 2023

  2. LOGGING IN

  3. (Login form mockup: username "user12", masked password "************", a password strength meter and a "Sign In" button.)

  4.–8. (Image-only slides with no text.)

  9. LOGGING IN

  10. LOGGING OUT

  11. EXISTING LOGOUT-RELATED SPECS
    Spec
    OIDC Backchannel Logout
    Token Revocation
    CAEP "Session Revoked" Signal

  12. OIDC BACKCHANNEL LOGOUT
    (Diagram: the Authorization Server sends a Logout Token to each Web App Server.)

  13. TOKEN REVOCATION
    (Diagram: the OAuth Client sends the token to revoke to the Authorization Server.)

  14. CAEP "SESSION REVOKED"
    (Diagram: the Identity Provider sends a Subject Identifier to the Relying Party.)

  15. EXISTING LOGOUT-RELATED SPECS
    (Repeat of slide 11.)

  16. EXISTING LOGOUT-RELATED SPECS
    Spec                           Limitation
    OIDC Backchannel Logout        "Refresh tokens issued with offline_access SHOULD NOT be revoked"
    Token Revocation               Requires a token as input
    CAEP "Session Revoked" Signal  Is only a signal, not a command, does not guarantee any outcome

  17. TYPICAL SOCIAL LOGIN FLOW

  18.–23. (Image-only slides with no text.)

  24. WHAT SESSIONS + TOKENS ARE CREATED?
    Web login session on accounts.google.com
    Google ID Token

  25. HOW DOES THE APP TALK TO ITS OWN BACKEND?
    ?

  26. https://developers.google.com/identity/sign-in/ios/backend-auth

  27. 1. ID Token
    2. Access Token

  28.–30. (Diagram built up over three slides: Google issues an ID Token to the App Server; the App Server in turn hands the app an Access Token or a Session.)

  31. ENTERPRISE

  32. ENTERPRISE APP ECOSYSTEM
    (Diagram: an Enterprise IdP federated to a Chat App and a Video Conferencing App via OpenID Connect, and to a Wiki App and a Payroll App via SAML.)

  33. ENTERPRISE APP ECOSYSTEM
    (Diagram: the Enterprise IdP issues an ID Token to the Chat App Web Server and to the Video Conferencing App Web Server; each web server then issues Access Tokens + Refresh Tokens to its Native Chat App or Native Video App instances on an iPhone, an iPad and a Laptop.)

  34. TYPICAL ENTERPRISE LOGIN FLOW

  35.–39. (Image-only slides with no text.)

  40. Web login session on okta.okta.com
    Slack access + refresh tokens
    ?

  41. FROM THE SAAS DEVELOPER POV
    ENTERPRISE IDPS
    (Diagram: one Chat App federated to several Enterprise IdPs over OpenID Connect and SAML, and to Google Login over OpenID Connect.)

  42. FROM THE SAAS DEVELOPER POV
    ENTERPRISE IDPS
    (Diagram: as slide 41, with the Chat App's Backend API between the IdPs and the iOS, Desktop and Web Chat App clients.)

  43. App -> (OpenID Connect) -> App Backend/API -> (OpenID Connect/SAML) -> Enterprise IdP

  44. (Repeat of slide 43.)

  45. USE CASES

  46. END-USER
    USE CASE GAPS
    • User lost a device
    • User wants to revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices

  47. END-USER
    USE CASE GAPS
    • User discovers suspicious activity from an app
    • User wants to revoke all tokens issued to that application across all their devices

  48. ENTERPRISE ADMIN
    USE CASE GAPS
    • User is removed from a group or is terminated
    • Given a subject (user) identifier, revoke all sessions and tokens for that user, at the IdP and across all apps
    • Optionally distinguish between revoking sessions and revoking offline_access tokens

  49. ENTERPRISE ADMIN
    USE CASE GAPS
    • Application is deprovisioned
    • Given a client (application) identifier, revoke all sessions and tokens for all users of the application

  50. ENTERPRISE ADMIN
    USE CASE GAPS
    • User lost a device
    • Given a device identifier, revoke all sessions and tokens for only that device, across all applications that are logged in on that device

  51. WHY CAN'T WE DO THIS TODAY?
    iPhone -> App Backend/API -> Enterprise IdP

  52. WHY CAN'T WE DO THIS TODAY?
    iPhone, Android, Laptop -> App Backend/API -> Enterprise IdP

  53. WHY CAN'T WE DO THIS TODAY?
    iPhone -> Chat App Backend/API -> Enterprise IdP
    iPhone -> Video App Backend/API -> Enterprise IdP

  54. POSSIBLE SOLUTIONS

  55. CLIENT INSTANCE IDENTIFIER

  56. Chat App -> App Backend/API (OpenID Connect):
    /authorize?client_id=iphone&client_instance=123456
    App Backend/API -> Enterprise IdP (OpenID Connect/SAML):
    /authorize?client_id=chat_app&client_instance=123456

  57. TOKEN EXCHANGE

  58. (Diagram: Chat App, App Backend/API and Enterprise IdP, labelled OpenID Connect, ID Token, Token Exchange, Access Token + Refresh Token.)

  59. (Diagram as slide 58, with two additions: the exchanged ID Token may come with an optional Refresh Token, and a Configuration Query for [email protected] returns the IdP Config: issuer, client_id, redirect_uri.)

  60. CONTEXT IS NOW AVAILABLE AT THE ENTERPRISE IDP

  61. USE CASE GAPS
    • User lost a device
    • Revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices
    • POST /revoke
      client_instance=123456

  62. REVOKE ALL APPS FOR A USER
    iPhone, Android, Laptop -> App Backend/API -> Enterprise IdP
    (revocation keyed on client_instance)

  63. USE CASE GAPS
    • Application is deprovisioned
    • Revoke all sessions and tokens for all users of a specific application
    • POST authorization-server.com/revoke
      client_id=chat_app
      POST example-app.com/revoke
      client_id=ios

  64. REVOKE AN APP
    iPhone, Android, Laptop -> App Backend/API -> Enterprise IdP
    (revocation keyed on client_id)

  65. NEEDS
    Client Instance Identifier
    Management API (provides confirmation of revocation)
    ID Token Exchange
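The store below is an added example, not part of Parecki's deck or of any published spec. It shows how an authorization server that records the subject, client_id and the deck's proposed (hypothetical) client_instance value for every issued token can carry out the targeted revocations of slides 48, 61 and 63 and return a count as confirmation, which the existing Token Revocation endpoint (RFC 7009), keyed on a single token, cannot. All token values, users and instance ids are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One issued token plus the context the deck wants available at the IdP."""
    token: str
    sub: str              # subject (user) identifier
    client_id: str        # application identifier
    client_instance: str  # hypothetical per-device id, as in the deck's /authorize proposal
    offline: bool         # True for a refresh token issued with offline_access

class RevocationStore:
    def __init__(self):
        self._grants = {}
    def issue(self, g: Grant):
        self._grants[g.token] = g
    def active_tokens(self):
        return set(self._grants)
    def revoke_token(self, token: str) -> int:
        """Token Revocation as it exists today: the caller must already hold the token."""
        return 1 if self._grants.pop(token, None) else 0
    def revoke_where(self, *, sub=None, client_id=None, client_instance=None,
                     keep_offline=False) -> int:
        """Targeted revocation by subject, application and/or device; returns the count removed."""
        if sub is None and client_id is None and client_instance is None:
            raise ValueError("refusing to revoke everything: give at least one selector")
        def hit(g: Grant) -> bool:
            return ((sub is None or g.sub == sub)
                    and (client_id is None or g.client_id == client_id)
                    and (client_instance is None or g.client_instance == client_instance)
                    and not (keep_offline and g.offline))   # slide 48: keep offline_access tokens
        doomed = [t for t, g in self._grants.items() if hit(g)]
        for t in doomed:
            del self._grants[t]
        return len(doomed)

def build_store() -> RevocationStore:
    """Constructed sample: alice on a phone (instance 123456) and a laptop (789), bob on his phone."""
    store = RevocationStore()
    for tok, sub, cid, inst, off in [
        ("t1", "alice", "chat_app", "123456", False),   # session-backed access token
        ("t2", "alice", "chat_app", "123456", True),    # offline_access refresh token
        ("t3", "alice", "video_app", "123456", True),
        ("t4", "alice", "chat_app", "789", True),
        ("t5", "bob", "chat_app", "555", True),
    ]:
        store.issue(Grant(tok, sub, cid, inst, off))
    return store
```

Revoking by client_instance="123456" removes every app's tokens on the lost phone while alice's laptop and bob's phone keep theirs; revoking by client_id="chat_app" clears the deprovisioned app for all users and devices.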

  66. LET'S TALK!
    Unconference session!
    Contact:
    [email protected]
    https://linkedin.com/in/aaronparecki