The State of OAuth

Transcript

1. The State of OAuth
   Aaron Parecki
   Senior Security Architect, Okta
   
   Interface API Days • June 2020
   

   View Slide

2. @aaronpk
   June 2020
   oauth.net/2
   

   View Slide

3. @aaronpk
   June 2020
   The State of OAuth 2.0
   RFC6749 OAuth Core
   Authorization Code
   Implicit
   Password
   Client Credentials
   Grant Types
   

   View Slide

4. @aaronpk
   June 2020
   

   View Slide

5. @aaronpk
   June 2020
   The State of OAuth 2.0
   RFC6749 OAuth Core
   Authorization Code
   Implicit
   Password
   Client Credentials
   Grant Types
   RFC6750 Bearer Tokens
   Token Usage
   Tokens in HTTP Header
   Tokens in POST Form Body
   Tokens in GET Query String
   

   View Slide

6. @aaronpk
   June 2020
   

   View Slide

7. @aaronpk
   June 2020
   OAuth Server OAuth Client
   Passing Data via the Front Channel
   Did they catch 

   it? Did someone else 

   steal it?
   Is this really 

   from the real 

   OAuth server?
   

   View Slide

8. @aaronpk
   June 2020
   The State of OAuth 2.0
   RFC6749 OAuth Core
   Authorization Code
   Implicit
   Password
   Client Credentials
   RFC6750 Bearer Tokens
   RFC7636
   +PKCE
   Tokens in HTTP Header
   Tokens in POST Form Body
   Tokens in GET Query String
   

   View Slide

9. @aaronpk
   June 2020
   The State of OAuth 2.0
   RFC6749 OAuth Core
   Authorization Code
   Implicit
   Password
   Client Credentials
   RFC6750 Bearer Tokens
   RFC7636
   +PKCE
   RFC8252
   PKCE for mobile
   Tokens in HTTP Header
   Tokens in POST Form Body
   Tokens in GET Query String
   

   View Slide

10. @aaronpk
    June 2020
    The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    

    View Slide

11. @aaronpk
    June 2020
    

    View Slide

12. @aaronpk
    June 2020
    https://example.com
    https://app.example.com
    https://auth.example
    GET /
    HTML, CSS, etc
    POST /token
    access token
    CORS
    

    View Slide

13. @aaronpk
    June 2020
    caniuse.com/cors
    

    View Slide

14. @aaronpk
    June 2020
    The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    

    View Slide

15. @aaronpk
    June 2020
    The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    

    View Slide

16. @aaronpk
    June 2020
    OAuth 2.0 for Browser-Based Apps
    

    View Slide

17. @aaronpk
    June 2020
    OAuth 2.0 for Browser-Based Apps
    

    View Slide

18. @aaronpk
    June 2020
    The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    PKCE for
    confidential
    clients
    Security BCP
    

    View Slide

19. @aaronpk
    June 2020
    Password
    oauth.net/2/oauth-best-practice
    

    View Slide

20. @aaronpk
    June 2020
    Password
    oauth.net/2/oauth-best-practice
    • Added to OAuth to enable migrating applications from HTTP Basic Auth or using
    a stored password to OAuth
    

    View Slide

21. @aaronpk
    June 2020
    Password
    • Exposes the username and password to the application
    
    • Even for first-party / trusted clients, this increases the attack surface
    
    • Trains users that it's okay to enter their password in more than one place
    
    • Difficult or impossible to extend to support multifactor or passwordless
    authentication (WebCrypto, WebAuthn)
    

    View Slide

22. @aaronpk
    June 2020
    OAuth 2.0 Security BCP
    • All OAuth clients MUST use PKCE with the authorization code flow
    
    • Password grant MUST NOT be used
    
    • Use exact string matching for redirect URIs
    
    • No access tokens in query strings
    
    • Refresh tokens for public clients must be 

    sender-constrained or one-time use
    oauth.net/2/oauth-best-practice
    

    View Slide

23. @aaronpk
    June 2020
    In-Progress Work
    • JWT Profile for Access Tokens
    
    • DPoP (Proof of Possession)
    

    View Slide

24. @aaronpk
    June 2020
    JWT Profile for Access Tokens
    oauth.net/2/jwt-access-tokens
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiO
    iJodHRwczovL2F1dGhvcml6YXRpb24tc2VydmVyLmV4YW1
    wbGUuY29tLyIsInN1YiI6IiA1YmE1NTJkNjciLCJhdWQiO
    iJodHRwczovL3JzLmV4YW1wbGUuY29tLyIsImV4cCI6MTU
    5MzQ4NjY0OCwiY2xpZW50X2lkIjoiczZCaGRSa3F0M18iL
    CJzY29wZSI6Im9wZW5pZCBwcm9maWxlIHJlYWRlbWFpbCI
    sImp0aSI6IjAxODEwMmE1LTkzYmQtNDE0OC05ODI2LThlY
    TE3NTBjMjMyNiIsImlhdCI6MTU5MzQ4MzA0OH0.lWWmEU2
    kxTtlwu5TOTkXa7e7ZUNd0WbKtsef7EuJyB8
    

    View Slide

25. @aaronpk
    June 2020
    JWT Profile for Access Tokens
    oauth.net/2/jwt-access-tokens
    {"typ":"at+JWT","alg":"RS256","kid":"RjEwOwOA"}
    {
    "iss": "https://authorization-server.example.com/",
    "sub": " 5ba552d67",
    "aud": "https://rs.example.com/",
    "exp": 1544645174,
    "client_id": "s6BhdRkqt3_",
    "scope": "openid profile reademail"
    }
    

    View Slide

26. @aaronpk
    June 2020
    DPoP
    oauth.net/2/dpop
    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik
    VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR
    nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE
    QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIj
    oiUE9TVCIsImh0dSI6Imh0dHBzOi8vc2VydmVyLmV4YW1wbGUuY29tL3Rva2VuIiwia
    WF0IjoxNTYyMjYyNjE2fQ.2-GxA6T8lP4vfrg8v-FdWP0A0zdrj8igiMLvqRMUvwnQg
    4PtFLbdLXiOSsX0x7NVY-FNyJK70nfbV37xRZT3Lg
    grant_type=authorization_code
    &code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    &code_verifier=bEaL42izcC-o-xBk0K2vuJ6U-y1p9r_wW2dFWIWgjz-
    

    View Slide

27. @aaronpk
    June 2020
    New OAuth Extensions
    • Rich Authorization Requests (RAR)
    
    • Pushed Authorization Requests (PAR)
    
    • JWT Authorization Requests (JAR)
    

    View Slide

28. @aaronpk
    June 2020
    Rich Authorization Requests (RAR)
    • OAuth "scope" is limited to fixed lists of scopes
    
    • Need a way to authorize fine-grained transactions or resources
    
    • and present that to the user in the authorization interface
    oauth.net/2/rich-authorization-requests
    

    View Slide

29. @aaronpk
    June 2020
    Pay Merchant123 €123.50 

    from your account ending in 8603
    

    View Slide

30. @aaronpk
    June 2020
    Rich Authorization Requests (RAR)
    oauth.net/2/rich-authorization-requests
    

    View Slide

31. @aaronpk
    June 2020
    Pushed Authorization Requests (PAR)
    • Currently, the authorization request is sent in the front-channel
    
    • Front-channel is susceptible to inspection and modification
    
    • PAR initiates the OAuth flow from the back-channel
    oauth.net/2/pushed-authorization-requests
    

    View Slide

32. @aaronpk
    June 2020
    Pushed Authorization Requests (PAR)
    GET /authorize?response_type=code
    &client_id=s6BhdRkqt3&state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
    Host: as.example.com
    POST /as/par HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
    response_type=code
    &client_id=s6BhdRkqt3&state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    Instead of:
    Push the request to the AS:
    oauth.net/2/pushed-authorization-requests
    

    View Slide

33. @aaronpk
    June 2020
    Pushed Authorization Requests (PAR)
    {
    "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2",
    "expires_in": 90
    }
    GET /authorize?request_uri=
    urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2 HTTP/1.1
    AS responds with a URL:
    User visits that URL, authorization request details are hidden!
    oauth.net/2/pushed-authorization-requests
    

    View Slide

34. @aaronpk
    June 2020
    JWT Authorization Requests (JAR)
    • Create a signed JWT with the authorization request details
    
    • Prevents front-channel tampering with the request, similar to PAR
    
    • Authenticates the request so the AS knows the client really did initiate it
    tools.ietf.org/html/draft-ietf-oauth-jwsreq
    

    View Slide

35. @aaronpk
    June 2020
    JWT Authorization Requests (JAR)
    {
    "iss": "s6BhdRkqt3",
    "aud": "https://server.example.com",
    "response_type": "code id_token",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "max_age": 86400
    }
    eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ewogICAgImlzcyI6ICJzNkJoZF
    JrcXQzIiwKICAgICJhdWQiOiAiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLAog
    ICAgInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsCiAgICAiY2xpZW50X2
    lkIjogInM2QmhkUmtxdDMiLAogICAgInJlZGlyZWN0X3VyaSI6ICJodHRwczovL2Ns
    aWVudC5leGFtcGxlLm9yZy9jYiIsCiAgICAic2NvcGUiOiAib3BlbmlkIiwKICAgIC
    JzdGF0ZSI6ICJhZjBpZmpzbGRraiIsCiAgICAibm9uY2UiOiAibi0wUzZfV3pBMk1q
    IiwKICAgICJtYXhfYWdlIjogODY0MDAKfQ.Nsxa_18VUElVaPjqW_ToI1yrEJ67BgK
    b5xsuZRVqzGkfKrOIX7BCx0biSxYGmjK9KJPctH1OC0iQJwXu5YVY-vnW0_PLJb1C2
    HG-ztVzcnKZC2gE4i0vgQcpkUOCpW3SEYXnyWnKzuKzqSb1wAZALo5f89B_p6QA6j6
    JwBSRvdVsDPdulW8lKxGTbH82czCaQ50rLAg3EYLYaCb4ik4I1zGXE4fvim9FIMs8O
    CMmzwIB5S-ujFfzwFjoyuPEV4hJnoVUmXR_W9typPf846lGwA8h9G9oNTIuX8Ft2jf
    pnZdFmLg3_wr3Wa5q3a-lfbgF3S9H_8nN3j1i7tLR_5Nz-g
    tools.ietf.org/html/draft-ietf-oauth-jwsreq
    

    View Slide

36. @aaronpk
    June 2020
    JWT Authorization Requests (JAR)
    https://server.example.com/authorize?request=eyJhbGciOiJS...
    Either passed by value in the URL:
    https://server.example.com/authorize?request_uri=https://example.org/r...
    ...by reference in the URL:
    POST https://server.example.com/authorize
    request=eyJhbGciOiJS...
    ...or pushed using PAR:
    tools.ietf.org/html/draft-ietf-oauth-jwsreq
    

    View Slide

37. @aaronpk
    June 2020
    RFC6749
    RFC6750
    CLIENT TYPE
    AUTH
    GRANT TYPE
    RFC6819
    RFC7009
    RFC7592
    RFC7662
    RFC7636
    RFC7591
    RFC7519
    BUILDING YOUR APPLICATION
    RFC8252
    OIDC
    RFC8414
    STATE
    TLS
    CSRF
    UMA 2
    FAPI
    RFC7515
    RFC7516
    RFC7517
    RFC7518
    TOKEN
    POP
    SECURITY BCP
    CIBA
    HTTP SIGNING
    MUTUAL TLS SPA BCP
    JARM
    JAR
    TOKEN
    DPOP
    PAR
    

    View Slide

38. @aaronpk
    June 2020
    The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    PKCE for
    confidential
    clients
    Security BCP
    

    View Slide

39. @aaronpk
    June 2020
    OAuth 2.1
    Authorization Code
    Client Credentials
    +PKCE
    Tokens in HTTP Header
    Tokens in POST Form Body
    

    View Slide

40. OAuth 2.1
    oauth.net/2.1
    

    View Slide

41. @aaronpk
    June 2020
    OAuth 2.1
    Consolidate the OAuth 2.0 specs,

    adding best practices, 

    removing deprecated features
    
    Capture current best practices in OAuth
    2.0 under a single name
    
    Add references to extensions that didn't
    exist when OAuth 2.0 was published
    

    View Slide

42. @aaronpk
    June 2020
    OAuth 2.1
    No new behavior defined by OAuth 2.1
    Non-Goals:
    Don't include anything experimental, 

    in progress or not widely implemented
    

    View Slide

43. @aaronpk
    June 2020
    OAuth 2.1
    RFC6749 - OAuth 2.0 Core
    
    RFC6750 - Bearer Token Usage
    
    RFC7636 - PKCE
    
    Native App & Browser-Based App BCPs
    
    Security BCP
    
    • MUST support PKCE for all OAuth clients
    
    • No password grant
    
    • No implicit flow
    
    • Exact string matching for redirect URIs
    
    • No access tokens in query strings
    
    • Refresh tokens must be sender-constrained or one-time use
    

    View Slide

44. @aaronpk
    June 2020
    OAuth 2.1
    oauth.net/2.1
    tools.ietf.org/html/draft-parecki-oauth-v2-1
    

    View Slide

45. @aaronpk
    June 2020
    oauth.net/3
    ?
    ? ?
    

    View Slide

46. OAuth 3
    aka XYZ aka XAuth
    

    View Slide

47. @aaronpk
    June 2020
    OAuth 3
    • In development under a new IETF working group (GNAP)
    
    • Re-thinking OAuth from the ground up
    
    • Not backwards compatible
    
    • Consolidate all the various use cases in OAuth into a new framework
    

    View Slide

48. @aaronpk
    June 2020
    GNAP / TxAuth
    very much in progress!
    

    View Slide

49. Thank you!
    @aaronpk
    aaronpk.com
    
    oauth.wtf
    

    View Slide