
The State of OAuth

Presented at Interface by API Days

Aaron Parecki

June 30, 2020

Transcript

  1. The State of OAuth
    Aaron Parecki
    Senior Security Architect, Okta

    Interface API Days • June 2020

  2. @aaronpk
    June 2020
    oauth.net/2

  3. The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    Grant Types

  5. The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    Grant Types
    RFC6750 Bearer Tokens
    Token Usage
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  7. Passing Data via the Front Channel
    (diagram: OAuth Server, OAuth Client)
    Did they catch it? Did someone else steal it?
    Is this really from the real OAuth server?

  8. The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  9. The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  10. The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  12. https://example.com
    https://app.example.com
    https://auth.example
    GET /
    HTML, CSS, etc
    POST /token
    access token
    CORS

  13. caniuse.com/cors

  14. The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  16. OAuth 2.0 for Browser-Based Apps

  18. The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    PKCE for confidential clients
    Security BCP

  19. Password
    oauth.net/2/oauth-best-practice

  20. Password
    oauth.net/2/oauth-best-practice
    • Added to OAuth to enable migrating applications from HTTP Basic Auth or using a stored password to OAuth

  21. Password
    • Exposes the username and password to the application

    • Even for first-party / trusted clients, this increases the attack surface

    • Trains users that it's okay to enter their password in more than one place

    • Difficult or impossible to extend to support multifactor or passwordless authentication (WebCrypto, WebAuthn)

  22. OAuth 2.0 Security BCP
    • All OAuth clients MUST use PKCE with the authorization code flow

    • Password grant MUST NOT be used

    • Use exact string matching for redirect URIs

    • No access tokens in query strings

    • Refresh tokens for public clients must be sender-constrained or one-time use
    oauth.net/2/oauth-best-practice
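Two of the BCP rules above, PKCE (S256) with the authorization code flow and exact string matching of redirect URIs, as an added example that is not code from the talk; the client registry, the client_id and the redirect URI are constructed values.

```python
import base64
import hashlib
import secrets

# Constructed registry: client_id -> registered redirect URIs, stored as exact strings.
CLIENTS = {"s6BhdRkqt3": {"https://client.example.org/cb"}}

def b64url(data):
    """base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier():
    """Client: 32 random bytes give 43 unreserved characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier):
    """Client: code_challenge = base64url(SHA-256(ASCII(code_verifier))), sent to /authorize."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def redirect_uri_allowed(client_id, redirect_uri):
    """Authorization endpoint: exact string comparison, no prefix or wildcard matching."""
    return redirect_uri in CLIENTS.get(client_id, set())

def verify_code_verifier(stored_challenge, verifier):
    """Token endpoint: recompute the challenge from the presented code_verifier and
    compare it in constant time with the challenge stored alongside the authorization code."""
    if not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(verifier), stored_challenge)

def demo_flow():
    """One code exchange: the original verifier passes, any other verifier fails, so a
    code observed in the front channel cannot be redeemed without the verifier."""
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    return {
        "redirect_ok": redirect_uri_allowed("s6BhdRkqt3", "https://client.example.org/cb"),
        "redirect_variant_rejected": not redirect_uri_allowed(
            "s6BhdRkqt3", "https://client.example.org/cb/../other"),
        "verifier_ok": verify_code_verifier(challenge, verifier),
        "other_verifier_rejected": not verify_code_verifier(challenge, make_code_verifier()),
    }
```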

  23. In-Progress Work
    • JWT Profile for Access Tokens

    • DPoP (Proof of Possession)

  24. JWT Profile for Access Tokens
    oauth.net/2/jwt-access-tokens
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiO
    iJodHRwczovL2F1dGhvcml6YXRpb24tc2VydmVyLmV4YW1
    wbGUuY29tLyIsInN1YiI6IiA1YmE1NTJkNjciLCJhdWQiO
    iJodHRwczovL3JzLmV4YW1wbGUuY29tLyIsImV4cCI6MTU
    5MzQ4NjY0OCwiY2xpZW50X2lkIjoiczZCaGRSa3F0M18iL
    CJzY29wZSI6Im9wZW5pZCBwcm9maWxlIHJlYWRlbWFpbCI
    sImp0aSI6IjAxODEwMmE1LTkzYmQtNDE0OC05ODI2LThlY
    TE3NTBjMjMyNiIsImlhdCI6MTU5MzQ4MzA0OH0.lWWmEU2
    kxTtlwu5TOTkXa7e7ZUNd0WbKtsef7EuJyB8

  25. JWT Profile for Access Tokens
    oauth.net/2/jwt-access-tokens
    {"typ":"at+JWT","alg":"RS256","kid":"RjEwOwOA"}
    {
    "iss": "https://authorization-server.example.com/",
    "sub": " 5ba552d67",
    "aud": "https://rs.example.com/",
    "exp": 1544645174,
    "client_id": "s6BhdRkqt3_",
    "scope": "openid profile reademail"
    }
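The resource-server checks the profile implies for a token like the one above (typ of at+JWT, pinned alg, signature, iss, aud, exp), as an added example that is not code from the talk. The signing key, kid and the use of HS256 are constructed assumptions made only to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed symmetric key: HS256 keeps the example dependency-free. A real AS signs
# with an asymmetric key published via JWKS, which is what the "kid" header points at.
KEY = b"constructed-demo-key-do-not-reuse"

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_at_jwt(claims, typ="at+JWT", key=KEY):
    """AS side: header typ 'at+JWT' marks the token as an access token."""
    header = {"typ": typ, "alg": "HS256", "kid": "constructed-kid"}
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def validate_at_jwt(token, issuer, audience, now=None, key=KEY):
    """RS side: returns (claims, None) when accepted, else (None, rejection reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ") != "at+JWT":   # refuse ID tokens or other JWTs presented as access tokens
        return None, "typ is not at+JWT"
    if header.get("alg") != "HS256":    # pin the algorithm; never honour alg=none
        return None, "unexpected alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), (int, float)) or current >= claims["exp"]:
        return None, "expired"
    return claims, None
```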

  26. DPoP
    oauth.net/2/dpop
    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik
    VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR
    nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE
    QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIj
    oiUE9TVCIsImh0dSI6Imh0dHBzOi8vc2VydmVyLmV4YW1wbGUuY29tL3Rva2VuIiwia
    WF0IjoxNTYyMjYyNjE2fQ.2-GxA6T8lP4vfrg8v-FdWP0A0zdrj8igiMLvqRMUvwnQg
    4PtFLbdLXiOSsX0x7NVY-FNyJK70nfbV37xRZT3Lg
    grant_type=authorization_code
    &code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    &code_verifier=bEaL42izcC-o-xBk0K2vuJ6U-y1p9r_wW2dFWIWgjz-

  27. New OAuth Extensions
    • Rich Authorization Requests (RAR)

    • Pushed Authorization Requests (PAR)

    • JWT Authorization Requests (JAR)

  28. Rich Authorization Requests (RAR)
    • OAuth "scope" is limited to fixed lists of scopes

    • Need a way to authorize fine-grained transactions or resources

    • and present that to the user in the authorization interface
    oauth.net/2/rich-authorization-requests

  29. Pay Merchant123 €123.50 from your account ending in 8603

  30. Rich Authorization Requests (RAR)
    oauth.net/2/rich-authorization-requests

  31. Pushed Authorization Requests (PAR)
    • Currently, the authorization request is sent in the front-channel

    • Front-channel is susceptible to inspection and modification

    • PAR initiates the OAuth flow from the back-channel
    oauth.net/2/pushed-authorization-requests

  32. Pushed Authorization Requests (PAR)
    Instead of:
    GET /authorize?response_type=code
    &client_id=s6BhdRkqt3&state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
    Host: as.example.com

    Push the request to the AS:
    POST /as/par HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

    response_type=code
    &client_id=s6BhdRkqt3&state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    oauth.net/2/pushed-authorization-requests

  33. Pushed Authorization Requests (PAR)
    AS responds with a URL:
    {
    "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2",
    "expires_in": 90
    }
    User visits that URL, authorization request details are hidden!
    GET /authorize?request_uri=
    urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2 HTTP/1.1
    oauth.net/2/pushed-authorization-requests
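The two PAR exchanges above (back-channel push, then front-channel /authorize carrying only the request_uri) modelled on the AS side, as an added example that is not code from the talk. It is a constructed in-memory model: the client credentials are the ones encoded in the slide's Basic header, the 90-second lifetime matches the slide, and the one-time-use and expiry handling are the checks a practitioner would expect rather than text from the slides.

```python
import secrets
import time

# Constructed client registry: client_id -> client_secret (values from the slide's Basic header).
REGISTERED_CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}

class AuthorizationServer:
    """In-memory model of the PAR endpoint and the request_uri lookup at /authorize."""

    def __init__(self, lifetime=90, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock            # injectable so expiry can be exercised in tests
        self._pushed = {}             # request_uri -> (client_id, params, expires_at)

    def par(self, client_id, client_secret, params):
        """POST /as/par: the client authenticates and submits the request in the back channel."""
        if REGISTERED_CLIENTS.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        if params.get("client_id") != client_id:      # body must belong to the authenticated client
            return {"error": "invalid_request"}
        if "request_uri" in params:                   # a pushed request may not itself be a reference
            return {"error": "invalid_request"}
        request_uri = "urn:example:" + secrets.token_urlsafe(24)   # unguessable, as on the slide
        self._pushed[request_uri] = (client_id, dict(params), self.clock() + self.lifetime)
        return {"request_uri": request_uri, "expires_in": self.lifetime}

    def authorize(self, query):
        """GET /authorize?client_id=...&request_uri=...: resolve the pushed request."""
        entry = self._pushed.pop(query.get("request_uri"), None)   # single use: gone after one lookup
        if entry is None:
            return {"error": "invalid_request_uri"}
        client_id, params, expires_at = entry
        if self.clock() > expires_at:
            return {"error": "invalid_request_uri", "reason": "expired"}
        if query.get("client_id") != client_id:
            return {"error": "invalid_request"}
        return dict(params)   # the full request, which never appeared in the front-channel URL
```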

  34. JWT Authorization Requests (JAR)
    • Create a signed JWT with the authorization request details

    • Prevents front-channel tampering with the request, similar to PAR

    • Authenticates the request so the AS knows the client really did initiate it
    tools.ietf.org/html/draft-ietf-oauth-jwsreq

  35. JWT Authorization Requests (JAR)
    {
    "iss": "s6BhdRkqt3",
    "aud": "https://server.example.com",
    "response_type": "code id_token",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "max_age": 86400
    }
    eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ewogICAgImlzcyI6ICJzNkJoZF
    JrcXQzIiwKICAgICJhdWQiOiAiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLAog
    ICAgInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsCiAgICAiY2xpZW50X2
    lkIjogInM2QmhkUmtxdDMiLAogICAgInJlZGlyZWN0X3VyaSI6ICJodHRwczovL2Ns
    aWVudC5leGFtcGxlLm9yZy9jYiIsCiAgICAic2NvcGUiOiAib3BlbmlkIiwKICAgIC
    JzdGF0ZSI6ICJhZjBpZmpzbGRraiIsCiAgICAibm9uY2UiOiAibi0wUzZfV3pBMk1q
    IiwKICAgICJtYXhfYWdlIjogODY0MDAKfQ.Nsxa_18VUElVaPjqW_ToI1yrEJ67BgK
    b5xsuZRVqzGkfKrOIX7BCx0biSxYGmjK9KJPctH1OC0iQJwXu5YVY-vnW0_PLJb1C2
    HG-ztVzcnKZC2gE4i0vgQcpkUOCpW3SEYXnyWnKzuKzqSb1wAZALo5f89B_p6QA6j6
    JwBSRvdVsDPdulW8lKxGTbH82czCaQ50rLAg3EYLYaCb4ik4I1zGXE4fvim9FIMs8O
    CMmzwIB5S-ujFfzwFjoyuPEV4hJnoVUmXR_W9typPf846lGwA8h9G9oNTIuX8Ft2jf
    pnZdFmLg3_wr3Wa5q3a-lfbgF3S9H_8nN3j1i7tLR_5Nz-g
    tools.ietf.org/html/draft-ietf-oauth-jwsreq

  36. JWT Authorization Requests (JAR)
    Either passed by value in the URL:
    https://server.example.com/authorize?request=eyJhbGciOiJS...
    ...by reference in the URL:
    https://server.example.com/authorize?request_uri=https://example.org/r...
    ...or pushed using PAR:
    POST https://server.example.com/authorize
    request=eyJhbGciOiJS...
    tools.ietf.org/html/draft-ietf-oauth-jwsreq

  37. RFC6749
    RFC6750
    CLIENT TYPE
    AUTH
    GRANT TYPE
    RFC6819
    RFC7009
    RFC7592
    RFC7662
    RFC7636
    RFC7591
    RFC7519
    BUILDING YOUR APPLICATION
    RFC8252
    OIDC
    RFC8414
    STATE
    TLS
    CSRF
    UMA 2
    FAPI
    RFC7515
    RFC7516
    RFC7517
    RFC7518
    TOKEN
    POP
    SECURITY BCP
    CIBA
    HTTP SIGNING
    MUTUAL TLS SPA BCP
    JARM
    JAR
    TOKEN
    DPOP
    PAR

  38. The State of OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    PKCE for confidential clients
    Security BCP

  39. OAuth 2.1
    Authorization Code
    Client Credentials
    +PKCE
    Tokens in HTTP Header
    Tokens in POST Form Body

  40. OAuth 2.1
    oauth.net/2.1

  41. OAuth 2.1
    Consolidate the OAuth 2.0 specs, adding best practices, removing deprecated features
    Capture current best practices in OAuth 2.0 under a single name
    Add references to extensions that didn't exist when OAuth 2.0 was published

  42. OAuth 2.1
    No new behavior defined by OAuth 2.1
    Non-Goals: Don't include anything experimental, in progress or not widely implemented

  43. OAuth 2.1
    RFC6749 - OAuth 2.0 Core

    RFC6750 - Bearer Token Usage

    RFC7636 - PKCE

    Native App & Browser-Based App BCPs

    Security BCP

    • MUST support PKCE for all OAuth clients

    • No password grant

    • No implicit flow

    • Exact string matching for redirect URIs

    • No access tokens in query strings

    • Refresh tokens must be sender-constrained or one-time use

  44. OAuth 2.1
    oauth.net/2.1
    tools.ietf.org/html/draft-parecki-oauth-v2-1

  45. oauth.net/3 ?

  46. OAuth 3
    aka XYZ aka XAuth

  47. OAuth 3
    • In development under a new IETF working group (GNAP)

    • Re-thinking OAuth from the ground up

    • Not backwards compatible

    • Consolidate all the various use cases in OAuth into a new framework

  48. GNAP / TxAuth
    very much in progress!

  49. Thank you!
    @aaronpk
    aaronpk.com

    oauth.wtf