What's New with OAuth and OpenID Connect - API Days Australia

Transcript

1. What's New in OAuth 2.1
   Aaron Parecki
   Senior Security Architect, Okta
   
   API Days Australia • September 2020
   

   View Slide

2. @aaronpk
   September 2020
   oauth.net/2
   

   View Slide

3. @aaronpk
   September 2020
   OAuth 2.0
   RFC6749 OAuth Core
   Authorization Code
   Implicit
   Password
   Client Credentials
   Grant Types
   

   View Slide

4. @aaronpk
   September 2020
   

   View Slide

5. @aaronpk
   September 2020
   OAuth 2.0
   RFC6749 OAuth Core
   Authorization Code
   Implicit
   Password
   Client Credentials
   Grant Types
   RFC6750 Bearer Tokens
   Token Usage
   Tokens in HTTP Header
   Tokens in POST Form Body
   Tokens in GET Query String
   

   View Slide

6. @aaronpk
   September 2020
   

   View Slide

7. @aaronpk
   September 2020
   OAuth Server OAuth Client
   Passing Data via the Front Channel
   Did they catch 

   it? Did someone else 

   steal it?
   Is this really 

   from the real 

   OAuth server?
   

   View Slide

8. @aaronpk
   September 2020
   OAuth 2.0
   RFC6749 OAuth Core
   Authorization Code
   Implicit
   Password
   Client Credentials
   RFC6750 Bearer Tokens
   RFC7636
   +PKCE
   Tokens in HTTP Header
   Tokens in POST Form Body
   Tokens in GET Query String
   

   View Slide

9. @aaronpk
   September 2020
   OAuth 2.0
   RFC6749 OAuth Core
   Authorization Code
   Implicit
   Password
   Client Credentials
   RFC6750 Bearer Tokens
   RFC7636
   +PKCE
   RFC8252
   PKCE for mobile
   Tokens in HTTP Header
   Tokens in POST Form Body
   Tokens in GET Query String
   

   View Slide

10. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    

    View Slide

11. @aaronpk
    September 2020
    

    View Slide

12. @aaronpk
    September 2020
    https://example.com
    https://app.example.com
    https://auth.example
    GET /
    HTML, CSS, etc
    POST /token
    access token
    CORS
    

    View Slide

13. @aaronpk
    September 2020
    caniuse.com/cors
    

    View Slide

14. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    

    View Slide

15. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    

    View Slide

16. @aaronpk
    September 2020
    OAuth 2.0 for Browser-Based Apps
    

    View Slide

17. @aaronpk
    September 2020
    OAuth 2.0 for Browser-Based Apps
    

    View Slide

18. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    PKCE for
    confidential
    clients
    Security BCP
    

    View Slide

19. @aaronpk
    September 2020
    Password
    oauth.net/2/oauth-best-practice
    

    View Slide

20. @aaronpk
    September 2020
    Password
    oauth.net/2/oauth-best-practice
    • Added to OAuth to enable migrating applications from HTTP Basic Auth or using
    a stored password to OAuth
    

    View Slide

21. @aaronpk
    September 2020
    OAuth 2.0 Security BCP
    • All OAuth clients MUST use PKCE with the authorization code flow
    
    • Password grant MUST NOT be used
    
    • Use exact string matching for redirect URIs
    
    • No access tokens in query strings
    
    • Refresh tokens for public clients must be 

    sender-constrained or one-time use
    oauth.net/2/oauth-best-practice
    

    View Slide

22. @aaronpk
    September 2020
    RFC6749
    RFC6750
    CLIENT TYPE
    AUTH
    GRANT TYPE
    RFC6819
    RFC7009
    RFC7592
    RFC7662
    RFC7636
    RFC7591
    RFC7519
    BUILDING YOUR APPLICATION
    RFC8252
    OIDC
    RFC8414
    STATE
    TLS
    CSRF
    UMA 2
    FAPI
    RFC7515
    RFC7516
    RFC7517
    RFC7518
    TOKEN
    POP
    SECURITY BCP
    CIBA
    HTTP SIGNING
    MUTUAL TLS SPA BCP
    JARM
    JAR
    TOKEN
    DPOP
    PAR
    

    View Slide

23. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    PKCE for
    confidential
    clients
    Security BCP
    

    View Slide

24. @aaronpk
    September 2020
    OAuth 2.1
    Authorization Code
    Client Credentials
    +PKCE
    Tokens in HTTP Header
    Tokens in POST Form Body
    

    View Slide

25. OAuth 2.1
    oauth.net/2.1
    

    View Slide

26. @aaronpk
    September 2020
    OAuth 2.1
    Consolidate the OAuth 2.0 specs,

    adding best practices, 

    removing deprecated features
    
    Capture current best practices in OAuth
    2.0 under a single name
    
    Add references to extensions that didn't
    exist when OAuth 2.0 was published
    

    View Slide

27. @aaronpk
    September 2020
    OAuth 2.1
    No new behavior defined by OAuth 2.1
    Non-Goals:
    Don't include anything experimental, 

    in progress or not widely implemented
    

    View Slide

28. @aaronpk
    September 2020
    OAuth 2.1
    Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt
    
    • OAuth 2.1 is a consolidation of: 

    OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps
    BCP (draft), Security BCP (draft), 

    Bearer Tokens (RFC6750)
    
    • Grant types defined: Authorization Code with PKCE, Client Credentials
    
    • Exact redirect URI matching
    
    • No Bearer tokens in query strings
    
    • Refresh tokens for SPAs must be sender-constrained or one-time use
    
    • Implicit and password grants are omitted
    

    View Slide

29. @aaronpk
    September 2020
    OAuth 2.1 Client Types
    Public
    
    Confidential
    
    

    View Slide

30. @aaronpk
    September 2020
    OAuth 2.1 Client Types
    Public
    
    Confidential
    
    Credentialed
    
    

    View Slide

31. @aaronpk
    September 2020
    Credentialed Client
    This distinction already exists in OAuth 2.0!
    
    OAuth 2.0:
    
    If the client type is confidential or the client was
    issued client credentials, the client MUST
    authenticate...
    OAuth 2.1:
    
    Confidential or credentialed clients MUST authenticate...
    

    View Slide

32. @aaronpk
    September 2020
    Credentialed Client
    • A client that has credentials, but whose identity is not confirmed
    
    • e.g. a client that obtains a client secret via dynamic client registration
    

    View Slide

33. @aaronpk
    September 2020
    OAuth 2.1
    oauth.net/2.1
    tools.ietf.org/html/draft-ietf-oauth-v2-1
    Recently adopted by the OAuth Working Group
    

    View Slide

34. Thank you!
    @aaronpk
    aaronpk.com
    
    oauth.wtf
    

    View Slide