What's New with OAuth and OpenID Connect - API Days Australia

Aaron Parecki
September 15, 2020

Transcript

  1. What's New in OAuth 2.1
    Aaron Parecki
    Senior Security Architect, Okta

    API Days Australia • September 2020

  2. @aaronpk
    September 2020
    oauth.net/2

  3. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    Grant Types

  4. @aaronpk
    September 2020

  5. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    Grant Types
    RFC6750 Bearer Tokens
    Token Usage
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  6. @aaronpk
    September 2020

  7. @aaronpk
    September 2020
    OAuth Server / OAuth Client
    Passing Data via the Front Channel
    Did they catch it? Did someone else steal it?
    Is this really from the real OAuth server?

  8. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  9. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  10. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  11. @aaronpk
    September 2020

  12. @aaronpk
    September 2020
    Diagram (recovered labels only): https://example.com, https://app.example.com, https://auth.example; GET / returning HTML, CSS, etc.; POST /token returning an access token; CORS

  13. @aaronpk
    September 2020
    caniuse.com/cors

  14. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  15. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String

  16. @aaronpk
    September 2020
    OAuth 2.0 for Browser-Based Apps

  17. @aaronpk
    September 2020
    OAuth 2.0 for Browser-Based Apps

  18. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    PKCE for confidential clients
    Security BCP

  19. @aaronpk
    September 2020
    Password
    oauth.net/2/oauth-best-practice

  20. @aaronpk
    September 2020
    Password
    oauth.net/2/oauth-best-practice
    • Added to OAuth to enable migrating applications from HTTP Basic Auth or using a stored password to OAuth

  21. @aaronpk
    September 2020
    OAuth 2.0 Security BCP
    • All OAuth clients MUST use PKCE with the authorization code flow
    • Password grant MUST NOT be used
    • Use exact string matching for redirect URIs
    • No access tokens in query strings
    • Refresh tokens for public clients must be sender-constrained or one-time use
    oauth.net/2/oauth-best-practice
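    The first item on this slide, PKCE for every client, as an added worked example that is not part of the deck: the client side generates a code_verifier and its S256 code_challenge exactly as RFC 7636 specifies, and a small in-memory authorization server (class and method names are this example's own) stores the challenge with the issued code, accepts only S256, makes the code single-use, and checks the verifier at the token endpoint.

    ```python
    # Added example, not from the slides: PKCE (RFC 7636) with the S256 method.
    # AuthorizationServer and demo() are this example's own names; the deck
    # only states the requirement that all clients use PKCE.
    import base64
    import hashlib
    import secrets


    def b64url_no_pad(data: bytes) -> str:
        """Base64url encoding without '=' padding, as RFC 7636 requires."""
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


    def make_code_verifier() -> str:
        """High-entropy verifier: 32 random bytes encode to 43 unreserved chars."""
        return b64url_no_pad(secrets.token_bytes(32))


    def code_challenge_s256(code_verifier: str) -> str:
        """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return b64url_no_pad(digest)


    class AuthorizationServer:
        """Minimal in-memory model of the two endpoints PKCE touches."""

        def __init__(self) -> None:
            self._codes: dict = {}  # authorization code -> stored code_challenge

        def authorize(self, code_challenge: str, method: str) -> str:
            # Every client must send a challenge. Only S256 is accepted: the
            # 'plain' method would expose the verifier itself in the front channel.
            if method != "S256":
                raise ValueError("unsupported code_challenge_method")
            if not code_challenge:
                raise ValueError("code_challenge is required")
            code = secrets.token_urlsafe(24)
            self._codes[code] = code_challenge
            return code

        def token(self, code: str, code_verifier: str) -> bool:
            # Codes are single-use: pop so a replayed code fails even with the
            # right verifier.
            stored = self._codes.pop(code, None)
            if stored is None:
                return False
            if not 43 <= len(code_verifier) <= 128:
                return False
            # Constant-time comparison of the recomputed challenge.
            return secrets.compare_digest(code_challenge_s256(code_verifier), stored)


    def demo() -> tuple:
        """One correct exchange and one with a verifier that does not match."""
        server = AuthorizationServer()
        verifier = make_code_verifier()
        code = server.authorize(code_challenge_s256(verifier), "S256")
        ok = server.token(code, verifier)
        code2 = server.authorize(code_challenge_s256(verifier), "S256")
        rejected = server.token(code2, make_code_verifier())
        return ok, rejected


    if __name__ == "__main__":
        print(demo())
    ```

    The verifier is never sent in the authorization request, so a code intercepted on the front channel is useless without it; the single-use pop in `token()` is what stops a captured code from being redeemed twice.
    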

  22. @aaronpk
    September 2020
    RFC6749
    RFC6750
    CLIENT TYPE
    AUTH
    GRANT TYPE
    RFC6819
    RFC7009
    RFC7592
    RFC7662
    RFC7636
    RFC7591
    RFC7519
    BUILDING YOUR APPLICATION
    RFC8252
    OIDC
    RFC8414
    STATE
    TLS
    CSRF
    UMA 2
    FAPI
    RFC7515
    RFC7516
    RFC7517
    RFC7518
    TOKEN
    POP
    SECURITY BCP
    CIBA
    HTTP SIGNING
    MUTUAL TLS
    SPA BCP
    JARM
    JAR
    TOKEN
    DPOP
    PAR

  23. @aaronpk
    September 2020
    OAuth 2.0
    RFC6749 OAuth Core
    Authorization Code
    Implicit
    Password
    Client Credentials
    RFC6750 Bearer Tokens
    Tokens in HTTP Header
    Tokens in POST Form Body
    Tokens in GET Query String
    RFC7636
    +PKCE
    RFC8252
    PKCE for mobile
    Browser App BCP
    PKCE for SPAs
    PKCE for
    confidential
    clients
    Security BCP

  24. @aaronpk
    September 2020
    OAuth 2.1
    Authorization Code
    Client Credentials
    +PKCE
    Tokens in HTTP Header
    Tokens in POST Form Body

  25. OAuth 2.1
    oauth.net/2.1

  26. @aaronpk
    September 2020
    OAuth 2.1
    Consolidate the OAuth 2.0 specs, adding best practices, removing deprecated features
    Capture current best practices in OAuth 2.0 under a single name
    Add references to extensions that didn't exist when OAuth 2.0 was published

  27. @aaronpk
    September 2020
    OAuth 2.1
    No new behavior defined by OAuth 2.1
    Non-Goals:
    Don't include anything experimental, in progress or not widely implemented

  28. @aaronpk
    September 2020
    OAuth 2.1
    Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt

    • OAuth 2.1 is a consolidation of: OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), Bearer Tokens (RFC6750)
    • Grant types defined: Authorization Code with PKCE, Client Credentials
    • Exact redirect URI matching
    • No Bearer tokens in query strings
    • Refresh tokens for SPAs must be sender-constrained or one-time use
    • Implicit and password grants are omitted
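    Two of the bullets above, exact redirect URI matching and no bearer tokens in query strings, as an added example that is not from the deck. The function names, the registered URI and the sample requests are all constructed here; the prefix matcher is included only to contrast the older, weaker rule with the exact comparison OAuth 2.1 requires.

    ```python
    # Added example, not from the slides. Helper names are this example's own.
    #  1. redirect_uri must equal a registered URI character for character.
    #  2. A resource server takes the bearer token from the Authorization header
    #     or the POST form body; the RFC 6750 query-string form is refused.
    from typing import Dict, List, Optional


    def redirect_uri_matches(registered: List[str], requested: str) -> bool:
        """Exact string comparison, as the Security BCP and OAuth 2.1 require."""
        return any(requested == uri for uri in registered)


    def redirect_uri_prefix_matches(registered: List[str], requested: str) -> bool:
        """The looser prefix rule some OAuth 2.0 deployments used. Shown only
        for contrast: anything under the registered path is accepted."""
        return any(requested.startswith(uri) for uri in registered)


    def extract_bearer_token(headers: Dict[str, str],
                             form: Dict[str, str],
                             query: Dict[str, str]) -> Optional[str]:
        """Return the bearer token from the header or form body, or None.

        Raises PermissionError if the token arrives in the query string (dropped
        in OAuth 2.1: it lands in server logs, Referer headers and history) or
        if more than one transport is used at once (forbidden by RFC 6750 sec. 2).
        """
        scheme, _, header_token = headers.get("Authorization", "").partition(" ")
        header_token = header_token.strip() if scheme.lower() == "bearer" else ""
        form_token = form.get("access_token", "")
        if "access_token" in query:
            raise PermissionError("bearer token in query string is not accepted")
        if header_token and form_token:
            raise PermissionError("token supplied via more than one method")
        return header_token or form_token or None


    def check_authorization_request(registered: List[str], params: Dict[str, str]) -> bool:
        """Authorization endpoint gate: an unregistered redirect_uri must be
        rejected before any redirect is issued, not redirected to with an error."""
        requested = params.get("redirect_uri", "")
        return redirect_uri_matches(registered, requested)


    if __name__ == "__main__":
        # Constructed sample values.
        reg = ["https://app.example.com/callback"]
        print(check_authorization_request(reg, {"redirect_uri": reg[0]}))          # True
        print(check_authorization_request(reg, {"redirect_uri": reg[0] + "/x"}))   # False
        print(extract_bearer_token({"Authorization": "Bearer tok-1"}, {}, {}))     # tok-1
    ```

    Note the ordering in `check_authorization_request`: a mismatched redirect_uri is answered directly to the user agent, never by redirecting to the unrecognised URI with an error code.
    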

  29. @aaronpk
    September 2020
    OAuth 2.1 Client Types
    Public

    Confidential

  30. @aaronpk
    September 2020
    OAuth 2.1 Client Types
    Public

    Confidential

    Credentialed

  31. @aaronpk
    September 2020
    Credentialed Client
    This distinction already exists in OAuth 2.0!

    OAuth 2.0: "If the client type is confidential or the client was issued client credentials, the client MUST authenticate..."
    OAuth 2.1: "Confidential or credentialed clients MUST authenticate..."

  32. @aaronpk
    September 2020
    Credentialed Client
    • A client that has credentials, but whose identity is not confirmed

    • e.g. a client that obtains a client secret via dynamic client registration
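    The client-type rule from the two preceding slides, as an added example that is not from the deck: a token endpoint that requires authentication from confidential and credentialed clients alike, while a public client presents no secret. The registry, client IDs and secrets are constructed for this example, and the function names are this example's own.

    ```python
    # Added example, not from the slides: applying "confidential or credentialed
    # clients MUST authenticate" at a token endpoint. All records are constructed.
    import secrets
    from dataclasses import dataclass
    from typing import Dict, Optional


    @dataclass(frozen=True)
    class Client:
        client_id: str
        client_type: str            # "public", "confidential" or "credentialed"
        client_secret: str = ""     # empty for public clients


    # Constructed registry: a server-side web app whose identity was verified at
    # registration, an SPA with no secret, and a client that obtained a secret
    # through dynamic client registration, so it has credentials but its
    # identity is not confirmed.
    CLIENTS: Dict[str, Client] = {
        "web-app": Client("web-app", "confidential", "constructed-secret-web"),
        "spa": Client("spa", "public"),
        "dyn-123": Client("dyn-123", "credentialed", "constructed-secret-dyn"),
    }


    def must_authenticate(client: Client) -> bool:
        """OAuth 2.1 wording: confidential or credentialed clients MUST authenticate."""
        return client.client_type in ("confidential", "credentialed")


    def identity_confirmed(client: Client) -> bool:
        """Only a confidential client's identity was verified; a credentialed
        client merely holds a secret, so passing authentication proves possession
        of that secret and nothing more."""
        return client.client_type == "confidential"


    def authenticate_token_request(client_id: str,
                                   presented_secret: Optional[str] = None) -> bool:
        """Return True if the token request may proceed to grant processing."""
        client = CLIENTS.get(client_id)
        if client is None:
            return False
        if must_authenticate(client):
            if not presented_secret:
                return False
            return secrets.compare_digest(presented_secret, client.client_secret)
        # Public client: nothing to authenticate with; PKCE binds the code to
        # the requester instead. A secret sent anyway is ignored, not trusted.
        return True


    if __name__ == "__main__":
        print(authenticate_token_request("web-app", "constructed-secret-web"))  # True
        print(authenticate_token_request("dyn-123"))                            # False
        print(authenticate_token_request("spa"))                                # True
    ```

    `identity_confirmed` is the practical consequence of the distinction: a credentialed client can be authenticated but should not receive any privilege that assumes the server knows who it is.
    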

  33. @aaronpk
    September 2020
    OAuth 2.1
    oauth.net/2.1
    tools.ietf.org/html/draft-ietf-oauth-v2-1
    Recently adopted by the OAuth Working Group

  34. Thank you!
    @aaronpk
    aaronpk.com

    oauth.wtf
