Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What's New with OAuth and OpenID Connect - API Days Australia

11954e59b49809173d48133ec4047fce?s=47 Aaron Parecki
September 15, 2020
Technology
2
190

What's New with OAuth and OpenID Connect - API Days Australia

https://aaronparecki.com/2020/09/16/23/

11954e59b49809173d48133ec4047fce?s=128

Aaron Parecki

September 15, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
App Integrity Attestations for OAuth - OAuth Security Workshop 2022
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
60
Intro to OAuth - IETF 110
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
94
OAuth 101 - Internet Identity Workshop XXXI
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
390
How to Think about OAuth Security - Disclosure 2020
11954e59b49809173d48133ec4047fce?s=48 aaronpk
1
130
Protecting Single-Page Apps using OAuth
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
310
OAuth 2.1 - OAuth Security Workshop
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
580
The State of OAuth
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
130
OAuth 2.0 Client Intermediary Metadata - IETF 107
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
64
How to Hack OAuth - Goto Chicago 2020
11954e59b49809173d48133ec4047fce?s=48 aaronpk
0
220

Other Decks in Technology

See All in Technology
【OCHaCafe#5】その Pod 突然落ちても大丈夫ですか?
B2ec9cc63288622b90b772a0ab71adc2?s=48 k6s4i53rx
1
120
⚡Lightdashを試してみた
2c6a9bc003b77685330cc9359b6fbbc4?s=48 k_data_analyst
0
200
A Conditional Point Diffusion-Refinement Paradigm for 3D Point Cloud Completion
2c88806cbaab6024dc95b9a654c99d86?s=48 takmin
0
210
AWS ChatbotでEC2インスタンスを 起動できるようにした
Eb5a213a0a76afa872249a05444c78c1?s=48 iwamot
0
130
信頼性の階層の一段目を積み上げる/Monitoring Dashboard
0b238801605070def81a98cfe8061aee?s=48 shonansurvivors
0
140
AWSの基礎を学ぼうで学んだ9種類のDBを勝手にふりかえる
6395e3c01eccba987502884a2e40b381?s=48 98lerr
2
720
ZOZOTOWNのProduction Readiness Checklistと信頼性向上の取り組み / Improvement the reliability of ZOZOTOWN with Production Readiness Checklist
08672189228a165c14ed8d896f9a4d3a?s=48 akitok_
5
1.6k
エンタープライズにおけるSRE立ち上げとNew Relic選定に至った背景とは / SRE Startup and New Relic in the Enterprise
Aa0d25b0254ef311ed8177b5275577f4?s=48 tomoyakitaura
2
160
5分で完全理解するGoのiota
9c23bec5e8b0aa1d9458d40800987347?s=48 uji
3
2.1k
我々はなぜテストをするのか?
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
PRO
0
300
tfcon-2022-cpp
Dcc589548f0372645aaeb95bda8e22c2?s=48 cpp
5
5k
New Features in C# 10/11
1c3658db58f755e44fc1a70255c08ff7?s=48 chack411
0
920

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
52k
Art Directing for the Web. Five minutes with CSS Template Areas
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
196
9.4k
Automating Front-end Workflow
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1351
200k
Distributed Sagas: A Protocol for Coordinating Microservices
9128d500301ae51524e887bb680f471d?s=48 caitiem20
315
19k
Optimizing for Happiness
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
365
63k
Designing for Performance
245cee81a9c424266e5e401d844ea881?s=48 lara
596
63k
Faster Mobile Websites
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
294
28k
Code Review Best Practice
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
41
6.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
19
1.4k
Raft: Consensus for Rubyists
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
126
5.4k
Navigating Team Friction
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
Why Our Code Smells
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
324
54k

Transcript

  1. What's New in OAuth 2.1 Aaron Parecki Senior Security Architect,

    Okta API Days Australia • September 2020

  2. @aaronpk September 2020 oauth.net/2

  3. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials Grant Types

  4. @aaronpk September 2020

  5. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials Grant Types RFC6750 Bearer Tokens Token Usage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  6. @aaronpk September 2020

  7. @aaronpk September 2020 OAuth Server OAuth Client Passing Data via

    the Front Channel Did they catch 
 it? Did someone else 
 steal it? Is this really 
 from the real 
 OAuth server?

  8. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  9. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  10. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  11. @aaronpk September 2020

  12. @aaronpk September 2020 https://example.com https://app.example.com https://auth.example GET / HTML, CSS,

    etc POST /token access token CORS

  13. @aaronpk September 2020 caniuse.com/cors

  14. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  15. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

  16. @aaronpk September 2020 OAuth 2.0 for Browser-Based Apps

  17. @aaronpk September 2020 OAuth 2.0 for Browser-Based Apps

  18. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  19. @aaronpk September 2020 Password oauth.net/2/oauth-best-practice

  20. @aaronpk September 2020 Password oauth.net/2/oauth-best-practice • Added to OAuth to

    enable migrating applications from HTTP Basic Auth or using a stored password to OAuth

  21. @aaronpk September 2020 OAuth 2.0 Security BCP • All OAuth

    clients MUST use PKCE with the authorization code flow • Password grant MUST NOT be used • Use exact string matching for redirect URIs • No access tokens in query strings • Refresh tokens for public clients must be 
 sender-constrained or one-time use oauth.net/2/oauth-best-practice

  22. @aaronpk September 2020 RFC6749 RFC6750 CLIENT TYPE AUTH GRANT TYPE

    RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR

  23. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

  24. @aaronpk September 2020 OAuth 2.1 Authorization Code Client Credentials +PKCE

    Tokens in HTTP Header Tokens in POST Form Body

  25. OAuth 2.1 oauth.net/2.1

  26. @aaronpk September 2020 OAuth 2.1 Consolidate the OAuth 2.0 specs,


    adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published

  27. @aaronpk September 2020 OAuth 2.1 No new behavior defined by

    OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented

  28. @aaronpk September 2020 OAuth 2.1 Authors: Dick Hardt, Aaron Parecki,

    Torsten Lodderstedt • OAuth 2.1 is a consolidation of: 
 OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), 
 Bearer Tokens (RFC6750) • Grant types defined: Authorization Code with PKCE, Client Credentials • Exact redirect URI matching • No Bearer tokens in query strings • Refresh tokens for SPAs must be sender-constrained or one-time use • Implicit and password grants are omitted

  29. @aaronpk September 2020 OAuth 2.1 Client Types Public Confidential

  30. @aaronpk September 2020 OAuth 2.1 Client Types Public Confidential Credentialed

  31. @aaronpk September 2020 Credentialed Client This distinction already exists in

    OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials, the client MUST authenticate... OAuth 2.1: Confidential or credentialed clients MUST authenticate...

  32. @aaronpk September 2020 Credentialed Client • A client that has

    credentials, but whose identity is not confirmed • e.g. a client that obtains a client secret via dynamic client registration

  33. @aaronpk September 2020 OAuth 2.1 oauth.net/2.1 tools.ietf.org/html/draft-ietf-oauth-v2-1 Recently adopted by

    the OAuth Working Group

  34. Thank you! @aaronpk aaronpk.com oauth.wtf