The Many Layers of OAuth

OAuth is one of the most important but most misunderstood frameworks out there. What you think it is, it probably isn’t. What it actually is, you probably hadn’t considered. Regardless, when you consider how the standards, specifications, and common practices interact and fit together, it’s impressive what you can accomplish with minimal effort.

In this session, we’ll walk through the most common RFCs that are combined to make powerful, robust, and secure solutions that drive modern software development.

Keith Casey

June 08, 2018

Transcript

  1. THE MANY LAYERS OF OAUTH. D. Keith Casey Jr, keith@caseysoftware.com, @CaseySoftware
  2. WHO AM I?

  3. WHO AM I?

  4. WHO AM I? http://TheAPIDesignBook.com

  5. AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors

  6. AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors
  7. ASSUMPTIONS • Security is an important part of your job • You are probably using OAuth • You might be building OAuth servers • All the specs drive you nuts

  8. ASSUMPTIONS • Nothing is perfect • You make mistakes • Your providers make mistakes • That other team are all knuckleheads • Your team is great though

  9. btw, I mean OAuth 2.0

  10. AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors

  11. HOTEL KEY CARDS BUT FOR APPS

  12. TO PUT IT ANOTHER WAY • Sharing access without sharing creds (aka delegation) • Granting limited access (aka scoping & expiration) • Separating policy decisions from enforcement

  13. BUT THIS DOESN’T SOLVE IDENTITY

  14. WAIT, WHAT?

  15. AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors

  16. AUTHENTICATION VS AUTHORIZATION • Authentication aka AuthN • Who are you? • Authorization aka AuthZ • Are you allowed to do that?

  17. BACK TO THE SPEC

  18. AUTH CODE GRANT TYPE (there are other grant types, not important atm) Credit: https://developer.okta.com

  19. WHAT ABOUT THOSE TOKENS?

  20. What about a JWT !? (aka JSON Web Token)

  21. JWT SPECIFICATION

  22. JWT SPECIFICATION

  23. ENTER OPENID CONNECT

  24. ADD ANOTHER SPEC

  25. OPINIONATED STRUCTURE • Scopes • openid • profile • email • address • phone • Claims • name • given_name • email • street_address • phone_number • and lots more

  26. AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors
  27. THE ENDPOINTS

    • /authorize: RFC 6749 - OAuth Core
    • /token: RFC 6749 - OAuth Core
    • JWT: RFC 7519 - JSON Web Token
    • /introspect: RFC 7662 - Token Introspection
    • /revoke: RFC 7009 - Token Revocation
    • /logout: ?????
    • /keys: ????
    • /userinfo: OpenID Connect Specification
    • /.well-known/openid-configuration: Draft - OpenID Provider Metadata Spec
    • /.well-known/oauth-authorization-server: Draft - Auth Server Metadata spec
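An added example (not from the talk or its slides) that ties slides 18, 25 and 27 together: a client reads a provider's discovery document, refuses metadata that lacks a core endpoint or advertises a non-HTTPS one, maps the requested OpenID Connect scopes to the claims they unlock, and builds the auth-code request to /authorize with a random state. The issuer, client id and redirect URI are placeholders, and the scope-to-claims table is a subset of the standard claims, not an exhaustive list.

```python
import json
import secrets
from urllib.parse import urlencode
# Constructed /.well-known/openid-configuration sample; placeholder issuer.
DISCOVERY_JSON = """{
  "issuer": "https://issuer.example",
  "authorization_endpoint": "https://issuer.example/authorize",
  "token_endpoint": "https://issuer.example/token",
  "userinfo_endpoint": "https://issuer.example/userinfo",
  "jwks_uri": "https://issuer.example/keys",
  "introspection_endpoint": "https://issuer.example/introspect",
  "revocation_endpoint": "https://issuer.example/revoke",
  "scopes_supported": ["openid", "profile", "email", "address", "phone"]
}"""

# Standard OIDC scopes and some claims each unlocks (address contains street_address).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "given_name", "family_name"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

def load_discovery(doc):
    # Reject metadata missing a core endpoint or advertising a non-HTTPS one.
    meta = json.loads(doc)
    if any(k not in meta for k in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")):
        raise ValueError("discovery document lacks a required endpoint")
    for key, value in meta.items():
        if key.endswith(("_endpoint", "_uri")) and not value.startswith("https://"):
            raise ValueError(f"{key} must be served over HTTPS, got {value}")
    return meta

def claims_for_scopes(scopes):
    # Claims a client may expect for these scopes; unknown scopes add none.
    return set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))

def build_authorize_url(meta, client_id, redirect_uri, scopes, state=None):
    # Auth-code request: openid required, scopes advertised, random state ties callback to request.
    if "openid" not in scopes:
        raise ValueError("OpenID Connect requests must include the openid scope")
    unsupported = set(scopes) - set(meta.get("scopes_supported", scopes))
    if unsupported:
        raise ValueError(f"provider does not advertise {sorted(unsupported)}")
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return meta["authorization_endpoint"] + "?" + urlencode(params), state
```

The returned state must be stored (for example in the session) and compared against the value that comes back on the redirect URI before the code is exchanged at /token.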
  28. AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors

  29. COMPONENTS Credit: https://developer.okta.com 1 2 3 4

  30. COMPONENTS Credit: https://developer.okta.com 1 2 3 4

  31. COMPONENTS Credit: https://developer.okta.com 1 2 3 4

  32. COMPONENTS Credit: https://developer.okta.com 1 2 3 4

  33. COMPONENTS Credit: https://developer.okta.com 1 2 3 4

  34. 0. THE USER

  35. RECAP • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors

  36. THE MANY LAYERS OF OAUTH. D. Keith Casey Jr, keith@caseysoftware.com, @CaseySoftware