
The Many Layers of OAuth

OAuth is one of the most important but most misunderstood frameworks out there. What you think it is, it probably isn’t. What it actually is, you probably hadn’t considered. Regardless, when you consider how the standards, specifications, and common practices interact and fit together, it’s impressive what you can accomplish with minimal effort.

In this session, we’ll walk through the most common RFCs that are combined to make powerful, robust, and secure solutions that drive modern software development.

Keith Casey

June 08, 2018

Transcript

1. AGENDA
   • Assumptions
   • What problems are we solving?
   • AuthN vs AuthZ all the things
   • The Specifications
   • Threat/Attack Vectors
   @CaseySoftware

2. AGENDA
   • Assumptions
   • What problems are we solving?
   • AuthN vs AuthZ all the things
   • The Specifications
   • Threat/Attack Vectors

3. ASSUMPTIONS
   • Security is an important part of your job
   • You are probably using OAuth
   • You might be building OAuth servers
   • All the specs drive you nuts

4. ASSUMPTIONS
   • Nothing is perfect
   • You make mistakes
   • Your providers make mistakes
   • That other team are all knuckleheads
   • Your team is great though

5. AGENDA
   • Assumptions
   • What problems are we solving?
   • AuthN vs AuthZ all the things
   • The Specifications
   • Threat/Attack Vectors

6. TO PUT IT ANOTHER WAY
   • Sharing access without sharing creds (aka delegation)
   • Granting limited access (aka scoping & expiration)
   • Separating policy decisions from enforcement

7. AGENDA
   • Assumptions
   • What problems are we solving?
   • AuthN vs AuthZ all the things
   • The Specifications
   • Threat/Attack Vectors

8. AUTHENTICATION VS AUTHORIZATION
   • Authentication aka AuthN
     • Who are you?
   • Authorization aka AuthZ
     • Are you allowed to do that?

9. AUTH CODE GRANT TYPE (there are other grant types, not important atm)
   Credit: https://developer.okta.com

10. OPINIONATED STRUCTURE
   • Scopes
     • openid
     • profile
     • email
     • address
     • phone
   • Claims
     • name
     • given_name
     • email
     • street_address
     • phone_number
     • and lots more

11. AGENDA
   • Assumptions
   • What problems are we solving?
   • AuthN vs AuthZ all the things
   • The Specifications
   • Threat/Attack Vectors

12. THE ENDPOINTS
   Endpoint                                   Specification
   /authorize                                 RFC 6749 - OAuth Core
   /token                                     RFC 6749 - OAuth Core
   JWT                                        RFC 7519 - JSON Web Token
   /introspect                                RFC 7662 - Token Introspection
   /revoke                                    RFC 7009 - Token Revocation
   /logout                                    ?????
   /keys                                      ????
   /userinfo                                  OpenID Connect Specification
   /.well-known/openid-configuration          Draft - OpenID Provider Metadata Spec
   /.well-known/oauth-authorization-server    Draft - Auth Server Metadata spec
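To show how the pieces from slides 6, 9, 10 and 12 fit together, here is a toy authorization server written for this transcript; it is an added illustration, not code from the talk, from Okta, or from any of the RFCs. It wires /authorize, /token, /introspect, /revoke and /userinfo around a minimal RFC 7519 JWT, applies the scope-to-claims mapping of slide 10, and keeps the policy decision (which scopes were granted) separate from enforcement (which claims /userinfo releases). Everything concrete is constructed: the client id `app123`, its secret and redirect URI, the user `alice`, and an HS256 shared key standing in for the asymmetric key whose public half a real `/keys` endpoint would publish. /logout is left out because the slide itself marks its specification as unknown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed client registration (hypothetical values, not from the talk).
CLIENTS = {"app123": {"secret": "s3cr3t", "redirect_uris": ["https://app.example/cb"]}}
# Constructed user record; /userinfo only returns the parts the granted scopes unlock.
USERS = {"alice": {"name": "Alice Liddell", "given_name": "Alice",
                   "email": "alice@example.com", "street_address": "1 Rabbit Hole",
                   "phone_number": "+1-555-0100"}}
# Standard OIDC scopes from slide 10 mapped to a few of the claims they unlock.
SCOPE_CLAIMS = {"openid": ["sub"], "profile": ["name", "given_name"], "email": ["email"],
                "address": ["street_address"], "phone": ["phone_number"]}
# HS256 shared secret stands in for the asymmetric key whose public half /keys would publish.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://as.example"
_codes = {}       # pending authorization codes, keyed by code value
_revoked = set()  # jti values that /revoke has recorded

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT (RFC 7519) for the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token_str: str):
    """Return the claims if the signature checks out, else None."""
    parts = token_str.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError:
        return None

def authorize(client_id, redirect_uri, scope, state, user, now=None):
    """/authorize: once the user has authenticated, hand back a short-lived, single-use code."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        return {"error": "invalid_request"}  # never redirect to an unregistered URI
    scopes = [s for s in scope.split() if s in SCOPE_CLAIMS]  # unknown scopes are dropped
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scopes": scopes,
                    "user": user, "exp": (now or time.time()) + 60}
    return {"code": code, "state": state}  # state is echoed so the client can match the reply

def token(client_id, client_secret, code, redirect_uri, now=None):
    """/token: authorization_code grant; the code is consumed on first use."""
    now = now or time.time()
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    grant = _codes.pop(code, None)  # pop: a replayed code fails the second time
    if (grant is None or grant["client_id"] != client_id
            or grant["redirect_uri"] != redirect_uri or grant["exp"] < now):
        return {"error": "invalid_grant"}
    claims = {"iss": ISSUER, "sub": grant["user"], "aud": client_id, "iat": int(now),
              "exp": int(now) + 3600, "jti": secrets.token_hex(8),
              "scope": " ".join(grant["scopes"])}
    return {"access_token": mint_jwt(claims), "token_type": "Bearer",
            "expires_in": 3600, "scope": claims["scope"]}

def introspect(token_str, now=None):
    """/introspect (RFC 7662): signature, expiry and revocation all decide 'active'."""
    claims = verify_jwt(token_str)
    if (claims is None or claims.get("exp", 0) <= (now or time.time())
            or claims.get("jti") in _revoked):
        return {"active": False}
    return {"active": True, **claims}

def revoke(token_str):
    """/revoke (RFC 7009): same empty reply whether or not the token was known."""
    claims = verify_jwt(token_str)
    if claims is not None:
        _revoked.add(claims.get("jti"))
    return {}

def userinfo(token_str, now=None):
    """/userinfo (OIDC): release only the claims the granted scopes allow."""
    info = introspect(token_str, now)
    if not info["active"]:
        return {"error": "invalid_token"}
    allowed = {c for s in info["scope"].split() for c in SCOPE_CLAIMS[s]}
    record = {"sub": info["sub"], **USERS[info["sub"]]}
    return {k: v for k, v in record.items() if k in allowed}

if __name__ == "__main__":
    step1 = authorize("app123", "https://app.example/cb", "openid email", "xyz", "alice")
    step2 = token("app123", "s3cr3t", step1["code"], "https://app.example/cb")
    print("userinfo:", userinfo(step2["access_token"]))  # only sub and email come back
    print("replay:", token("app123", "s3cr3t", step1["code"], "https://app.example/cb"))
    revoke(step2["access_token"])
    print("after revoke:", introspect(step2["access_token"]))
```

Three things to notice when running it: the authorization code is popped on first use, so a replayed code gets `invalid_grant`; the redirect URI is checked against the registration at /authorize rather than trusted from the request; and a resource server that calls /introspect sees revocation immediately, which a purely local JWT signature check never would.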
13. AGENDA
   • Assumptions
   • What problems are we solving?
   • AuthN vs AuthZ all the things
   • The Specifications
   • Threat/Attack Vectors

14. RECAP
   • Assumptions
   • What problems are we solving?
   • AuthN vs AuthZ all the things
   • The Specifications
   • Threat/Attack Vectors