GNAP: The future of OAuth

Transcript

1. GNAP THE FUTURE OF OAUTH @chalas_r

2. ROBIN CHALAS @chalas_r Les-Tilleuls.coop chalasr Core Team @chalas_r

3. DISCLAIMER I'M NOT A SECURITY EXPERT @chalas_r

4. DISCLAIMER 2 I MAY PRONOUNCE OAUTH INCORRECTLY @chalas_r

5. REMINDER WHAT IS OAUTH? @chalas_r

6. OAUTH? INDUSTRY-STANDARD AUTHORIZATION PROTOCOL FOR WEB, DESKTOP, MOBILE & IOT.

   @chalas_r

7. OAUTH WINS Successful as a standard Better than prior art

   Continuously improving @chalas_r

8. A BIT OF HISTORY OAUTH 1.0? For browser-based clients only

   Based on Flickr’s authorization API & Google’s AuthSub Security concerns on the clients' shoulders @chalas_r

9. OAUTH 1.0 Spring Security Docs @chalas_r

10. A BIT OF HISTORY OAUTH 2.0? Complete rewrite of OAuth

    1 For anything that builds on HTTP(S) Relies on TLS (& eventually JOSE) @chalas_r

11. OAUTH 2.0 Spring Security Docs @chalas_r

12. OAUTH 2.0 BUILT-IN GRANT TYPES Resource Owner Password Credentials Implicit

    Client Credentials Authorization Code @chalas_r

13. OAUTH 2.1 BUILT-IN GRANT TYPES Resource Owner Password Credentials Implicit

    Client Credentials Authorization Code + Proof Key for Code exchange (PKCE) @chalas_r

14. OAUTH 2.1 OTHER MAJOR CHANGES No more Bearer tokens in

    the query string (URL) Refresh tokens must either be one-time use or sender-constrained Simplified "Public VS Confidential clients" concept Identification/authentication concept is mentioned oauth2.net/2.1 @chalas_r

15. WHAT'S WRONG WITH OAUTH2? @chalas_r

16. None

17. OAUTH2 FLAWS OVERLY COMPLEX 28 RFC + 10 ACTIVE DRAFTS

    SaaS solutions exist e.g. Keycloak @chalas_r

18. OAUTH2 FLAWS AUTHENTICATION LEFT ASIDE 🎁 You've got 10+ more

    specifications to read! Welcome OpenID Connect openid.net/developers/specs/ @chalas_r

19. OAUTH2 FLAWS STILL TIED TO REDIRECTS THEREFORE TO BROWSERS @chalas_r

20. OAUTH2 FLAWS PROOF OF POSSESSION LATE TO THE GAME Welcome

    & Mutual-TLS DPoP @chalas_r

21. OAUTH2 FLAWS CRYPTO KEYS ROTATION NOT COVERED @chalas_r

22. OAUTH2 FLAWS PAINFUL ON MOBILE Better with RFC8252 - OAuth

    2.0 for Native Apps @chalas_r

23. OAUTH2 FLAWS OLD-FASHIONED UX/DX @chalas_r

24. 👋 GNAP @chalas_r

25. GRANT NEGOTIATION & AUTHORIZATION PROTOCOL @chalas_r

26. GNAP FOR MODERN APPLICATIONS' SECURITY NEEDS @chalas_r

27. FOR ANY CLIENT/PLATFORM GNAP: KEY POINTS @chalas_r

28. INTERACTIONS AS FIRST-CLASS CONCEPTS GNAP: KEY POINTS @chalas_r

29. NO PRE-FLIGHT DISCOVERY NEEDED GNAP: KEY POINTS @chalas_r

30. GNAP: KEY POINTS CRYPTO KEYS EVERYWHERE + (EXTENSIBLE) ROTATION MECHANISMS

    @chalas_r

31. GNAP: KEY POINTS BEARER TOKENS AND MORE @chalas_r

32. GNAP: KEY POINTS MULTIPLE ACCESS TOKENS PER GRANT REQUEST @chalas_r

33. GNAP: KEY POINTS BUILT-IN IDENTITY! @chalas_r

34. GNAP: KEY POINTS BETTER DEVELOPER ERGONOMICS @chalas_r

35. GNAP: OVERALL PROTOCOL SEQUENCE datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol#section-1.1

36. NOT BACKWARDS-COMPATIBLE WITH OAUTH2 @chalas_r

37. OAUTH GRANT TYPES EQUIVALENTS Auth Code Grant => redirect interaction

    mode (with automatic PKCE) Device Grant => user_code interaction mode Client Credentials Grant => Just a Grant request with no interaction @chalas_r

38. RELATIONSHIP TO OTHER SPECS OpenID Connect (OIDC) => Identity is

    part of GNAP Core & Resource Server. User-Managed Access (UMA) => Same can be achieved with only GNAP Core. Proof Of Posssesion (PoP, M-TLS & DPOP) => All tokens are key-bound by default in GNAP @chalas_r

39. CURRENT STATE WG STARTED IN OCTOBER 2020, LED BY .

    JUSTIN RICHER PROTOCOL IMPROVED A LOT SINCE THEN. @chalas_r

40. IT'S MOSTLY GETTING STABLE LAST WG MEETING HAPPENED IN NOVEMBER

    2022 NO PROTOCOL CHANGES. datatracker.ietf.org/meeting/114/materials/slides-114-gnap-protocol-slides-00 @chalas_r

41. NEXT STEPS? @chalas_r

42. GET INVOLVED Read the specification Subscribe to the mailing list

    Implement it in your favorite language (existing implementations available on ) ietf.org/mailman/listinfo/txauth oauth.xyz @chalas_r

43. WHAT ABOUT SYMFONY? @chalas_r

44. THANK YOU! @chalas_r @chalas_r