Status Quo of OAuth 2

Transcript

1. OAUTH 2.x

2. Niko Köbler | keycloak-experte.de Keycloak IAM & SSO ABOUT ME

   ▸ Independent Consultant/Architect/Developer/Trainer ▸ Doing stuff with & without Computers, Software, > 25 yrs ▸ "Mr. Keycloak" since 2015 (v1.x) ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA) ▸ Author of „Serverless Computing in AWS Cloud“ serverlessbuch.de ▸ Web: www.n-k.de / Social: @dasniko ▸ YouTube: youtube.com/@dasniko
3. None

4. STATUS QUO OF OAUTH2 DISCLAIMER This talk is not about

   what OAuth is and how it works!

5. STATUS QUO OF OAUTH2 OAuth 2.0 Standard, Specification or Framework?

6. STATUS QUO OF OAUTH2 OAuth 2.0 IETF, RFC 6749: The

   OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

7. STATUS QUO OF OAUTH2 Aaron Parecki, Okta, @aaronpk, 2020

8. How many RFC’s does it take to change a lightbulb!?

   Unkown Developer STATUS QUO OF OAUTH2

9. STATUS QUO OF OAUTH2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS

   RFC6749, 2012

10. STATUS QUO OF OAUTH2 2010 / 2012 iPhone 5 Internet

    Explorer 9 AJAX Apps (SPA) HTTP POST Form-Request instead of JSON CORS not yet established W3C-Standard The world was much simpler, less choices!

11. STATUS QUO OF OAUTH2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS

    RFC6749

12. STATUS QUO OF OAUTH2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS

    RFC6749 PKCE RFC7636

13. STATUS QUO OF OAUTH2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS

    RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252

14. STATUS QUO OF OAUTH2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS

    RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252 DEVICE CODE RFC8626

15. STATUS QUO OF OAUTH2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS

    RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252 DEVICE CODE RFC8626 PKCE FOR SPAS Browser App BCP

16. STATUS QUO OF OAUTH2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS

    RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252 DEVICE CODE RFC8626 SECURITY BCP PKCE FOR SPAS Browser App BCP PKCE for confidential clients RFCs about tokens (Bearer, JWT) not even mentioned here…!

17. STATUS QUO OF OAUTH2 AUTHORIZATION CODE + PKCE CLIENT CREDENTIALS

    OAuth 2.1 DEVICE CODE

18. STATUS QUO OF OAUTH2 OAuth 2.1 ➡ PKCE is required

    for all OAuth clients using the authorization code flow ➡ Implicit grant is omitted from the specification ➡ Resource Owner Password Credentials grant is omitted from the specification https://oauth.net/2.1/

19. STATUS QUO OF OAUTH2 OAuth 2.1 ➡ Redirect URIs must

    be compared using exact string matching ➡ Bearer token usage omits the use of bearer tokens in the query string of URIs ➡ Refresh tokens for public clients must either be sender- constrained or one-time use https://oauth.net/2.1/

20. STATUS QUO OF OAUTH2 OAuth 2.1 ➡ No new behavior

    is defined in OAuth 2.1! ➡ Nothing experimental, in-progress or not widely implemented! https://oauth.net/2.1/

21. STATUS QUO OF OAUTH2 OAuth 2.1 When will it be

    released? " Well, nobody knows #

22. It’s difficult to make predictions, especially about the future. Niels

    Bohr, Nobel Laureate in Quantum-Physics & Father of the Atomic model STATUS QUO OF OAUTH2

23. STATUS QUO OF OAUTH2 OAuth 2.1 When will it be

    released? " Well, nobody knows # …but there’s nothing what stops you from JUST USING it! $

24. STATUS QUO OF OAUTH2 https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

25. STATUS QUO OF OAUTH2 FUTURE!?

26. STATUS QUO OF OAUTH2 OAuth 2.1 is made to stay!

27. STATUS QUO OF OAUTH2 OAuth 3?

28. STATUS QUO OF OAUTH2 GNAP Grant Negotiation and Authorization Protocol

    An in-progress effort to develop a next-generation authorization protocol. Early drafts of the spec were called "XYZ", "TxAuth", and "Transactional Authorization". https://oauth.net/gnap/

29. STATUS QUO OF OAUTH2 Links OAuth 2.0 ▸ OAuth 2.0

    Overview: https://oauth.net/2/ ▸ OAuth Core, RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749 ▸ OAuth 2.0 Threat Model and Security Considerations, RFC 6819: https://datatracker.ietf.org/doc/html/rfc6819 ▸ OAuth 2.0 Token Revocation, RFC 7009: https://datatracker.ietf.org/doc/html/rfc7009 ▸ Proof Key for Code Exchange, RFC 7636: https://datatracker.ietf.org/doc/html/rfc7636 ▸ OAuth 2.0 for Native Apps, RFC 8252: https://datatracker.ietf.org/doc/html/rfc8252 ▸ OAuth 2.0 Device Authorization Grant, RFC 8628: https://datatracker.ietf.org/doc/html/rfc8628 ▸ OAuth 2.0 for Browser-Based Apps: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps ▸ OAuth 2.0 Security Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics

30. STATUS QUO OF OAUTH2 Links OAuth 2.1+ ▸ OAuth 2.1

    Overview: https://oauth.net/2.1/ ▸ OAuth 2.1 Draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1 ▸ GNAP Overview: https://oauth.net/gnap/

31. STATUS QUO OF OAUTH2 Links Token ▸ OAuth 2.0 Bearer

    Token Usage, RFC 6750: https://datatracker.ietf.org/doc/html/rfc6750 ▸ OAuth 2.0 Token Binding, Draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-08 ▸ OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, RFC 8705: https://datatracker.ietf.org/doc/html/rfc8705 ▸ JSON Web Token, RFC 7519: https://datatracker.ietf.org/doc/html/rfc7519 ▸ JSON Web Token (JWT) Best Current Practice: RFC 8725: https://datatracker.ietf.org/doc/html/rfc8725 ▸ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, RFC 9068: https://datatracker.ietf.org/doc/html/rfc9068

32. Thank You. Any Questions? Slides: https://speakerdeck.com/dasniko NIKO KÖBLER | www.n-k.de

    | [email protected] | @dasniko STATUS QUO OF OAUTH2