Status Quo of OAuth 2

Transcript

1. OAUTH next

2. ABOUT ME ▸ Independent Consultant/Architect/Developer/Trainer ▸ Doing stuff with &

   without Computers, Software, > 25 yrs ▸ "Mr. Keycloak" since 2015 (v1.x) ▸ Organizer of Keycloak DevDay Conf (keycloak-day.dev) ▸ Member of various IAM Expert groups ▸ Co-Lead of JUG DA (www.jug-da.de / @JUG_DA) ▸ Web: www.n-k.de / Social: @dasniko YouTube: youtube.com/@dasniko
3. None

4. The Status Quo of OAuth2 DISCLAIMER This talk is not

   about what OAuth is and how it works!

5. The Status Quo of OAuth2 OAuth Standard, Specification, Protocol or

   Framework?

6. The Status Quo of OAuth2 OAuth 1.0 ? IETF, RFC

   5849, 2007: OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

7. The Status Quo of OAuth2 OAuth 1.0 ? IETF, RFC

   5849, 2007: The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication. Digital Signatures, Crypto…

8. The Status Quo of OAuth2 OAuth 2.0 IETF, RFC 6749/6750:

   The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

9. The Status Quo of OAuth2 Aaron Parecki, Okta, @aaronpk, 2020

10. The Status Quo of OAuth2 How many RFC’s does it

    take to change a lightbulb!? Unkown Developer

11. The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT

    CREDENTIALS RFC6749, 2012

12. The Status Quo of OAuth2 Wait… " 2010 / 2012

    ?

13. The Status Quo of OAuth2 2010 / 2012 iPhone 5

    Internet Explorer 9 Server-side Applications AJAX Apps (SPA) HTTP POST Form-Request instead of JSON CORS not yet established W3C-Standard The world was much simpler, less choices!

14. The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT

    CREDENTIALS RFC6749

15. The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT

    CREDENTIALS RFC6749 PKCE RFC7636

16. The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT

    CREDENTIALS RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252

17. The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT

    CREDENTIALS RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252 DEVICE CODE RFC8626

18. The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT

    CREDENTIALS RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252 DEVICE CODE RFC8626 PKCE FOR SPAS Browser App BCP

19. The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT

    CREDENTIALS RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252 DEVICE CODE RFC8626 SECURITY BCP RFC 9700 PKCE FOR SPAS Browser App BCP PKCE for confidential clients RFCs about tokens (Bearer, JWT) not even mentioned here…! Exact string matching for RedirectURIs

20. The Status Quo of OAuth2 AUTHORIZATION CODE + PKCE CLIENT

    CREDENTIALS OAuth 2.1 DEVICE CODE

21. The Status Quo of OAuth2 OAuth 2.1 ➡ PKCE is

    required for all OAuth clients using the authorization code flow ➡ Implicit grant is omitted from the specification ➡ Resource Owner Password Credentials grant is omitted from the specification https://oauth.net/2.1/

22. The Status Quo of OAuth2 OAuth 2.1 ➡ Redirect URIs

    must be compared using exact string matching ➡ Bearer token usage omits the use of bearer tokens in the query string of URIs ➡ Refresh tokens for public clients must either be sender- constrained or one-time use https://oauth.net/2.1/

23. The Status Quo of OAuth2 OAuth 2.1 ➡ No new

    behavior is defined in OAuth 2.1! ➡ Nothing experimental, in-progress or not widely implemented! https://oauth.net/2.1/

24. The Status Quo of OAuth2 OAuth 2.1 When will it

    be released? # Well, nobody knows $

25. The Status Quo of OAuth2 It’s difficult to make predictions,

    especially about the future. Niels Bohr, Nobel Laureate in Quantum-Physics & Father of the Atomic model

26. The Status Quo of OAuth2 OAuth 2.1 When will it

    be released? # Well, nobody knows $ …but there’s nothing what stops you from JUST USING it! %

27. The Status Quo of OAuth2 https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

28. The Status Quo of OAuth2 FUTURE!?

29. The Status Quo of OAuth2 OAuth 2.1 is made to

    stay!

30. The Status Quo of OAuth2 OAuth 3?

31. The Status Quo of OAuth2 GNAP!

32. The Status Quo of OAuth2 Grant Negotiation & Authorization Protocol

    Next-generation authorization protocol RFC 9635, Oct. 2024 Dynamic registration of clients Only 1 endpoint Flexible negotiation (grants) Token binding / PoP Multi-context (not only browsers) Early drafts of the spec were called "XYZ", "TxAuth", and "Transactional Authorization". https://oauth.net/gnap/

33. The Status Quo of OAuth2 Links OAuth 2.0 ▸ OAuth

    2.0 Overview: https://oauth.net/2/ ▸ OAuth Core, RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749 ▸ OAuth 2.0 Threat Model and Security Considerations, RFC 6819: https://datatracker.ietf.org/doc/html/rfc6819 ▸ OAuth 2.0 Token Revocation, RFC 7009: https://datatracker.ietf.org/doc/html/rfc7009 ▸ Proof Key for Code Exchange, RFC 7636: https://datatracker.ietf.org/doc/html/rfc7636 ▸ OAuth 2.0 for Native Apps, RFC 8252: https://datatracker.ietf.org/doc/html/rfc8252 ▸ OAuth 2.0 Device Authorization Grant, RFC 8628: https://datatracker.ietf.org/doc/html/rfc8628 ▸ OAuth 2.0 for Browser-Based Apps: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps ▸ OAuth 2.0 Security Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics

34. The Status Quo of OAuth2 Links Token ▸ OAuth 2.0

    Bearer Token Usage, RFC 6750: https://datatracker.ietf.org/doc/html/rfc6750 ▸ OAuth 2.0 Token Binding, Draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-08 ▸ OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, RFC 8705: https://datatracker.ietf.org/doc/html/rfc8705 ▸ JSON Web Token, RFC 7519: https://datatracker.ietf.org/doc/html/rfc7519 ▸ JSON Web Token (JWT) Best Current Practice: RFC 8725: https://datatracker.ietf.org/doc/html/rfc8725 ▸ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, RFC 9068: https://datatracker.ietf.org/doc/html/rfc9068

35. The Status Quo of OAuth2 Links OAuth 2.1+ ▸ OAuth

    2.1 Overview: https://oauth.net/2.1/ ▸ OAuth 2.1 Draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1 ▸ GNAP Overview: https://oauth.net/gnap/

36. The Status Quo of OAuth2 NIKO KÖBLER | www.n-k.de |

    [email protected] | @dasniko THANK YOU. ANY QUESTIONS? Slides & Links: https://linktr.ee/dasniko