Status Quo of OAuth 2

Niko Köbler

April 23, 2024
Transcript

  1. Niko Köbler | keycloak-experte.de Keycloak IAM & SSO — ABOUT ME
     ▸ Freelance Consultant/Architect/Developer/Trainer
     ▸ Doing stuff with & without Computers, Software, ~25 yrs
     ▸ "Mr. Keycloak" since 2015 (v1.x)
     ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
     ▸ Author of „Serverless Computing in AWS Cloud" serverlessbuch.de
     ▸ Web: www.n-k.de / Social: @dasniko
     ▸ YouTube: youtube.com/@dasniko
  2. @DASNIKO STATUS QUO OF OAUTH2 — DISCLAIMER: This talk is not about what OAuth is and how it works!
  3. OAUTH 2.0 — IETF, RFC 6749: "The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service."
  4. 2010 / 2012 — The world was much simpler, fewer choices! iPhone 5; Internet Explorer 9; AJAX apps (SPA); HTTP POST form requests instead of JSON; CORS not yet an established W3C standard.
  5. AUTHORIZATION CODE / IMPLICIT / PASSWORD / CLIENT CREDENTIALS (RFC6749) · PKCE (RFC7636) · PKCE FOR MOBILE (RFC8252)
  6. AUTHORIZATION CODE / IMPLICIT / PASSWORD / CLIENT CREDENTIALS (RFC6749) · PKCE (RFC7636) · PKCE FOR MOBILE (RFC8252) · DEVICE CODE (RFC8628)
  7. AUTHORIZATION CODE / IMPLICIT / PASSWORD / CLIENT CREDENTIALS (RFC6749) · PKCE (RFC7636) · PKCE FOR MOBILE (RFC8252) · DEVICE CODE (RFC8628) · PKCE FOR SPAS (Browser App BCP)
  8. AUTHORIZATION CODE / IMPLICIT / PASSWORD / CLIENT CREDENTIALS (RFC6749) · PKCE (RFC7636) · PKCE FOR MOBILE (RFC8252) · DEVICE CODE (RFC8628) · SECURITY BCP · PKCE FOR SPAS (Browser App BCP) · PKCE for confidential clients — and the RFCs about tokens (Bearer, JWT) are not even mentioned here…!
  9. OAUTH 2.1
     ▸ PKCE is required for all OAuth clients using the authorization code flow
     ▸ Implicit grant is omitted from the specification
     ▸ Resource Owner Password Credentials grant is omitted from the specification
     https://oauth.net/2.1/
  10. OAUTH 2.1
     ▸ Redirect URIs must be compared using exact string matching
     ▸ Bearer token usage omits the use of bearer tokens in the query string of URIs
     ▸ Refresh tokens for public clients must either be sender-constrained or one-time use
     https://oauth.net/2.1/
  11. OAUTH 2.1 — No new behavior is defined in OAuth 2.1! Nothing experimental, in-progress or not widely implemented! https://oauth.net/2.1/
  12. OAUTH 2.1 — WHEN WILL IT BE RELEASED? 🎉 WELL, NOBODY KNOWS 🤷 …BUT THERE'S NOTHING THAT STOPS YOU FROM JUST USING IT! 🚀
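The OAuth 2.1 rules from slides 9 and 10 (mandatory PKCE with S256, exact redirect URI matching, no bearer tokens in the query string, one-time-use refresh tokens for public clients) as a small added Python illustration; this is not code from the deck or from Keycloak, and the URIs and token store are constructed for the example.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple:
    """Client side: a fresh 43-character high-entropy verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def pkce_ok(stored_challenge: str, method: str, verifier: str) -> bool:
    """Token endpoint: only S256 is accepted; the challenge stored with the code must match."""
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(stored_challenge, s256_challenge(verifier))


def redirect_uri_ok(registered: list, requested: str) -> bool:
    """Exact string comparison: no prefix, wildcard, case-folding or path normalisation."""
    return requested in registered


def bearer_in_query(url: str) -> bool:
    """OAuth 2.1 drops the query-string form; a resource server should reject such requests."""
    return "access_token" in parse_qs(urlparse(url).query)


class RefreshTokens:
    """One-time-use refresh tokens for a public client (constructed in-memory store):
    every use rotates the token, and a token presented twice is refused."""

    def __init__(self) -> None:
        self._live = set()

    def issue(self) -> str:
        token = b64url(secrets.token_bytes(32))
        self._live.add(token)
        return token

    def rotate(self, presented: str) -> Optional[str]:
        if presented not in self._live:
            return None  # unknown or already used: deny, and treat reuse as a signal worth logging
        self._live.discard(presented)
        return self.issue()
```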
  13. GNAP — Grant Negotiation and Authorization Protocol: An in-progress effort to develop a next-generation authorization protocol. Early drafts of the spec were called "XYZ", "TxAuth", and "Transactional Authorization". https://oauth.net/gnap/
  14. LINKS — OAUTH 2.0
     ▸ OAuth 2.0 Overview: https://oauth.net/2/
     ▸ OAuth Core, RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749
     ▸ OAuth 2.0 Threat Model and Security Considerations, RFC 6819: https://datatracker.ietf.org/doc/html/rfc6819
     ▸ OAuth 2.0 Token Revocation, RFC 7009: https://datatracker.ietf.org/doc/html/rfc7009
     ▸ Proof Key for Code Exchange, RFC 7636: https://datatracker.ietf.org/doc/html/rfc7636
     ▸ OAuth 2.0 for Native Apps, RFC 8252: https://datatracker.ietf.org/doc/html/rfc8252
     ▸ OAuth 2.0 Device Authorization Grant, RFC 8628: https://datatracker.ietf.org/doc/html/rfc8628
     ▸ OAuth 2.0 for Browser-Based Apps, Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
     ▸ OAuth 2.0 Security Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
  15. LINKS — OAUTH 2.1+
     ▸ OAuth 2.1 Overview: https://oauth.net/2.1/
     ▸ OAuth 2.1 Draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1
     ▸ GNAP Overview: https://oauth.net/gnap/
  16. LINKS — TOKEN
     ▸ OAuth 2.0 Bearer Token Usage, RFC 6750: https://datatracker.ietf.org/doc/html/rfc6750
     ▸ OAuth 2.0 Token Binding, Draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-08
     ▸ OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, RFC 8705: https://datatracker.ietf.org/doc/html/rfc8705
     ▸ JSON Web Token, RFC 7519: https://datatracker.ietf.org/doc/html/rfc7519
     ▸ JSON Web Token (JWT) Best Current Practice, RFC 8725: https://datatracker.ietf.org/doc/html/rfc8725
     ▸ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, RFC 9068: https://datatracker.ietf.org/doc/html/rfc9068