Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw
Manfred Steyer
November 22, 2019
Transcript
Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice
Manfred Steyer, SOFTWAREarchitekt.at, ManfredSteyer

Contents
• State of the Art
• Issues leading to new Best Practices
• Proposed Solution
• Token Refresh
• HTTP-only Cookies

About me…
• Manfred Steyer, SOFTWAREarchitekt.at
• Angular Trainings and Consultancy
• Google Developer Expert (GDE)
• Trusted Collaborator in the Angular Team
Workshops: Public in Frankfurt, Munich, Vienna; In-House everywhere. http://softwarearchitekt.at/workshops
State of the Art

Flow: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Access-Token
3. Access-Token
• One central user account
• Only the Authorization-Server sees the password
• Authentication decoupled from the client
• Tokens provide flexibility
• No cookies: no XSRF

Most Popular Solution: OAuth 2 and OpenId Connect

Implicit Flow w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Access-Token and Id-Token
3. Access-Token
Format: JSON Web Token (JWT)
Issues

The current Best Practices document advises against the Implicit Flow.

There are possible attacks! However, this is not new for us!

Have we been that naive in the last 6+ years? No!

All serious implementations used the Implicit Flow together with Best Practices to prevent those attacks! OpenId Connect enforces such Best Practices!

Implicit Flow w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Access-Token and Id-Token

Implicit Flow w/ OIDC (attack): Client, Attacker, Resource-Server
Hyperlink with the Attacker's Access-Token and Id-Token

Implicit Flow w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Access-Token and Id-Token
The tokens are part of the URL! Browser history? Server logs?
Proposed Solution

Code Flow w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Code
3. AJAX: Code
4. Redirection w/ Access-Token and Id-Token
5. Access-Token

Code Flow + PKCE w/ OIDC: Client, Authorization-Server, Resource-Server
(Client holds: verifier. Authorization-Server holds: Hash(verifier).)
1. Redirection + Hash(verifier)
2. Redirection w/ Code
3. AJAX: Code + verifier
4. Redirection w/ Access-Token and Id-Token
5. Access-Token
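The PKCE steps above, worked through as an added example (not code from the talk): the client derives Hash(verifier) with the S256 method, the authorization server remembers it against the one-time code, and in step 3 it recomputes the hash from the verifier it receives. The toy AuthorizationServer class and the demo() flow are constructed for this illustration; the encoding and hash follow RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: fresh random code_verifier (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """Client side: Hash(verifier) = BASE64URL(SHA256(ASCII(code_verifier))), method S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    # Toy authorization server (constructed for this example): only the PKCE bookkeeping.
    def __init__(self) -> None:
        self._pending = {}  # code -> Hash(verifier) received in step 1

    def authorize(self, challenge: str) -> str:
        # Steps 1/2: remember Hash(verifier), redirect back with a one-time code.
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = challenge
        return code

    def token(self, code: str, verifier: str) -> bool:
        # Steps 3/4: the code is consumed on any attempt, matching or not, so a
        # code captured from a URL, browser history or server log buys one failing try.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False  # unknown or already used code
        return hmac.compare_digest(make_challenge(verifier), challenge)


def demo() -> dict:
    srv = AuthorizationServer()
    verifier = make_verifier()
    code = srv.authorize(make_challenge(verifier))
    legit = srv.token(code, verifier)       # real client: has the verifier
    replay = srv.token(code, verifier)      # same code again: already consumed
    code2 = srv.authorize(make_challenge(make_verifier()))
    stolen = srv.token(code2, make_verifier())  # holder of the code only, no verifier
    return {"legit": legit, "replay": replay, "stolen_code": stolen}
```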
Stealing Tokens using XSS

Solutions
• Prevent XSS by using frameworks
• Look into CSP (Content Security Policy)
• Short-living tokens (~10 min)
Token Refresh

Refresh Token: Client, Authorization-Server, Resource-Server
Redirection w/ Access-Token and Id-Token and Refresh-Token

Refresh Token: Client, Authorization-Server, Resource-Server
Refresh-Token; Redirection w/ Access-Token and Id-Token and new Refresh-Token

Officially, Refresh Tokens are forbidden in the browser as they can be stolen too (XSS).

Allowed by the Best Practices Document if …
• You know the threats and take care of them (XSS!)
• The Refresh-Token is a one-time token!
• Log out users if it is used more than once!
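The two rules above (one-time refresh tokens, log out on reuse) as an added example of the authorization server's side, not code from the talk: each refresh rotates the token, a token presented twice revokes the whole session, because the server cannot tell whether the user or an XSS thief is the one replaying it. The RefreshTokenStore class, the session ids and the 600-second lifetime are constructed for this illustration.

```python
import secrets
import time


class RefreshTokenStore:
    """Authorization-server side of refresh-token rotation with reuse detection."""

    def __init__(self, now=time.time) -> None:
        self._now = now
        self._live = {}       # refresh token -> (session id, expires_at)
        self._spent = {}      # refresh token -> session id (already rotated once)
        self._revoked = set() # session ids whose users must log in again

    def issue(self, session_id: str, ttl_seconds: int = 600) -> str:
        token = secrets.token_urlsafe(32)
        self._live[token] = (session_id, self._now() + ttl_seconds)
        return token

    def refresh(self, token: str):
        """Rotate: return a new refresh token, or None if the client must log in again."""
        if token in self._spent:
            # Presented a second time: the user or a thief (XSS) holds a copy.
            # We cannot tell which one is talking, so the whole session is revoked.
            self._revoke(self._spent[token])
            return None
        entry = self._live.pop(token, None)
        if entry is None:
            return None  # never issued here, or already revoked
        session_id, expires_at = entry
        if session_id in self._revoked or self._now() > expires_at:
            return None
        self._spent[token] = session_id
        return self.issue(session_id)

    def _revoke(self, session_id: str) -> None:
        self._revoked.add(session_id)
        self._live = {t: v for t, v in self._live.items() if v[0] != session_id}

    def is_revoked(self, session_id: str) -> bool:
        return session_id in self._revoked


def demo() -> dict:
    store = RefreshTokenStore()
    rt1 = store.issue("session-42")
    rt2 = store.refresh(rt1)            # normal rotation: rt1 is now spent
    replay = store.refresh(rt1)         # rt1 again -> reuse detected, session logged out
    after = store.refresh(rt2)          # even the newest token is dead now
    return {"rotated": rt2 is not None, "replay": replay, "after_replay": after,
            "logged_out": store.is_revoked("session-42")}
```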
Alternative: HTTP-Only Cookies

The safest way to store tokens in the browser is HTTP-only cookies!

Client, Resource-Server ("Backend for Frontend"), Authorization-Server, Resource-Server 2
• The Access-Token is tunnelled through the backend
• Prevent XSRF with XSRF tokens
• The backend needs to be aware of the web client ("Backend for Frontend")
Consequences: Same Origin Policy
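The "Backend for Frontend" slide above as an added example, not code from the talk: the backend keeps the access token in a server-side session behind an HttpOnly cookie, tunnels resource-server calls, and rejects state-changing requests that do not echo the XSRF token, which a cross-origin page cannot read because of the Same Origin Policy. The BackendForFrontend class, the cookie names and the lambda standing in for the resource server are constructed for this illustration.

```python
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


class BackendForFrontend:
    """Web backend that keeps the tokens; the browser only holds a session cookie."""

    def __init__(self, resource_server) -> None:
        self._call_resource_server = resource_server  # (path, access_token) -> str
        self._sessions = {}  # session id -> {"access_token": ..., "xsrf": ...}

    def login_callback(self, access_token: str) -> dict:
        """After the code exchange (done server-side): create the session cookies."""
        sid, xsrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._sessions[sid] = {"access_token": access_token, "xsrf": xsrf}
        return {
            # HttpOnly: JavaScript (and therefore XSS) can never read the session id.
            "set_cookie": [f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/",
                           # Deliberately readable by the web client's JS, which echoes it
                           # in a header; a cross-origin page cannot read it (Same Origin Policy).
                           f"XSRF-TOKEN={xsrf}; Secure; SameSite=Lax; Path=/"],
            "cookies": {"sid": sid, "XSRF-TOKEN": xsrf},
        }

    def handle(self, method: str, path: str, cookies: dict, headers: dict):
        session = self._sessions.get(cookies.get("sid", ""))
        if session is None:
            return 401, "no session"
        if method in STATE_CHANGING:
            sent = headers.get("X-XSRF-TOKEN", "")
            if not hmac.compare_digest(sent, session["xsrf"]):
                return 403, "xsrf check failed"
        # Tunnel the call: the access token never leaves the backend.
        return 200, self._call_resource_server(path, session["access_token"])


def demo() -> dict:
    bff = BackendForFrontend(lambda path, token: f"{path} served with {token}")
    jar = bff.login_callback("access-token-123")["cookies"]   # what the browser stores
    echo = {"X-XSRF-TOKEN": jar["XSRF-TOKEN"]}                 # what the app's JS adds
    return {
        "get": bff.handle("GET", "/api/orders", jar, {}),
        "post_ok": bff.handle("POST", "/api/orders", jar, echo),
        "post_cross_site": bff.handle("POST", "/api/orders", jar, {}),  # cookie auto-sent, no header
        "no_session": bff.handle("GET", "/api/orders", {}, {}),
    }
```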
Conclusion
• Implicit Flow: Don't panic!
• New solutions: Code Flow + PKCE
• Refresh Tokens are allowed
• HTTP-only Cookies: Most secure but inconvenient

Contact and Downloads
[mail] [email protected]
[web] SOFTWAREarchitekt.at
[twitter] ManfredSteyer
Slides & Examples
Workshops: Public in Frankfurt, Munich, Vienna; In-House everywhere. http://softwarearchitekt.at/workshops