Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw
Manfred Steyer
November 22, 2019
Transcript
Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice
Manfred Steyer, SOFTWAREarchitekt.at, @ManfredSteyer
Contents
- State of the Art
- Issues leading to new Best Practices
- Proposed Solution
- Token Refresh
- HTTP-only Cookies
About me
- Manfred Steyer, SOFTWAREarchitekt.at
- Angular Trainings and Consultancy
- Google Developer Expert (GDE)
- Trusted Collaborator in the Angular Team
Workshops: Public in Frankfurt, Munich, Vienna; In-House everywhere. http://softwarearchitekt.at/workshops
State of the Art
Flow (Client, Authorization-Server, Resource-Server)
1. Redirection to the Authorization-Server
2. Redirection back w/ Access-Token
3. Access-Token sent to the Resource-Server
Benefits:
- One central user account
- Only the Authorization-Server sees the password
- Authentication decoupled from the client
- Tokens provide flexibility
- No cookies: no XSRF
Most Popular Solution: OAuth 2 and OpenID Connect

Implicit Flow w/ OIDC (Client, Authorization-Server, Resource-Server)
1. Redirection to the Authorization-Server
2. Redirection back w/ Access-Token and Id-Token
3. Access-Token sent to the Resource-Server
Token format: JSON Web Token (JWT)
Issues
The current Best Current Practice document advises against the Implicit Flow.
There are possible attacks! However, this is not new for us!
Have we been that naive in the last 6+ years?
No!
All serious implementations used the Implicit Flow together with best practices to prevent those attacks!
OpenID Connect enforces such best practices!
Implicit Flow w/ OIDC, recap (Client, Authorization-Server, Resource-Server)
1. Redirection to the Authorization-Server
2. Redirection back w/ Access-Token and Id-Token
Attack (Client, Attacker, Resource-Server): the attacker sends the client a hyperlink carrying the attacker's Access-Token and Id-Token.
Attack: the Access-Token and Id-Token are part of the URL! Browser history? Server logs?
Proposed Solution
Code Flow w/ OIDC (Client, Authorization-Server, Resource-Server)
1. Redirection to the Authorization-Server
2. Redirection back w/ Code
3. AJAX call to the Authorization-Server w/ Code
4. Response w/ Access-Token and Id-Token
5. Access-Token sent to the Resource-Server

Code Flow + PKCE w/ OIDC (Client, Authorization-Server, Resource-Server)
The client creates a random verifier and keeps it; only Hash(verifier) leaves the client up front.
1. Redirection to the Authorization-Server + Hash(verifier)
2. Redirection back w/ Code; the Authorization-Server stores Hash(verifier) next to the Code
3. AJAX call w/ Code + verifier; the Authorization-Server hashes the verifier and compares it with the stored Hash(verifier)
4. Response w/ Access-Token and Id-Token
5. Access-Token sent to the Resource-Server
Stealing Tokens using XSS
Solutions:
- Prevent XSS by using frameworks
- Look into CSP (Content Security Policy)
- Short-living tokens (~10 min)
Token Refresh

Refresh Token (Client, Authorization-Server, Resource-Server)
- Initial response: Access-Token and Id-Token and Refresh-Token
- Client sends the Refresh-Token; response: Access-Token and Id-Token and a new Refresh-Token
Officially, Refresh Tokens are forbidden in the browser as they can be stolen too (XSS).
Allowed by the Best Practices Document if …
- you know the threats and take care of them (XSS!)
- the Refresh-Token is a one-time token!
- users are logged out if a Refresh-Token is used more than once!
Alternative: HTTP-Only Cookies
The safest way to store tokens in the browser are HTTP-only cookies!
Client, Resource-Server ("Backend for Frontend"), Authorization-Server, Resource-Server2:
- The Access-Token is tunneled through the backend
- Prevent XSRF with XSRF-Tokens
- The backend needs to be aware of the web client ("Backend for Frontend")
- Consequences: Same Origin Policy
Conclusion
- Implicit Flow: Don't panic!
- New solutions: Code Flow + PKCE
- Refresh Tokens are allowed
- HTTP-only Cookies: Most secure but inconvenient
Contact and Downloads
[mail] [email protected]
[web] SOFTWAREarchitekt.at
[twitter] ManfredSteyer
Slides & Examples, Workshops: Public in Frankfurt, Munich, Vienna; In-House everywhere. http://softwarearchitekt.at/workshops