Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rethinking Token-based Security: OAuth 2.0 Secu...

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Manfred Steyer Manfred Steyer PRO
November 22, 2019
Programming
0
560

Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw

Avatar for Manfred Steyer

Manfred Steyer PRO

November 22, 2019
Tweet

More Decks by Manfred Steyer

See All by Manfred Steyer
Migration to Signals, Signal Forms, Resource API, and NgRx Signal Store @Angular Days 03/2026 Munich
Avatar for Manfred Steyer manfredsteyer
PRO
0
100
AI Assistants for Your Angular Solutions @Angular Graz, March 2026
Avatar for Manfred Steyer manfredsteyer
PRO
0
53
AI Assistants for Your Angular Solutions @ngVienna March 2026
Avatar for Manfred Steyer manfredsteyer
PRO
0
41
AI Assistants for Your Angular Solutions
Avatar for Manfred Steyer manfredsteyer
PRO
0
150
Nostalgia Meets Technology: Super Mario with TypeScript
Avatar for Manfred Steyer manfredsteyer
PRO
0
95
Full Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
Avatar for Manfred Steyer manfredsteyer
PRO
0
72
Premier Disciplin for Micro Frontends Multi Version/ Framework Scenarios @OOP 2026, Munic
Avatar for Manfred Steyer manfredsteyer
PRO
0
220
Beyond the Basics: Signal Forms
Avatar for Manfred Steyer manfredsteyer
PRO
0
130
360° Signals in Angular: Signal Forms with SignalStore & Resources @ngLondon 01/2026
Avatar for Manfred Steyer manfredsteyer
PRO
0
220

Other Decks in Programming

See All in Programming
grapheme_strrev関数が採択されました(あと雑感)
Avatar for てきめん tekimen youkidearitai
PRO
1
230
今からFlash開発できるわけないじゃん、ムリムリ! (※ムリじゃなかった!?)
Avatar for Sora Arakawa arkw
0
120
AI活用のコスパを最大化する方法
Avatar for Ochtum ochtum
0
230
守る「だけ」の優しいEMを抜けて、 事業とチームを両方見る視点を身につけた話
Avatar for Mitsui maroon8021
3
1.1k
CSC307 Lecture 15
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
260
Symfony + NelmioApiDocBundle を使った スキーマ駆動開発 / Schema Driven Development with NelmioApiDocBundle
Avatar for Shohei Okada okashoi
0
170
仕様漏れ実装漏れをなくすトレーサビリティAI基盤のご紹介
Avatar for Kuniwak orgachem
PRO
6
2.3k
最初からAWS CDKで技術検証してもいいんじゃない?
Avatar for アキキー | Akihisa Ikeda akihisaikeda
4
160
Kubernetesでセルフホストが簡単なNewSQLを求めて / Seeking a NewSQL Database That's Simple to Self-Host on Kubernetes
Avatar for nnaka2992 nnaka2992
0
160
モダンOBSプラグイン開発
Avatar for Kaito Udagawa umireon
0
160
Angular-Apps smarter machen mit Gen AI: Lokal und offlinefähig - Hands-on Workshop!
Avatar for Christian Liebel christianliebel
PRO
0
120
ふつうの Rubyist、ちいさなデバイス、大きな一年
Avatar for bash0C7 bash0c7
0
1.1k

Featured

See All Featured
WENDY [Excerpt]
Avatar for Tessa Abrams tessaabrams
9
36k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
133
19k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
269
14k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3.1k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
38
2.8k
Design in an AI World
Avatar for tapps tapps
0
170
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
698
190k
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1.1k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
100
A Guide to Academic Writing Using Generative AI - A Workshop
Avatar for Kenji Saito ks91
PRO
0
240
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
5
35k
How to Talk to Developers About Accessibility
Avatar for Jason CranfordTeague jct
2
150

Transcript

  1. Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice Manfred

    Steyer SOFTWAREarchitekt.at ManfredSteyer

  2. Contents State of the Art Issues leading to new Best

    Practices Proposed Solution Token Refresh HTTP-only Cookies

  3. About me… • Manfred Steyer SOFTWAREarchitekt.at • Angular Trainings and

    Consultancy • Google Developer Expert (GDE) • Trusted Collaborator in the Angular Team Page ▪ 3 Manfred Steyer Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops

  4. State of the Art

  5. Flow Folie▪ 5 Client Authorization-Server Resource-Server 1. Redirection 2. Redirection

    w/ Access-Token 3. Access-Token One central user account Only Auth-Svr. sees the Password Auth. decoupled from Client Tokens provide flexibility No Cookies: No XSRF

  6. Most Popular Solution: OAuth 2 and OpenId Connect

  7. Implicit Flow w/ OIDC Folie▪ 7 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token 3. Access-Token Format: JSON Web Token (JWT)

  8. Issues

  9. None

  10. Current Best Practices Document advices against Implicit Flow

  11. There are possible attacks! However, this is not new for

    us!
  12. None

  13. Have we been that naive in the last 6+ years?

    No!

  14. All serious implementations used Implicit Flow together with Best Practices

    to prevent those attacks!

  15. OpenId Connect enforces such Best Practices!

  16. Implicit Flow w/ OIDC Folie▪ 16 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token

  17. Implicit Flow w/ OIDC Folie▪ 17 Client Attacker Resource-Server Hyperlink

    with Attacker's w/ Access-Token and Id-Token

  18. Implicit Flow w/ OIDC Folie▪ 18 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token Part of the URL! Browser History? Server Logs?

  19. Proposed Solution

  20. Code Flow w/ OIDC Folie▪ 20 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Code

  21. Code Flow w/ OIDC Folie▪ 21 Client Authorization-Server Resource-Server 3.

    AJAX Code 4. Redirection w/ Access-Token and Id-Token 5. Access-Token

  22. Code Flow + PKCE w/ OIDC Folie▪ 22 Client Authorization-Server

    Resource-Server 1. Redirection + Hash(verifier) 2. Redirection w/ Code Hash(verifier) verifier

  23. Code Flow + PKCE w/ OIDC Folie▪ 23 Client Authorization-Server

    Resource-Server 3. AJAX Code + verifier 4. Redirection w/ Access-Token and Id-Token 5. Access-Token Hash(verifier) verifier verifier

  24. Code Flow + PKCE w/ OIDC Folie▪ 24 Client Authorization-Server

    Stealing Tokens using XSS

  25. Solutions Prevent XSS by using frameworks Look into CSP (Content

    Security Policy) Short-living Tokens (~ 10 min)

  26. Token Refresh Page ▪ 26

  27. Refresh Token Folie▪ 27 Client Authorization-Server Resource-Server Redirection w/ Access-Token

    und Id-Token and Refresh-Token

  28. Refresh Token Folie▪ 28 Client Authorization-Server Resource-Server Refresh-Token Redirection w/

    Access-Token und Id-Token and new Refresh-Token

  29. Officially, Refresh Tokens are forbidden in the browser as they

    can be stolen too (XSS).

  30. Allowed by the Best Practices Document if … • Know

    threats and take care of them (XSS!) • Refresh-Token is an one time token! • Log out users if used more than once!
  31. None

  32. Alternative: HTTP-Only Cookies

  33. The savest way to store tokens in the browser are

    HTTP Only Cookies!

  34. Client Resource-Server Authorization-Server Resource-Server2 Access-Token Tunnle through backend Prevent XSRF

    with XSRF-Tokens Needs to be aware of Web Client ("Backend for Frontend") Consequences Same Origin Policy

  35. Conclusion Implicit Flow: Don't panic! New solutions: Code Flow +

    PKCE Refresh Tokens are allowed HTTP-only Cookies: Most secure but inconvinient

  36. Contact and Downloads [mail] [email protected] [web] SOFTWAREarchitekt.at [twitter] ManfredSteyer d

    Slides & Examples Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops