Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw
Manfred Steyer
November 22, 2019
Programming
Transcript
Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice
Manfred Steyer, SOFTWAREarchitekt.at, Twitter: ManfredSteyer
Contents
• State of the Art
• Issues leading to new Best Practices
• Proposed Solution
• Token Refresh
• HTTP-only Cookies
About me…
• Manfred Steyer, SOFTWAREarchitekt.at
• Angular Trainings and Consultancy
• Google Developer Expert (GDE)
• Trusted Collaborator in the Angular Team
Workshops: Public in Frankfurt, Munich, Vienna; In-House everywhere. http://softwarearchitekt.at/workshops
State of the Art
Flow (Client, Authorization-Server, Resource-Server): 1. Redirection to the Authorization-Server 2. Redirection back w/ Access-Token 3. Access-Token sent to the Resource-Server
• One central user account
• Only the Authorization-Server sees the password
• Authentication is decoupled from the client
• Tokens provide flexibility
• No cookies: no XSRF
Most Popular Solution: OAuth 2 and OpenId Connect
Implicit Flow w/ OIDC (Client, Authorization-Server, Resource-Server): 1. Redirection 2. Redirection w/ Access-Token and Id-Token 3. Access-Token
Token format: JSON Web Token (JWT)
Issues
The current Best Current Practice document advises against the Implicit Flow.
There are possible attacks! However, this is not new for us!
Have we been that naive in the last 6+ years? No!
All serious implementations used the Implicit Flow together with best practices that prevent those attacks (e.g. state and nonce, exact redirect URI matching, aud/iss checks on the Id-Token).
OpenId Connect enforces such best practices!
Implicit Flow w/ OIDC (Client, Authorization-Server, Resource-Server): 1. Redirection 2. Redirection w/ Access-Token and Id-Token
Implicit Flow w/ OIDC (Client, Attacker, Resource-Server): Hyperlink with the attacker's … w/ Access-Token and Id-Token
Implicit Flow w/ OIDC (Client, Authorization-Server, Resource-Server): 1. Redirection 2. Redirection w/ Access-Token and Id-Token
The tokens are part of the redirect URL! Browser history? Server logs? Referrer headers?
Proposed Solution
Code Flow w/ OIDC (Client, Authorization-Server, Resource-Server): 1. Redirection 2. Redirection w/ Code (the short-lived, one-time authorization code is the only thing in the URL)
Code Flow w/ OIDC, continued: 3. AJAX call to the token endpoint w/ Code 4. Token response w/ Access-Token and Id-Token (an HTTP response, not a redirection, so the tokens never appear in a URL) 5. Access-Token sent to the Resource-Server
Code Flow + PKCE w/ OIDC (Client, Authorization-Server, Resource-Server): the client creates a random verifier and keeps it. 1. Redirection + Hash(verifier) (code_challenge, method S256) 2. Redirection w/ Code; the Authorization-Server stores Hash(verifier) next to the code
Code Flow + PKCE w/ OIDC, continued: 3. AJAX call to the token endpoint w/ Code + verifier; the Authorization-Server hashes the presented verifier and compares it with the stored Hash(verifier) 4. Token response w/ Access-Token and Id-Token 5. Access-Token sent to the Resource-Server
An attacker who intercepts the Code cannot redeem it without the verifier, which never left the client.
Stealing Tokens using XSS: with the code flow the tokens live in the browser (memory or storage), so an XSS vulnerability can still read and exfiltrate them.
Solutions
• Prevent XSS by using frameworks that escape output by default
• Look into CSP (Content Security Policy)
• Short-lived access tokens (~10 min) limit what a stolen token is worth
Token Refresh
Refresh Token (Client, Authorization-Server, Resource-Server): token response w/ Access-Token and Id-Token and Refresh-Token
Refresh Token, continued: the client sends the Refresh-Token to the token endpoint and gets a new Access-Token and Id-Token and a new Refresh-Token
Officially, refresh tokens have been forbidden in the browser, as they can be stolen too (XSS).
Allowed by the Best Current Practice document if …
• You know the threats and take care of them (XSS!)
• The Refresh-Token is a one-time token: every use returns a new one (rotation)
• If a Refresh-Token is used more than once, the Authorization-Server revokes the whole token family, which logs the user out
Alternative: HTTP-Only Cookies
The safest way to store tokens in the browser is HTTP-only cookies: script cannot read them, so XSS cannot exfiltrate the token itself (it can still issue requests from the victim's browser).
Client, Resource-Server (the web client's own backend), Authorization-Server, Resource-Server2: the Access-Token stays on the backend and calls to other resource servers are tunnelled through it
• Prevent XSRF with XSRF tokens (cookies are sent automatically again)
• The backend needs to be aware of the web client ("Backend for Frontend")
• Consequences: Same Origin Policy (the client and its backend must share an origin, or CORS with credentials has to be configured)
Conclusion
• Implicit Flow: don't panic, but plan the migration
• New solution: Code Flow + PKCE
• Refresh tokens are allowed, with rotation and reuse detection
• HTTP-only cookies: most secure, but inconvenient (backend for frontend, XSRF handling)
Contact and Downloads
[mail] [email protected]
[web] SOFTWAREarchitekt.at
[twitter] ManfredSteyer
Slides & Examples