Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Rethinking Token-based Security: OAuth 2.0 Secu...

Avatar for Manfred Steyer Manfred Steyer PRO
November 22, 2019
Programming
0
560

Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw

Avatar for Manfred Steyer

Manfred Steyer PRO

November 22, 2019
Tweet

More Decks by Manfred Steyer

See All by Manfred Steyer
Full-Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
Avatar for Manfred Steyer manfredsteyer
PRO
0
140
Your Architecture as a Crime Scene? Forensic Analysis
Avatar for Manfred Steyer manfredsteyer
PRO
0
100
Full-Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
Avatar for Manfred Steyer manfredsteyer
PRO
0
210
Your Architecture as a Crime Scene: Forensic Analysis
Avatar for Manfred Steyer manfredsteyer
PRO
0
90
Reactive Thinking with Signals and the new Resource API
Avatar for Manfred Steyer manfredsteyer
PRO
0
190
Rethinking Angular: The Future with Signal Store and the New Resource API @w-jax 2025, Munich
Avatar for Manfred Steyer manfredsteyer
PRO
0
78
Premier Disciplin for Micro Frontends Multi Version/ Framework Scenarios
Avatar for Manfred Steyer manfredsteyer
PRO
0
120
The Missing Link in Angular's Signal Story: Resource API and httpResource
Avatar for Manfred Steyer manfredsteyer
PRO
0
160
Rethinking Angular: The Future with Signals and the New Resource API @iJS Munich 2025
Avatar for Manfred Steyer manfredsteyer
PRO
0
97

Other Decks in Programming

See All in Programming
認証・認可の基本を学ぼう前編
Avatar for kaza kouyuume
0
200
堅牢なフロントエンドテスト基盤を構築するために行った取り組み
Avatar for Shogo Fukami shogo4131
8
2.4k
これだけで丸わかり!LangChain v1.0 アップデートまとめ
Avatar for os1ma os1ma
6
1.8k
Flutter On-device AI로 완성하는 오프라인 앱, 박제창 @DevFest INCHEON 2025
Avatar for JaiChangPark itsmedreamwalker
1
110
Github Copilotのチャット履歴ビューワーを作りました~WPF、dotnet10もあるよ~ #clrh111
Avatar for KatsuYuzu katsuyuzu
0
110
Canon EOS R50 V と R5 Mark II 購入でみえてきた最近のデジイチ VR180 事情、そして VR180 静止画に活路を見出すまで
Avatar for kazuhiro hara karad
0
110
複数人でのCLI/Infrastructure as Codeの暮らしを良くする
Avatar for Shoma Okamoto shmokmt
5
2.3k
React Native New Architecture 移行実践報告
Avatar for taminif taminif
1
150
【Streamlit x Snowflake】データ基盤からアプリ開発・AI活用まで、すべてをSnowflake内で実現
Avatar for Ayumu Yamaguchi ayumu_yamaguchi
1
120
ハイパーメディア駆動アプリケーションとIslandアーキテクチャ: htmxによるWebアプリケーション開発と動的UIの局所的適用
Avatar for Ryota Nakamura nowaki28
0
420
Socio-Technical Evolution: Growing an Architecture and Its Organization for Fast Flow
Avatar for Chris Richardson cer
PRO
0
340
新卒エンジニアのプルリクエスト with AI駆動
Avatar for Yuta Fukunaga fukunaga2025
0
220

Featured

See All Featured
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
5
800
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
12k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
51k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
9
510
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
196
70k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
25k
Done Done
Avatar for chrislema chrislema
186
16k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4.1k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
37
2.6k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
120k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k

Transcript

  1. Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice Manfred

    Steyer SOFTWAREarchitekt.at ManfredSteyer

  2. Contents State of the Art Issues leading to new Best

    Practices Proposed Solution Token Refresh HTTP-only Cookies

  3. About me… • Manfred Steyer SOFTWAREarchitekt.at • Angular Trainings and

    Consultancy • Google Developer Expert (GDE) • Trusted Collaborator in the Angular Team Page ▪ 3 Manfred Steyer Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops

  4. State of the Art

  5. Flow Folie▪ 5 Client Authorization-Server Resource-Server 1. Redirection 2. Redirection

    w/ Access-Token 3. Access-Token One central user account Only Auth-Svr. sees the Password Auth. decoupled from Client Tokens provide flexibility No Cookies: No XSRF

  6. Most Popular Solution: OAuth 2 and OpenId Connect

  7. Implicit Flow w/ OIDC Folie▪ 7 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token 3. Access-Token Format: JSON Web Token (JWT)

  8. Issues

  9. None

  10. Current Best Practices Document advices against Implicit Flow

  11. There are possible attacks! However, this is not new for

    us!
  12. None

  13. Have we been that naive in the last 6+ years?

    No!

  14. All serious implementations used Implicit Flow together with Best Practices

    to prevent those attacks!

  15. OpenId Connect enforces such Best Practices!

  16. Implicit Flow w/ OIDC Folie▪ 16 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token

  17. Implicit Flow w/ OIDC Folie▪ 17 Client Attacker Resource-Server Hyperlink

    with Attacker's w/ Access-Token and Id-Token

  18. Implicit Flow w/ OIDC Folie▪ 18 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token Part of the URL! Browser History? Server Logs?

  19. Proposed Solution

  20. Code Flow w/ OIDC Folie▪ 20 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Code

  21. Code Flow w/ OIDC Folie▪ 21 Client Authorization-Server Resource-Server 3.

    AJAX Code 4. Redirection w/ Access-Token and Id-Token 5. Access-Token

  22. Code Flow + PKCE w/ OIDC Folie▪ 22 Client Authorization-Server

    Resource-Server 1. Redirection + Hash(verifier) 2. Redirection w/ Code Hash(verifier) verifier

  23. Code Flow + PKCE w/ OIDC Folie▪ 23 Client Authorization-Server

    Resource-Server 3. AJAX Code + verifier 4. Redirection w/ Access-Token and Id-Token 5. Access-Token Hash(verifier) verifier verifier

  24. Code Flow + PKCE w/ OIDC Folie▪ 24 Client Authorization-Server

    Stealing Tokens using XSS

  25. Solutions Prevent XSS by using frameworks Look into CSP (Content

    Security Policy) Short-living Tokens (~ 10 min)

  26. Token Refresh Page ▪ 26

  27. Refresh Token Folie▪ 27 Client Authorization-Server Resource-Server Redirection w/ Access-Token

    und Id-Token and Refresh-Token

  28. Refresh Token Folie▪ 28 Client Authorization-Server Resource-Server Refresh-Token Redirection w/

    Access-Token und Id-Token and new Refresh-Token

  29. Officially, Refresh Tokens are forbidden in the browser as they

    can be stolen too (XSS).

  30. Allowed by the Best Practices Document if … • Know

    threats and take care of them (XSS!) • Refresh-Token is an one time token! • Log out users if used more than once!
  31. None

  32. Alternative: HTTP-Only Cookies

  33. The savest way to store tokens in the browser are

    HTTP Only Cookies!

  34. Client Resource-Server Authorization-Server Resource-Server2 Access-Token Tunnle through backend Prevent XSRF

    with XSRF-Tokens Needs to be aware of Web Client ("Backend for Frontend") Consequences Same Origin Policy

  35. Conclusion Implicit Flow: Don't panic! New solutions: Code Flow +

    PKCE Refresh Tokens are allowed HTTP-only Cookies: Most secure but inconvinient

  36. Contact and Downloads [mail] [email protected] [web] SOFTWAREarchitekt.at [twitter] ManfredSteyer d

    Slides & Examples Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops