Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw
Manfred Steyer
November 22, 2019
Transcript
Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice
Manfred Steyer, SOFTWAREarchitekt.at, @ManfredSteyer
Contents
• State of the Art
• Issues leading to new Best Practices
• Proposed Solution
• Token Refresh
• HTTP-only Cookies
About me…
• Manfred Steyer, SOFTWAREarchitekt.at
• Angular Trainings and Consultancy
• Google Developer Expert (GDE)
• Trusted Collaborator in the Angular Team
Workshops: Public in Frankfurt, Munich, Vienna; In-House everywhere. http://softwarearchitekt.at/workshops
State of the Art
Flow: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Access-Token
3. Access-Token
• One central user account
• Only the Authorization-Server sees the password
• Authentication decoupled from the Client
• Tokens provide flexibility
• No Cookies: No XSRF
Most Popular Solution: OAuth 2 and OpenId Connect
Implicit Flow w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Access-Token and Id-Token
3. Access-Token
Format: JSON Web Token (JWT)
Issues
The current Best Practices Document advises against the Implicit Flow
There are possible attacks! However, this is not new for us!
Have we been that naive in the last 6+ years?
No!
All serious implementations used the Implicit Flow together with Best Practices to prevent those attacks!
OpenId Connect enforces such Best Practices!
Implicit Flow w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Access-Token and Id-Token
Implicit Flow w/ OIDC: Client, Attacker, Resource-Server
Hyperlink with the Attacker's Access-Token and Id-Token
Implicit Flow w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Access-Token and Id-Token
Tokens are part of the URL! Browser History? Server Logs?
Proposed Solution
Code Flow w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection
2. Redirection w/ Code
3. AJAX: Code
4. Response w/ Access-Token and Id-Token
5. Access-Token
Code Flow + PKCE w/ OIDC: Client, Authorization-Server, Resource-Server
1. Redirection + Hash(verifier) (the Client keeps the verifier)
2. Redirection w/ Code (the Authorization-Server keeps Hash(verifier))
3. AJAX: Code + verifier
4. Response w/ Access-Token and Id-Token (after checking Hash(verifier))
5. Access-Token
Stealing Tokens using XSS
Solutions
• Prevent XSS by using frameworks
• Look into CSP (Content Security Policy)
• Short-lived Tokens (~ 10 min)
Token Refresh
Refresh Token: Client, Authorization-Server, Resource-Server
Redirection w/ Access-Token and Id-Token and Refresh-Token
Refresh Token: Client, Authorization-Server, Resource-Server
Refresh-Token sent to the Authorization-Server; response w/ Access-Token and Id-Token and new Refresh-Token
Officially, Refresh Tokens are forbidden in the browser as they can be stolen too (XSS).
Allowed by the Best Practices Document if …
• You know the threats and take care of them (XSS!)
• The Refresh-Token is a one-time token!
• Users are logged out if a Refresh-Token is used more than once!
Alternative: HTTP-Only Cookies
The safest way to store tokens in the browser is HTTP-only Cookies!
Client, Resource-Server ("Backend for Frontend"), Authorization-Server, Resource-Server2
• The Access-Token is tunneled through the backend
• Prevent XSRF with XSRF-Tokens
• The backend needs to be aware of the Web Client ("Backend for Frontend")
• Consequences: Same Origin Policy
Conclusion
• Implicit Flow: Don't panic!
• New solutions: Code Flow + PKCE
• Refresh Tokens are allowed
• HTTP-only Cookies: Most secure but inconvenient
Contact and Downloads
[mail] [email protected]
[web] SOFTWAREarchitekt.at
[twitter] ManfredSteyer
Slides & Examples