Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rethinking Token-based Security: OAuth 2.0 Secu...

Avatar for Manfred Steyer Manfred Steyer PRO
November 22, 2019
Programming
560
0

Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw

Avatar for Manfred Steyer

Manfred Steyer PRO

November 22, 2019

More Decks by Manfred Steyer

See All by Manfred Steyer
Agentic AI in the Frontend: Architectures with Open Standards @iJS London 2026
Avatar for Manfred Steyer manfredsteyer
PRO
0
39
Agentic AI & UI: Arcitecture, HITL, Emerging Standards
Avatar for Manfred Steyer manfredsteyer
PRO
0
35
Agentic UI Requires Standards: AG-UI, A2UI, and MCP Apps Work Together @Angular London
Avatar for Manfred Steyer manfredsteyer
PRO
1
36
Signal Forms: Beyond the Basics @ngBelgrade 2026
Avatar for Manfred Steyer manfredsteyer
PRO
0
120
Agentic UI in the Frontend: Architectures with Open Standards @JAX 2026 in Mainz
Avatar for Manfred Steyer manfredsteyer
PRO
0
97
Rethinking Angular: The Future with Signal Store and the New Resource API @JAX 2024 in Mainz
Avatar for Manfred Steyer manfredsteyer
PRO
0
61
Agentic UI with Angular @ngAir April 2025
Avatar for Manfred Steyer manfredsteyer
PRO
0
180
Migration to Signals, Signal Forms, Resource API, and NgRx Signal Store @Angular Days 03/2026 Munich
Avatar for Manfred Steyer manfredsteyer
PRO
0
340
AI Assistants for Your Angular Solutions @Angular Graz, March 2026
Avatar for Manfred Steyer manfredsteyer
PRO
0
200

Other Decks in Programming

See All in Programming
決定論 vs 確率論:Gemini 3 FlashとTF-IDFを組み合わせた「法規判定エンジン」の構築
Avatar for Shu Kobuchi shukob
0
150
20260514 - build with ai 2026 - build LINE Bot with Gemini CLI
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
240
ハーネスエンジニアリングとは?
Avatar for kinopee kinopeee
13
6.8k
AIと共に生きる技術選定 2026
Avatar for Sugar Sato sgash708
0
120
Road to RubyKaigi: Play Hard(ware)
Avatar for makicamel makicamel
1
550
GoogleCloudとterraform完全に理解した
Avatar for Terisuke terisuke
1
190
Programming with a DJ Controller — not vibe coding
Avatar for seki at druby.org m_seki
3
780
The Less-Told Story of Socket Timeouts
Avatar for Misaki Shioi(塩井美咲/しおい) coe401_
3
970
書き換えて学ぶTemporal #fukts
Avatar for Hiroyuki ANAI pirosikick
2
350
Vibe NLP for Applied NLP
Avatar for Ines Montani inesmontani
PRO
0
600
Claude CodeでETLジョブ実行テストを自動化してみた
Avatar for yoshiki kasama yoshikikasama
0
1.1k
「話せることがない」を乗り越える 〜日常業務から登壇テーマをつくる思考法〜
Avatar for ShoheiMitani shoheimitani
4
970

Featured

See All Featured
Unsuck your backbone
Avatar for Amy Palamountain ammeep
672
58k
The Illustrated Guide to Node.js - THAT Conference 2024
Avatar for David Neal reverentgeek
1
340
Primal Persuasion: How to Engage the Brain for Learning That Lasts
Avatar for Mike Taylor tmiket
0
330
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
26k
Claude Code のすすめ
Avatar for schroneko schroneko
67
220k
<Decoding/> the Language of Devs - We Love SEO 2024
Avatar for Nikki Halliwell nikkihalliwell
1
210
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
28
2.6k
The Mindset for Success: Future Career Progression
Avatar for Greg Gifford greggifford
PRO
0
320
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
128
17k
From π to Pie charts
Avatar for Rasagy Sharma rasagy
0
180
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
3k

Transcript

  1. Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice Manfred

    Steyer SOFTWAREarchitekt.at ManfredSteyer

  2. Contents State of the Art Issues leading to new Best

    Practices Proposed Solution Token Refresh HTTP-only Cookies

  3. About me… • Manfred Steyer SOFTWAREarchitekt.at • Angular Trainings and

    Consultancy • Google Developer Expert (GDE) • Trusted Collaborator in the Angular Team Page ▪ 3 Manfred Steyer Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops

  4. State of the Art

  5. Flow Folie▪ 5 Client Authorization-Server Resource-Server 1. Redirection 2. Redirection

    w/ Access-Token 3. Access-Token One central user account Only Auth-Svr. sees the Password Auth. decoupled from Client Tokens provide flexibility No Cookies: No XSRF

  6. Most Popular Solution: OAuth 2 and OpenId Connect

  7. Implicit Flow w/ OIDC Folie▪ 7 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token 3. Access-Token Format: JSON Web Token (JWT)

  8. Issues

  9. None

  10. Current Best Practices Document advices against Implicit Flow

  11. There are possible attacks! However, this is not new for

    us!
  12. None

  13. Have we been that naive in the last 6+ years?

    No!

  14. All serious implementations used Implicit Flow together with Best Practices

    to prevent those attacks!

  15. OpenId Connect enforces such Best Practices!

  16. Implicit Flow w/ OIDC Folie▪ 16 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token

  17. Implicit Flow w/ OIDC Folie▪ 17 Client Attacker Resource-Server Hyperlink

    with Attacker's w/ Access-Token and Id-Token

  18. Implicit Flow w/ OIDC Folie▪ 18 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token Part of the URL! Browser History? Server Logs?

  19. Proposed Solution

  20. Code Flow w/ OIDC Folie▪ 20 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Code

  21. Code Flow w/ OIDC Folie▪ 21 Client Authorization-Server Resource-Server 3.

    AJAX Code 4. Redirection w/ Access-Token and Id-Token 5. Access-Token

  22. Code Flow + PKCE w/ OIDC Folie▪ 22 Client Authorization-Server

    Resource-Server 1. Redirection + Hash(verifier) 2. Redirection w/ Code Hash(verifier) verifier

  23. Code Flow + PKCE w/ OIDC Folie▪ 23 Client Authorization-Server

    Resource-Server 3. AJAX Code + verifier 4. Redirection w/ Access-Token and Id-Token 5. Access-Token Hash(verifier) verifier verifier

  24. Code Flow + PKCE w/ OIDC Folie▪ 24 Client Authorization-Server

    Stealing Tokens using XSS

  25. Solutions Prevent XSS by using frameworks Look into CSP (Content

    Security Policy) Short-living Tokens (~ 10 min)

  26. Token Refresh Page ▪ 26

  27. Refresh Token Folie▪ 27 Client Authorization-Server Resource-Server Redirection w/ Access-Token

    und Id-Token and Refresh-Token

  28. Refresh Token Folie▪ 28 Client Authorization-Server Resource-Server Refresh-Token Redirection w/

    Access-Token und Id-Token and new Refresh-Token

  29. Officially, Refresh Tokens are forbidden in the browser as they

    can be stolen too (XSS).

  30. Allowed by the Best Practices Document if … • Know

    threats and take care of them (XSS!) • Refresh-Token is an one time token! • Log out users if used more than once!
  31. None

  32. Alternative: HTTP-Only Cookies

  33. The savest way to store tokens in the browser are

    HTTP Only Cookies!

  34. Client Resource-Server Authorization-Server Resource-Server2 Access-Token Tunnle through backend Prevent XSRF

    with XSRF-Tokens Needs to be aware of Web Client ("Backend for Frontend") Consequences Same Origin Policy

  35. Conclusion Implicit Flow: Don't panic! New solutions: Code Flow +

    PKCE Refresh Tokens are allowed HTTP-only Cookies: Most secure but inconvinient

  36. Contact and Downloads [mail] [email protected] [web] SOFTWAREarchitekt.at [twitter] ManfredSteyer d

    Slides & Examples Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops