Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rethinking Token-based Security: OAuth 2.0 Secu...

Avatar for Manfred Steyer Manfred Steyer
PRO
November 22, 2019
Programming
0
550

Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw

Avatar for Manfred Steyer

Manfred Steyer
PRO

November 22, 2019
Tweet

More Decks by Manfred Steyer

See All by Manfred Steyer
Modern Angular with Signals and Signal Store: New Rules for Your Architecture @enterJS Advanced Angular Day 2025
Avatar for Manfred Steyer manfredsteyer
PRO
0
170
The Missing Link in Angular‘s Signal Story Resource API and httpResource @ngRome 2025
Avatar for Manfred Steyer manfredsteyer
PRO
0
80
Your Architecture as a Crime Scene: Forensic Analysis
Avatar for Manfred Steyer manfredsteyer
PRO
0
140
Rethinking Data Access: The New httpResource in Angular
Avatar for Manfred Steyer manfredsteyer
PRO
0
290
Reactive Thinking with Signals, Resource API, and httpResource @Devm.io Angular 20 Launch Party
Avatar for Manfred Steyer manfredsteyer
PRO
0
190
JavaScript as a Crime Scene Forensic Analysis
Avatar for Manfred Steyer manfredsteyer
PRO
0
90
Modern Angular with Signals and Signal Store: New Rules for Your Architecture @jax2025 in Mainz, Germany
Avatar for Manfred Steyer manfredsteyer
PRO
0
170
Premier Disciplin for Micro Frontends Multi Version/ Framework Scenarios
Avatar for Manfred Steyer manfredsteyer
PRO
0
98
Your Architecture as a Crime Scene Forensic Analysis
Avatar for Manfred Steyer manfredsteyer
PRO
0
72

Other Decks in Programming

See All in Programming
datadog dash 2025 LLM observability for reliability and stability
Avatar for 株式会社IVRy(社員登壇資料) ivry_presentationmaterials
0
420
エンジニア向け採用ピッチ資料
Avatar for 犬飼嵩 inusan
0
180
Railsアプリケーションと パフォーマンスチューニング ー 秒間5万リクエストの モバイルオーダーシステムを支える事例 ー Rubyセミナー 大阪
Avatar for Hayato OKUMOTO falcon8823
4
1k
初学者でも今すぐできる、Claude Codeの生産性を10倍上げるTips
Avatar for Oikon s4yuba
3
3.1k
WebViewの現在地 - SwiftUI時代のWebKit - / The Current State Of WebView
Avatar for marcy731 marcy731
0
110
AIエージェントはこう育てる - GitHub Copilot Agentとチームの共進化サイクル
Avatar for Akira Kobori koboriakira
0
480
GitHub Copilot and GitHub Codespaces Hands-on
Avatar for Kento.Yamada ymd65536
1
140
生成AIコーディングとの向き合い方、AIと共創するという考え方 / How to deal with generative AI coding and the concept of co-creating with AI
Avatar for shiro seike seike460
PRO
1
350
今ならAmazon ECSのサービス間通信をどう選ぶか / Selection of ECS Interservice Communication 2025
Avatar for Tetsuya Kikuchi tkikuc
21
3.8k
童醫院敏捷轉型的實踐經驗
Avatar for Max Lai cclai999
0
210
関数型まつりレポート for JuliaTokai #22
Avatar for GOTOH Shunsuke antimon2
0
160
第9回 情シス転職ミートアップ 株式会社IVRy(アイブリー)の紹介
Avatar for 株式会社IVRy(社員登壇資料) ivry_presentationmaterials
1
260

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
367
19k
A better future with KSS
Avatar for Kyle Neath kneath
239
17k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.3k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
500
It's Worth the Effort
Avatar for 3n 3n
185
28k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
614
210k
Building an army of robots
Avatar for Kyle Neath kneath
306
45k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
26k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.7k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k

Transcript

  1. Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice Manfred

    Steyer SOFTWAREarchitekt.at ManfredSteyer

  2. Contents State of the Art Issues leading to new Best

    Practices Proposed Solution Token Refresh HTTP-only Cookies

  3. About me… • Manfred Steyer SOFTWAREarchitekt.at • Angular Trainings and

    Consultancy • Google Developer Expert (GDE) • Trusted Collaborator in the Angular Team Page ▪ 3 Manfred Steyer Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops

  4. State of the Art

  5. Flow Folie▪ 5 Client Authorization-Server Resource-Server 1. Redirection 2. Redirection

    w/ Access-Token 3. Access-Token One central user account Only Auth-Svr. sees the Password Auth. decoupled from Client Tokens provide flexibility No Cookies: No XSRF

  6. Most Popular Solution: OAuth 2 and OpenId Connect

  7. Implicit Flow w/ OIDC Folie▪ 7 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token 3. Access-Token Format: JSON Web Token (JWT)

  8. Issues

  9. None

  10. Current Best Practices Document advices against Implicit Flow

  11. There are possible attacks! However, this is not new for

    us!
  12. None

  13. Have we been that naive in the last 6+ years?

    No!

  14. All serious implementations used Implicit Flow together with Best Practices

    to prevent those attacks!

  15. OpenId Connect enforces such Best Practices!

  16. Implicit Flow w/ OIDC Folie▪ 16 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token

  17. Implicit Flow w/ OIDC Folie▪ 17 Client Attacker Resource-Server Hyperlink

    with Attacker's w/ Access-Token and Id-Token

  18. Implicit Flow w/ OIDC Folie▪ 18 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token Part of the URL! Browser History? Server Logs?

  19. Proposed Solution

  20. Code Flow w/ OIDC Folie▪ 20 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Code

  21. Code Flow w/ OIDC Folie▪ 21 Client Authorization-Server Resource-Server 3.

    AJAX Code 4. Redirection w/ Access-Token and Id-Token 5. Access-Token

  22. Code Flow + PKCE w/ OIDC Folie▪ 22 Client Authorization-Server

    Resource-Server 1. Redirection + Hash(verifier) 2. Redirection w/ Code Hash(verifier) verifier

  23. Code Flow + PKCE w/ OIDC Folie▪ 23 Client Authorization-Server

    Resource-Server 3. AJAX Code + verifier 4. Redirection w/ Access-Token and Id-Token 5. Access-Token Hash(verifier) verifier verifier

  24. Code Flow + PKCE w/ OIDC Folie▪ 24 Client Authorization-Server

    Stealing Tokens using XSS

  25. Solutions Prevent XSS by using frameworks Look into CSP (Content

    Security Policy) Short-living Tokens (~ 10 min)

  26. Token Refresh Page ▪ 26

  27. Refresh Token Folie▪ 27 Client Authorization-Server Resource-Server Redirection w/ Access-Token

    und Id-Token and Refresh-Token

  28. Refresh Token Folie▪ 28 Client Authorization-Server Resource-Server Refresh-Token Redirection w/

    Access-Token und Id-Token and new Refresh-Token

  29. Officially, Refresh Tokens are forbidden in the browser as they

    can be stolen too (XSS).

  30. Allowed by the Best Practices Document if … • Know

    threats and take care of them (XSS!) • Refresh-Token is an one time token! • Log out users if used more than once!
  31. None

  32. Alternative: HTTP-Only Cookies

  33. The savest way to store tokens in the browser are

    HTTP Only Cookies!

  34. Client Resource-Server Authorization-Server Resource-Server2 Access-Token Tunnle through backend Prevent XSRF

    with XSRF-Tokens Needs to be aware of Web Client ("Backend for Frontend") Consequences Same Origin Policy

  35. Conclusion Implicit Flow: Don't panic! New solutions: Code Flow +

    PKCE Refresh Tokens are allowed HTTP-only Cookies: Most secure but inconvinient

  36. Contact and Downloads [mail] [email protected] [web] SOFTWAREarchitekt.at [twitter] ManfredSteyer d

    Slides & Examples Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops