Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rethinking Token-based Security: OAuth 2.0 Secu...

Avatar for Manfred Steyer Manfred Steyer PRO
November 22, 2019
Programming
0
560

Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice @jsPoland 2019 Warsaw

Avatar for Manfred Steyer

Manfred Steyer PRO

November 22, 2019
Tweet

More Decks by Manfred Steyer

See All by Manfred Steyer
Premier Disciplin for Micro Frontends Multi Version/ Framework Scenarios @OOP 2026, Munic
Avatar for Manfred Steyer manfredsteyer
PRO
0
91
Beyond the Basics: Signal Forms
Avatar for Manfred Steyer manfredsteyer
PRO
0
63
360° Signals in Angular: Signal Forms with SignalStore & Resources @ngLondon 01/2026
Avatar for Manfred Steyer manfredsteyer
PRO
0
140
All About Angular‘s New Signal Forms
Avatar for Manfred Steyer manfredsteyer
PRO
0
29
Full-Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
Avatar for Manfred Steyer manfredsteyer
PRO
0
260
Your Architecture as a Crime Scene? Forensic Analysis
Avatar for Manfred Steyer manfredsteyer
PRO
0
180
Full-Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
Avatar for Manfred Steyer manfredsteyer
PRO
0
280
Your Architecture as a Crime Scene: Forensic Analysis
Avatar for Manfred Steyer manfredsteyer
PRO
0
130
Reactive Thinking with Signals and the new Resource API
Avatar for Manfred Steyer manfredsteyer
PRO
0
250

Other Decks in Programming

See All in Programming
React Native × React Router v7 API通信の共通化で考えるべきこと
Avatar for Suguru Ohki suguruooki
0
100
今から始めるClaude Code超入門
Avatar for 448jp | OKI Yoshiya 448jp
8
9.1k
「ブロックテーマでは再現できない」は本当か?
Avatar for Takashi Kitajima inc2734
0
1k
FOSDEM 2026: STUNMESH-go: Building P2P WireGuard Mesh Without Self-Hosted Infrastructure
Avatar for Date Huang tjjh89017
0
180
AI & Enginnering
Avatar for codelynx codelynx
0
120
OSSとなったswift-buildで Xcodeのビルドを差し替えられるため 自分でXcodeを直せる時代になっている ダイアモンド問題編
Avatar for yimajo yimajo
3
630
AI Agent の開発と運用を支える Durable Execution #AgentsInProd
Avatar for izumin5210 izumin5210
7
2.3k
AWS re:Invent 2025参加 直前 Seattle-Tacoma Airport(SEA)におけるハードウェア紛失インシデントLT
Avatar for tetutetu214 tetutetu214
2
120
CSC307 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
660
SourceGeneratorのススメ
Avatar for tkym htkym
0
200
疑似コードによるプロンプト記述、どのくらい正確に実行される?
Avatar for kokuyouwind kokuyouwind
0
390
日本だけで解禁されているアプリ起動の方法
Avatar for Ryu-nakayama ryunakayama
0
190

Featured

See All Featured
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
4.3k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
74
5k
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
51
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.9k
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
200
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.8k
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
5
35k
Agile Leadership in an Agile Organization
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
85
Kristin Tynski - Automating Marketing Tasks With AI
Avatar for Tech SEO Connect techseoconnect
PRO
0
150
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
333
24k
The Illustrated Guide to Node.js - THAT Conference 2024
Avatar for David Neal reverentgeek
0
260
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
273
27k

Transcript

  1. Rethinking Token-based Security: OAuth 2.0 Security Best Current Practice Manfred

    Steyer SOFTWAREarchitekt.at ManfredSteyer

  2. Contents State of the Art Issues leading to new Best

    Practices Proposed Solution Token Refresh HTTP-only Cookies

  3. About me… • Manfred Steyer SOFTWAREarchitekt.at • Angular Trainings and

    Consultancy • Google Developer Expert (GDE) • Trusted Collaborator in the Angular Team Page ▪ 3 Manfred Steyer Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops

  4. State of the Art

  5. Flow Folie▪ 5 Client Authorization-Server Resource-Server 1. Redirection 2. Redirection

    w/ Access-Token 3. Access-Token One central user account Only Auth-Svr. sees the Password Auth. decoupled from Client Tokens provide flexibility No Cookies: No XSRF

  6. Most Popular Solution: OAuth 2 and OpenId Connect

  7. Implicit Flow w/ OIDC Folie▪ 7 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token 3. Access-Token Format: JSON Web Token (JWT)

  8. Issues

  9. None

  10. Current Best Practices Document advices against Implicit Flow

  11. There are possible attacks! However, this is not new for

    us!
  12. None

  13. Have we been that naive in the last 6+ years?

    No!

  14. All serious implementations used Implicit Flow together with Best Practices

    to prevent those attacks!

  15. OpenId Connect enforces such Best Practices!

  16. Implicit Flow w/ OIDC Folie▪ 16 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token

  17. Implicit Flow w/ OIDC Folie▪ 17 Client Attacker Resource-Server Hyperlink

    with Attacker's w/ Access-Token and Id-Token

  18. Implicit Flow w/ OIDC Folie▪ 18 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Access-Token and Id-Token Part of the URL! Browser History? Server Logs?

  19. Proposed Solution

  20. Code Flow w/ OIDC Folie▪ 20 Client Authorization-Server Resource-Server 1.

    Redirection 2. Redirection w/ Code

  21. Code Flow w/ OIDC Folie▪ 21 Client Authorization-Server Resource-Server 3.

    AJAX Code 4. Redirection w/ Access-Token and Id-Token 5. Access-Token

  22. Code Flow + PKCE w/ OIDC Folie▪ 22 Client Authorization-Server

    Resource-Server 1. Redirection + Hash(verifier) 2. Redirection w/ Code Hash(verifier) verifier

  23. Code Flow + PKCE w/ OIDC Folie▪ 23 Client Authorization-Server

    Resource-Server 3. AJAX Code + verifier 4. Redirection w/ Access-Token and Id-Token 5. Access-Token Hash(verifier) verifier verifier

  24. Code Flow + PKCE w/ OIDC Folie▪ 24 Client Authorization-Server

    Stealing Tokens using XSS

  25. Solutions Prevent XSS by using frameworks Look into CSP (Content

    Security Policy) Short-living Tokens (~ 10 min)

  26. Token Refresh Page ▪ 26

  27. Refresh Token Folie▪ 27 Client Authorization-Server Resource-Server Redirection w/ Access-Token

    und Id-Token and Refresh-Token

  28. Refresh Token Folie▪ 28 Client Authorization-Server Resource-Server Refresh-Token Redirection w/

    Access-Token und Id-Token and new Refresh-Token

  29. Officially, Refresh Tokens are forbidden in the browser as they

    can be stolen too (XSS).

  30. Allowed by the Best Practices Document if … • Know

    threats and take care of them (XSS!) • Refresh-Token is an one time token! • Log out users if used more than once!
  31. None

  32. Alternative: HTTP-Only Cookies

  33. The savest way to store tokens in the browser are

    HTTP Only Cookies!

  34. Client Resource-Server Authorization-Server Resource-Server2 Access-Token Tunnle through backend Prevent XSRF

    with XSRF-Tokens Needs to be aware of Web Client ("Backend for Frontend") Consequences Same Origin Policy

  35. Conclusion Implicit Flow: Don't panic! New solutions: Code Flow +

    PKCE Refresh Tokens are allowed HTTP-only Cookies: Most secure but inconvinient

  36. Contact and Downloads [mail] [email protected] [web] SOFTWAREarchitekt.at [twitter] ManfredSteyer d

    Slides & Examples Public: Frankfurt, Munich, Vienna In-House: everywhere http://softwarearchitekt.at/workshops