Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking OAuth 2.0
Search
Marcin Hoppe
October 13, 2019
Programming
0
52
Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Tweet
Share
More Decks by Marcin Hoppe
See All by Marcin Hoppe
Przepraszam, czy można?
marcinhoppe
0
30
Problemy z JSON Web Tokens ... i garść rozwiązań
marcinhoppe
0
62
JSON Web Tokens. Problemy i rozwiązania
marcinhoppe
0
130
Other Decks in Programming
See All in Programming
プロポーザル駆動学習 / Proposal-Driven Learning
mackey0225
2
1.3k
Reading Rails 1.0 Source Code
okuramasafumi
0
250
How Android Uses Data Structures Behind The Scenes
l2hyunwoo
0
480
Navigating Dependency Injection with Metro
zacsweers
3
2.5k
2025 年のコーディングエージェントの現在地とエンジニアの仕事の変化について
azukiazusa1
24
12k
為你自己學 Python - 冷知識篇
eddie
1
350
OSS開発者という働き方
andpad
5
1.7k
アプリの "かわいい" を支えるアニメーションツールRiveについて
uetyo
0
280
CloudflareのChat Agent Starter Kitで簡単!AIチャットボット構築
syumai
2
510
print("Hello, World")
eddie
2
530
RDoc meets YARD
okuramasafumi
4
170
CJK and Unicode From a PHP Committer
youkidearitai
PRO
0
110
Featured
See All Featured
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Six Lessons from altMBA
skipperchong
28
4k
The Cult of Friendly URLs
andyhume
79
6.6k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
131
19k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Site-Speed That Sticks
csswizardry
10
820
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Context Engineering - Making Every Token Count
addyosmani
3
58
Faster Mobile Websites
deanohume
309
31k
Git: the NoSQL Database
bkeepers
PRO
431
66k
Reflections from 52 weeks, 52 projects
jeffersonlam
352
21k
Transcript
Hacking OAuth 2.0 @marcin_hoppe
Past, present, and future @marcin_hoppe ... told by one security
team
IDaaS Identity protocols Product security team @marcin_hoppe
Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT
WS-Federation
@marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code
access token
How to test for security flaws? @marcin_hoppe
Existing resources Security considerations in RFCs Threat model RFC and
security BCP Formal security model @marcin_hoppe
Good enough? @marcin_hoppe
No, but a great start! @marcin_hoppe
OAuth attack library Structured attack documentation Useful for offensive security
crowd Automation! @marcin_hoppe
None
Meanwhile in the real world... @marcin_hoppe
Redirects are tricky Cookies + state binding in URL UA
navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe
Existing resources are generic! @marcin_hoppe
None
None
None
None
None
None
None
None
Generic threat models do not cover this complexity! @marcin_hoppe
Protocols as FSMs Each prompt is a state Only some
state transitions allowed Security properties for states and transitions @marcin_hoppe
How to generate FSMs? Source: ideal but difficult Runtime: test
instrumentation DOT language + GraphViz @marcin_hoppe
Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs
@marcin_hoppe
Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent
How to analyze FSMs? Threat modeling: STRIDE State bypass Session
management @marcin_hoppe
Takeaways Protocol testing is hard Existing resources: useful but generic
FSMs help with specific systems @marcin_hoppe
Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group
Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe
Ask me anything! @marcin_hoppe
marcinhoppe
mackey0225
okuramasafumi
l2hyunwoo
zacsweers
azukiazusa1
eddie
andpad
uetyo
syumai
youkidearitai
kastner
hatefulcrawdad
skipperchong
andyhume
morganepeng
addyosmani
csswizardry
deanohume
bkeepers
jeffersonlam
