Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking OAuth 2.0
Search
Marcin Hoppe
October 13, 2019
Programming
0
51
Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Tweet
Share
More Decks by Marcin Hoppe
See All by Marcin Hoppe
Przepraszam, czy można?
marcinhoppe
0
29
Problemy z JSON Web Tokens ... i garść rozwiązań
marcinhoppe
0
60
JSON Web Tokens. Problemy i rozwiązania
marcinhoppe
0
130
Other Decks in Programming
See All in Programming
High-Level Programming Languages in AI Era -Human Thought and Mind-
hayat01sh1da
PRO
0
880
AWS Summit Japan 2024と2025の比較/はじめてのKiro、今あなたは岐路に立つ
satoshi256kbyte
0
120
Model Pollution
hschwentner
1
160
たった 1 枚の PHP ファイルで実装する MCP サーバ / MCP Server with Vanilla PHP
okashoi
1
300
マッチングアプリにおけるフリックUIで苦労したこと
yuheiito
0
190
SQLアンチパターン第2版 データベースプログラミングで陥りがちな失敗とその対策 / Intro to SQL Antipatterns 2nd
twada
PRO
11
1.3k
React は次の10年を生き残れるか:3つのトレンドから考える
oukayuka
7
2.4k
AI時代のソフトウェア開発を考える(2025/07版) / Agentic Software Engineering Findy 2025-07 Edition
twada
PRO
99
37k
Android 16KBページサイズ対応をはじめからていねいに
mine2424
0
440
AIエージェントはこう育てる - GitHub Copilot Agentとチームの共進化サイクル
koboriakira
0
760
リバースエンジニアリング新時代へ! GhidraとClaude DesktopをMCPで繋ぐ/findy202507
tkmru
3
960
明示と暗黙 ー PHPとGoの インターフェイスの違いを知る
shimabox
2
620
Featured
See All Featured
Building Applications with DynamoDB
mza
95
6.5k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
BBQ
matthewcrist
89
9.7k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Visualization
eitanlees
146
16k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.5k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
How to Think Like a Performance Engineer
csswizardry
25
1.7k
Thoughts on Productivity
jonyablonski
69
4.7k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
GitHub's CSS Performance
jonrohan
1031
460k
Transcript
Hacking OAuth 2.0 @marcin_hoppe
Past, present, and future @marcin_hoppe ... told by one security
team
IDaaS Identity protocols Product security team @marcin_hoppe
Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT
WS-Federation
@marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code
access token
How to test for security flaws? @marcin_hoppe
Existing resources Security considerations in RFCs Threat model RFC and
security BCP Formal security model @marcin_hoppe
Good enough? @marcin_hoppe
No, but a great start! @marcin_hoppe
OAuth attack library Structured attack documentation Useful for offensive security
crowd Automation! @marcin_hoppe
None
Meanwhile in the real world... @marcin_hoppe
Redirects are tricky Cookies + state binding in URL UA
navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe
Existing resources are generic! @marcin_hoppe
None
None
None
None
None
None
None
None
Generic threat models do not cover this complexity! @marcin_hoppe
Protocols as FSMs Each prompt is a state Only some
state transitions allowed Security properties for states and transitions @marcin_hoppe
How to generate FSMs? Source: ideal but difficult Runtime: test
instrumentation DOT language + GraphViz @marcin_hoppe
Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs
@marcin_hoppe
Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent
How to analyze FSMs? Threat modeling: STRIDE State bypass Session
management @marcin_hoppe
Takeaways Protocol testing is hard Existing resources: useful but generic
FSMs help with specific systems @marcin_hoppe
Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group
Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe
Ask me anything! @marcin_hoppe