Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking OAuth 2.0
Search
Marcin Hoppe
October 13, 2019
Programming
0
53
Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Tweet
Share
More Decks by Marcin Hoppe
See All by Marcin Hoppe
Przepraszam, czy można?
marcinhoppe
0
31
Problemy z JSON Web Tokens ... i garść rozwiązań
marcinhoppe
0
64
JSON Web Tokens. Problemy i rozwiązania
marcinhoppe
0
130
Other Decks in Programming
See All in Programming
HTTPプロトコル正しく理解していますか? 〜かわいい猫と共に学ぼう。ฅ^•ω•^ฅ ニャ〜
hekuchan
2
690
Honoを使ったリモートMCPサーバでAIツールとの連携を加速させる!
tosuri13
1
180
CSC307 Lecture 02
javiergs
PRO
1
780
ぼくの開発環境2026
yuzneri
0
230
登壇資料を作る時に意識していること #登壇資料_findy
konifar
4
1.2k
CSC307 Lecture 07
javiergs
PRO
0
550
Oxlintはいいぞ
yug1224
5
1.3k
今から始めるClaude Code超入門
448jp
8
8.8k
QAフローを最適化し、品質水準を満たしながらリリースまでの期間を最短化する #RSGT2026
shibayu36
2
4.4k
Raku Raku Notion 20260128
hareyakayuruyaka
0
180
AIと一緒にレガシーに向き合ってみた
nyafunta9858
0
240
React 19でつくる「気持ちいいUI」- 楽観的UIのすすめ
himorishige
11
7.4k
Featured
See All Featured
The AI Search Optimization Roadmap by Aleyda Solis
aleyda
1
5.2k
The Language of Interfaces
destraynor
162
26k
[RailsConf 2023] Rails as a piece of cake
palkan
59
6.3k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.4k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.2k
Designing for humans not robots
tammielis
254
26k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
The Limits of Empathy - UXLibs8
cassininazir
1
210
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
86
Color Theory Basics | Prateek | Gurzu
gurzu
0
200
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.8k
The SEO Collaboration Effect
kristinabergwall1
0
350
Transcript
Hacking OAuth 2.0 @marcin_hoppe
Past, present, and future @marcin_hoppe ... told by one security
team
IDaaS Identity protocols Product security team @marcin_hoppe
Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT
WS-Federation
@marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code
access token
How to test for security flaws? @marcin_hoppe
Existing resources Security considerations in RFCs Threat model RFC and
security BCP Formal security model @marcin_hoppe
Good enough? @marcin_hoppe
No, but a great start! @marcin_hoppe
OAuth attack library Structured attack documentation Useful for offensive security
crowd Automation! @marcin_hoppe
None
Meanwhile in the real world... @marcin_hoppe
Redirects are tricky Cookies + state binding in URL UA
navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe
Existing resources are generic! @marcin_hoppe
None
None
None
None
None
None
None
None
Generic threat models do not cover this complexity! @marcin_hoppe
Protocols as FSMs Each prompt is a state Only some
state transitions allowed Security properties for states and transitions @marcin_hoppe
How to generate FSMs? Source: ideal but difficult Runtime: test
instrumentation DOT language + GraphViz @marcin_hoppe
Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs
@marcin_hoppe
Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent
How to analyze FSMs? Threat modeling: STRIDE State bypass Session
management @marcin_hoppe
Takeaways Protocol testing is hard Existing resources: useful but generic
FSMs help with specific systems @marcin_hoppe
Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group
Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe
Ask me anything! @marcin_hoppe
marcinhoppe
hekuchan
tosuri13
javiergs
yuzneri
konifar
yug1224
448jp
shibayu36
hareyakayuruyaka
nyafunta9858
himorishige
aleyda
destraynor
palkan
rmw
tammyeverts
tammielis
wjessup
cassininazir
techseoconnect
gurzu
reverentgeek
kristinabergwall1
