Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking OAuth 2.0
Search
Marcin Hoppe
October 13, 2019
Programming
0
51
Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Tweet
Share
More Decks by Marcin Hoppe
See All by Marcin Hoppe
Przepraszam, czy można?
marcinhoppe
0
28
Problemy z JSON Web Tokens ... i garść rozwiązań
marcinhoppe
0
60
JSON Web Tokens. Problemy i rozwiązania
marcinhoppe
0
130
Other Decks in Programming
See All in Programming
#kanrk08 / 公開版 PicoRubyとマイコンでの自作トレーニング計測装置を用いたワークアウトの理想と現実
bash0c7
1
680
Systèmes distribués, pour le meilleur et pour le pire - BreizhCamp 2025 - Conférence
slecache
0
120
生成AIコーディングとの向き合い方、AIと共創するという考え方 / How to deal with generative AI coding and the concept of co-creating with AI
seike460
PRO
1
350
Kotlin エンジニアへ送る:Swift 案件に参加させられる日に備えて~似てるけど色々違う Swift の仕様 / from Kotlin to Swift
lovee
1
260
Quand Symfony, ApiPlatform, OpenAI et LangChain s'allient pour exploiter vos PDF : de la théorie à la production…
ahmedbhs123
0
130
Railsアプリケーションと パフォーマンスチューニング ー 秒間5万リクエストの モバイルオーダーシステムを支える事例 ー Rubyセミナー 大阪
falcon8823
5
1.1k
都市をデータで見るってこういうこと PLATEAU属性情報入門
nokonoko1203
1
590
Composerが「依存解決」のためにどんな工夫をしているか #phpcon
o0h
PRO
1
250
VS Code Update for GitHub Copilot
74th
2
610
High-Level Programming Languages in AI Era -Human Thought and Mind-
hayat01sh1da
PRO
0
720
AIコーディング道場勉強会#2 君(エンジニア)たちはどう生きるか
misakiotb
1
280
LINEヤフー データグループ紹介
lycorp_recruit_jp
0
2k
Featured
See All Featured
A designer walks into a library…
pauljervisheath
207
24k
Docker and Python
trallard
44
3.5k
Writing Fast Ruby
sferik
628
62k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
17
950
Faster Mobile Websites
deanohume
307
31k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
940
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
125
52k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
Unsuck your backbone
ammeep
671
58k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Transcript
Hacking OAuth 2.0 @marcin_hoppe
Past, present, and future @marcin_hoppe ... told by one security
team
IDaaS Identity protocols Product security team @marcin_hoppe
Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT
WS-Federation
@marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code
access token
How to test for security flaws? @marcin_hoppe
Existing resources Security considerations in RFCs Threat model RFC and
security BCP Formal security model @marcin_hoppe
Good enough? @marcin_hoppe
No, but a great start! @marcin_hoppe
OAuth attack library Structured attack documentation Useful for offensive security
crowd Automation! @marcin_hoppe
None
Meanwhile in the real world... @marcin_hoppe
Redirects are tricky Cookies + state binding in URL UA
navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe
Existing resources are generic! @marcin_hoppe
None
None
None
None
None
None
None
None
Generic threat models do not cover this complexity! @marcin_hoppe
Protocols as FSMs Each prompt is a state Only some
state transitions allowed Security properties for states and transitions @marcin_hoppe
How to generate FSMs? Source: ideal but difficult Runtime: test
instrumentation DOT language + GraphViz @marcin_hoppe
Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs
@marcin_hoppe
Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent
How to analyze FSMs? Threat modeling: STRIDE State bypass Session
management @marcin_hoppe
Takeaways Protocol testing is hard Existing resources: useful but generic
FSMs help with specific systems @marcin_hoppe
Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group
Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe
Ask me anything! @marcin_hoppe