Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking OAuth 2.0
Search
Marcin Hoppe
October 13, 2019
Programming
0
53
Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Tweet
Share
More Decks by Marcin Hoppe
See All by Marcin Hoppe
Przepraszam, czy można?
marcinhoppe
0
31
Problemy z JSON Web Tokens ... i garść rozwiązań
marcinhoppe
0
64
JSON Web Tokens. Problemy i rozwiązania
marcinhoppe
0
130
Other Decks in Programming
See All in Programming
例外処理とどう使い分ける?Result型を使ったエラー設計 #burikaigi
kajitack
16
6.1k
AWS re:Invent 2025参加 直前 Seattle-Tacoma Airport(SEA)におけるハードウェア紛失インシデントLT
tetutetu214
2
110
dchart: charts from deck markup
ajstarks
3
990
Package Management Learnings from Homebrew
mikemcquaid
0
220
Honoを使ったリモートMCPサーバでAIツールとの連携を加速させる!
tosuri13
1
180
Apache Iceberg V3 and migration to V3
tomtanaka
0
160
なるべく楽してバックエンドに型をつけたい!(楽とは言ってない)
hibiki_cube
0
140
「ブロックテーマでは再現できない」は本当か?
inc2734
0
1k
CSC307 Lecture 06
javiergs
PRO
0
690
16年目のピクシブ百科事典を支える最新の技術基盤 / The Modern Tech Stack Powering Pixiv Encyclopedia in its 16th Year
ahuglajbclajep
5
1k
AIと一緒にレガシーに向き合ってみた
nyafunta9858
0
240
IFSによる形状設計/デモシーンの魅力 @ 慶應大学SFC
gam0022
1
300
Featured
See All Featured
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
davidcarrasco
0
66
Speed Design
sergeychernyshev
33
1.5k
The SEO Collaboration Effect
kristinabergwall1
0
350
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.6k
Making Projects Easy
brettharned
120
6.6k
Build your cross-platform service in a week with App Engine
jlugia
234
18k
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
0
210
ラッコキーワード サービス紹介資料
rakko
1
2.3M
Everyday Curiosity
cassininazir
0
130
The Curse of the Amulet
leimatthew05
1
8.6k
Site-Speed That Sticks
csswizardry
13
1.1k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Transcript
Hacking OAuth 2.0 @marcin_hoppe
Past, present, and future @marcin_hoppe ... told by one security
team
IDaaS Identity protocols Product security team @marcin_hoppe
Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT
WS-Federation
@marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code
access token
How to test for security flaws? @marcin_hoppe
Existing resources Security considerations in RFCs Threat model RFC and
security BCP Formal security model @marcin_hoppe
Good enough? @marcin_hoppe
No, but a great start! @marcin_hoppe
OAuth attack library Structured attack documentation Useful for offensive security
crowd Automation! @marcin_hoppe
None
Meanwhile in the real world... @marcin_hoppe
Redirects are tricky Cookies + state binding in URL UA
navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe
Existing resources are generic! @marcin_hoppe
None
None
None
None
None
None
None
None
Generic threat models do not cover this complexity! @marcin_hoppe
Protocols as FSMs Each prompt is a state Only some
state transitions allowed Security properties for states and transitions @marcin_hoppe
How to generate FSMs? Source: ideal but difficult Runtime: test
instrumentation DOT language + GraphViz @marcin_hoppe
Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs
@marcin_hoppe
Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent
How to analyze FSMs? Threat modeling: STRIDE State bypass Session
management @marcin_hoppe
Takeaways Protocol testing is hard Existing resources: useful but generic
FSMs help with specific systems @marcin_hoppe
Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group
Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe
Ask me anything! @marcin_hoppe
marcinhoppe
kajitack
tetutetu214
ajstarks
mikemcquaid
tosuri13
tomtanaka
hibiki_cube
inc2734
javiergs
ahuglajbclajep
nyafunta9858
gam0022
davidcarrasco
sergeychernyshev
kristinabergwall1
philnash
brettharned
jlugia
ks91
rakko
cassininazir
leimatthew05
csswizardry
keithpitt
