Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Transcript
Hacking OAuth 2.0 @marcin_hoppe
Past, present, and future ... told by one security team
IDaaS, identity protocols, product security team
Protocols and standards: PKCE, OIDC, OAuth 2.0, SAML, JWT, WS-Federation
OAuth 2.0 Authorization Code Flow (diagram: IdP, App, UA, code, access token)
How to test for security flaws?
Existing resources: security considerations in the RFCs; the threat model RFC and the security BCP; a formal security model
Good enough?
No, but a great start!
OAuth attack library: structured attack documentation; useful for the offensive security crowd; automation!
Meanwhile in the real world...
Redirects are tricky: cookies plus state binding in the URL, while the UA navigates in and out of the page. Potential for CSRF, session fixation, open redirects...
Existing resources are generic!
Generic threat models do not cover this complexity!
Protocols as FSMs: each prompt is a state; only some state transitions are allowed; security properties attach to states and transitions
How to generate FSMs? From source: ideal but difficult. At runtime: test instrumentation, DOT language + GraphViz
Our stack: Node.js runtime, Express middleware, Passport authentication, Flowstate FSMs
Example simple FSM (diagram): /authorize, /login, /mfa, /pwdreset, /consent
How to analyze FSMs? Threat modeling: STRIDE; state bypass; session management
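An added example, not code from the deck and not built on the Flowstate or Passport libraries it mentions: the example FSM above (/authorize, /login, /mfa, /pwdreset, /consent) as a transition table with guards, an Express-shaped (req, res, next) middleware that records each session's transitions during a test run, a check of the recorded transitions against the model covering the state-bypass and session-management cases, and a DOT export for GraphViz. No framework is needed to run it. Assumptions made here: MFA is mandatory for every login, and the prompt handlers only set session flags.

```javascript
// Added example (not from the deck, and not using Flowstate or Passport): the
// login prompts as an FSM with guarded transitions, an Express-shaped
// (req, res, next) middleware that records each session's transitions during
// a test run, a check against the model, and a DOT export for GraphViz.

// Each prompt is a state; START means "no prompt seen yet for this session".
// Guards express the security property: /consent is reachable only after
// /login and /mfa have completed. Assumption: MFA is mandatory for all logins.
const TRANSITIONS = [
  { from: 'START',      to: '/authorize' },
  { from: '/authorize', to: '/login' },
  { from: '/login',     to: '/pwdreset' },
  { from: '/pwdreset',  to: '/login' },
  { from: '/login',     to: '/mfa',     guard: (f) => f.authenticated },
  { from: '/mfa',       to: '/consent', guard: (f) => f.authenticated && f.mfaPassed },
];

// Stand-ins for the prompt handlers: each just sets a session flag on success.
const HANDLERS = {
  '/authorize': () => {},
  '/login':     (f) => { f.authenticated = true; },
  '/pwdreset':  () => {},
  '/mfa':       (f) => { f.mfaPassed = true; },
  '/consent':   (f) => { f.consented = true; },
};

// Returns null if the transition is allowed, otherwise a reason string.
function checkTransition(from, to, flags) {
  const edge = TRANSITIONS.find((t) => t.from === from && t.to === to);
  if (!edge) return `no edge ${from} -> ${to}`;
  if (edge.guard && !edge.guard(flags)) return `guard failed on ${from} -> ${to}`;
  return null;
}

// Instrumentation, not enforcement: every transition is recorded, problems
// are logged, and the request still proceeds so the test sees real behaviour.
// req is expected to carry sessionId and path, as it would under Express.
function fsmRecorder(log) {
  const sessions = new Map();               // session id -> { state, flags }
  return (req, res, next) => {
    let s = sessions.get(req.sessionId);
    if (!s) { s = { state: 'START', flags: {} }; sessions.set(req.sessionId, s); }
    const edge = `${s.state} -> ${req.path}`;
    log.edges.add(edge);
    const problem = checkTransition(s.state, req.path, s.flags);
    if (problem) log.violations.push({ session: req.sessionId, edge, problem });
    s.state = req.path;
    req.flags = s.flags;                    // the handler mutates the same object
    next();
  };
}

// Replays a constructed request trace through the recorder and the handlers.
function replay(trace) {
  const log = { edges: new Set(), violations: [] };
  const mw = fsmRecorder(log);
  for (const req of trace) mw(req, {}, () => HANDLERS[req.path](req.flags));
  return log;
}

// DOT for GraphViz: edges the model allows are plain, edges seen at runtime
// that it does not allow are dashed red.
function toDot(log) {
  const bad = new Set(log.violations.map((v) => v.edge));
  const lines = ['digraph login {'];
  for (const e of log.edges) {
    const [from, to] = e.split(' -> ');
    lines.push(`  "${from}" -> "${to}"${bad.has(e) ? ' [color=red, style=dashed]' : ''};`);
  }
  lines.push('}');
  return lines.join('\n');
}

// Constructed traces: a legitimate login with a password-reset detour, a
// tester jumping from /login straight to /consent (state bypass), and a
// never-seen session id landing on /consent (session management check).
const trace = (sid, paths) => paths.map((path) => ({ sessionId: sid, path }));
const GOOD   = trace('sid-1', ['/authorize', '/login', '/pwdreset', '/login', '/mfa', '/consent']);
const BYPASS = trace('sid-2', ['/authorize', '/login', '/consent']);
const STRAY  = trace('sid-3', ['/consent']);

function runFsmDemo() {
  const good = replay(GOOD), bypass = replay(BYPASS), stray = replay(STRAY);
  return {
    goodViolations: good.violations.map((v) => v.problem),     // []
    bypassViolations: bypass.violations.map((v) => v.problem), // ['no edge /login -> /consent']
    strayViolations: stray.violations.map((v) => v.problem),   // ['no edge START -> /consent']
    dot: toDot(bypass),                                        // feed to `dot -Tpng`
  };
}
```

The recorder deliberately does not block a bad transition: at test time you want the trace of what the real handlers allowed, and the comparison against the model is what tells you whether a prompt can be skipped. In the deck's stack the same hook would sit as an Express middleware in front of the Passport-backed routes; here it is called directly.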
Takeaways: protocol testing is hard; existing resources are useful but generic; FSMs help with specific systems
Marcin Hoppe, Senior Manager Product Security, Auth0; Security Working Group, Node.js Foundation; Project Leader, OWASP Serverless Top 10; marcin.hoppe @ auth0.com; twitter.com/Marcin_Hoppe
Ask me anything!