Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking OAuth 2.0

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Marcin Hoppe Marcin Hoppe
October 13, 2019
Programming
0
54

Hacking OAuth 2.0

Avatar for Marcin Hoppe

Marcin Hoppe

October 13, 2019
Tweet

More Decks by Marcin Hoppe

See All by Marcin Hoppe
Przepraszam, czy można?
Avatar for Marcin Hoppe marcinhoppe
0
31
Problemy z JSON Web Tokens ... i garść rozwiązań
Avatar for Marcin Hoppe marcinhoppe
0
66
JSON Web Tokens. Problemy i rozwiązania
Avatar for Marcin Hoppe marcinhoppe
0
130

Other Decks in Programming

See All in Programming
S3ストレージクラスの「見える」「ある」「使える」は全部違う ─ 体験から見た、仕様の深淵を覗く
Avatar for ya_ma23 ya_ma23
0
890
脱 雰囲気実装! AgentCoreを良い感じに WEBアプリケーションに組み込むために
Avatar for Takuya Yonezawa takuyay0ne
3
380
技術検証結果の整理と解析をAIに任せよう!
Avatar for Keisuke Ikeda keisukeikeda
0
130
PHPで TLSのプロトコルを実装してみる
Avatar for higaki higaki_program
0
400
DevinとClaude Code、SREの現場で使い倒してみた件
Avatar for karia/Y.Hisamatsu karia
1
1.1k
Migration to Signals, Signal Forms, Resource API, and NgRx Signal Store @Angular Days 03/2026 Munich
Avatar for Manfred Steyer manfredsteyer
PRO
0
130
Redox OS でのネームスペース管理と chroot の実現
Avatar for isan isanethen
0
410
Codex CLIのSubagentsによる並列API実装 / Parallel API Implementation with Codex CLI Subagents
Avatar for 冨澤宝斗 takatty
2
240
How to stabilize UI tests using XCTest
Avatar for Akio Itaya akkeylab
0
140
Goの型安全性で実現する複数プロダクトの権限管理
Avatar for ishikawa-pro ishikawa_pro
2
900
Understanding Apache Lucene - More than just full-text search
Avatar for Alexander Reelsen spinscale
0
140
Claude Codeセッション現状確認 2026福岡 / fukuoka-aicoding-00-beacon
Avatar for monochromegane monochromegane
4
450

Featured

See All Featured
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
650
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.8k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
230
KATA
Avatar for Megan Lloyd mclloyd
PRO
35
15k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
Avatar for Kenny Baas-Schwegler baasie
0
260
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
Avatar for Liv Day livdayseo
0
89
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.7k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
120k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
Avatar for Aleyda Solis aleyda
1
1.2k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
37
7.2k
Information Architects: The Missing Link in Design Systems
Avatar for Michelle Chin soysaucechin
0
840

Transcript

  1. Hacking
 
 
 OAuth 2.0 @marcin_hoppe

  2. Past, present, and future @marcin_hoppe ... told by one security

    team

  3. IDaaS Identity protocols Product security team @marcin_hoppe

  4. Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT

    WS-Federation

  5. @marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code

    access token

  6. How to test for security flaws? @marcin_hoppe

  7. Existing resources Security considerations in RFCs Threat model RFC and

    security BCP Formal security model @marcin_hoppe

  8. Good enough? @marcin_hoppe

  9. No, but a great start! @marcin_hoppe

  10. OAuth attack library Structured attack documentation Useful for offensive security

    crowd Automation! @marcin_hoppe
  11. None

  12. Meanwhile in the real world... @marcin_hoppe

  13. Redirects are tricky Cookies + state binding in URL UA

    navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe

  14. Existing resources are generic! @marcin_hoppe

  15. None
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None
  22. None

  23. Generic threat models do not cover this complexity! @marcin_hoppe

  24. Protocols as FSMs Each prompt is a state Only some

    state transitions allowed Security properties for states and transitions @marcin_hoppe

  25. How to generate FSMs? Source: ideal but difficult Runtime: test

    instrumentation DOT language + GraphViz @marcin_hoppe

  26. Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs

    @marcin_hoppe

  27. Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent

  28. How to analyze FSMs? Threat modeling: STRIDE State bypass Session

    management @marcin_hoppe

  29. Takeaways Protocol testing is hard Existing resources: useful but generic

    FSMs help with specific systems @marcin_hoppe

  30. Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group

    Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe

  31. Ask me anything! @marcin_hoppe