Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Transcript
Hacking OAuth 2.0 (@marcin_hoppe)

Past, present, and future... told by one security team

IDaaS. Identity protocols. Product security team.

Protocols and standards: PKCE, OIDC, OAuth 2.0, SAML, JWT, WS-Federation

OAuth 2.0 Authorization Code Flow: IdP, App, UA; code; access token

How to test for security flaws?

Existing resources:
- Security considerations in RFCs
- Threat model RFC and security BCP
- Formal security model

Good enough?

No, but a great start!

OAuth attack library:
- Structured attack documentation
- Useful for the offensive security crowd
- Automation!
Meanwhile in the real world...

Redirects are tricky:
- Cookies + state binding in URL
- UA navigates in and out of the page
- Potential for CSRF, session fixation, open redirects...

Existing resources are generic!
Generic threat models do not cover this complexity!

Protocols as FSMs:
- Each prompt is a state
- Only some state transitions allowed
- Security properties for states and transitions

How to generate FSMs?
- Source: ideal but difficult
- Runtime: test instrumentation
- DOT language + GraphViz

Our stack: Node.js runtime, Express middleware, Passport authentication, Flowstate FSMs

Example simple FSM: /authorize, /login, /mfa, /pwdreset, /consent

How to analyze FSMs?
- Threat modeling: STRIDE
- State bypass
- Session management
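As an added example (not code from the talk or from the Flowstate library): the five prompts of the simple FSM above as an allowed-transition table, a checker that replays an observed prompt sequence from runtime instrumentation and reports the first state bypass or failed state property, and DOT output for GraphViz. The transition table, the "MFA required before consent" property and the session fields are assumptions made for illustration.

```javascript
// Added example (not the talk's Flowstate code): the slide's prompts as an FSM.
// Assumptions: this transition table and the MFA property are constructed for
// illustration; the real flow's allowed edges come from the instrumented app.
// Each prompt is a state; only the listed edges are allowed transitions.
const TRANSITIONS = {
  '/authorize': ['/login'],
  '/login':     ['/mfa', '/pwdreset', '/consent'], // direct /consent: no MFA enrolled
  '/pwdreset':  ['/login'],
  '/mfa':       ['/consent'],
  '/consent':   [],                                // terminal: code issued after consent
};

// Security property on a state: entering /consent requires a completed MFA
// prompt whenever the account has MFA enrolled. An edge the table allows
// (login -> consent) can still violate this for an enrolled user.
const PROPERTIES = {
  '/consent': (s) => !s.mfaEnrolled || s.mfaDone,
};

// Replay an observed sequence of prompts (e.g. from runtime test instrumentation).
// Returns the first violation: an edge the model does not allow (state bypass)
// or a failed state property; otherwise ok with the final state reached.
function checkSequence(prompts, { mfaEnrolled = false } = {}) {
  let state = '/authorize';
  const session = { mfaEnrolled, mfaDone: false };
  for (const next of prompts) {
    if (!TRANSITIONS[state].includes(next)) {
      return { ok: false, reason: 'illegal-transition', from: state, to: next };
    }
    if (next === '/mfa') session.mfaDone = true;
    const prop = PROPERTIES[next];
    if (prop && !prop(session)) {
      return { ok: false, reason: 'property-violated', state: next };
    }
    state = next;
  }
  return { ok: true, final: state };
}

// Render the model as DOT for GraphViz; property-guarded states are boxed.
function toDot() {
  const lines = ['digraph flow {'];
  for (const s of Object.keys(PROPERTIES)) lines.push(`  "${s}" [shape=box];`);
  for (const [from, tos] of Object.entries(TRANSITIONS)) {
    for (const to of tos) lines.push(`  "${from}" -> "${to}";`);
  }
  lines.push('}');
  return lines.join('\n');
}
```

Feeding `toDot()` to `dot -Tpng` gives the same kind of picture the slides generate, and `checkSequence` is the piece a test harness would call on each recorded prompt trace.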
Takeaways:
- Protocol testing is hard
- Existing resources: useful but generic
- FSMs help with specific systems

Marcin Hoppe, Senior Manager Product Security, Auth0. Security Working Group, Node.js Foundation. Project Leader, OWASP Serverless Top 10. marcin.hoppe @ auth0.com, twitter.com/Marcin_Hoppe

Ask me anything!