Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking OAuth 2.0
Search
Marcin Hoppe
October 13, 2019
Programming
0
51
Hacking OAuth 2.0
Marcin Hoppe
October 13, 2019
Tweet
Share
More Decks by Marcin Hoppe
See All by Marcin Hoppe
Przepraszam, czy można?
marcinhoppe
0
29
Problemy z JSON Web Tokens ... i garść rozwiązań
marcinhoppe
0
60
JSON Web Tokens. Problemy i rozwiązania
marcinhoppe
0
130
Other Decks in Programming
See All in Programming
PHPでWebSocketサーバーを実装しよう2025
kubotak
0
290
データの民主化を支える、透明性のあるデータ利活用への挑戦 2025-06-25 Database Engineering Meetup#7
y_ken
0
360
明示と暗黙 ー PHPとGoの インターフェイスの違いを知る
shimabox
2
510
XP, Testing and ninja testing
m_seki
3
250
#kanrk08 / 公開版 PicoRubyとマイコンでの自作トレーニング計測装置を用いたワークアウトの理想と現実
bash0c7
1
770
第9回 情シス転職ミートアップ 株式会社IVRy(アイブリー)の紹介
ivry_presentationmaterials
1
320
イベントストーミング図からコードへの変換手順 / Procedure for Converting Event Storming Diagrams to Code
nrslib
2
830
Rails Frontend Evolution: It Was a Setup All Along
skryukov
0
140
PipeCDのプラグイン化で目指すところ
warashi
1
280
PostgreSQLのRow Level SecurityをPHPのORMで扱う Eloquent vs Doctrine #phpcon #track2
77web
2
530
スタートアップの急成長を支えるプラットフォームエンジニアリングと組織戦略
sutochin26
1
5.8k
Systèmes distribués, pour le meilleur et pour le pire - BreizhCamp 2025 - Conférence
slecache
0
120
Featured
See All Featured
Why Our Code Smells
bkeepers
PRO
336
57k
Code Reviewing Like a Champion
maltzj
524
40k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
Faster Mobile Websites
deanohume
307
31k
Being A Developer After 40
akosma
90
590k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Optimizing for Happiness
mojombo
379
70k
Designing for humans not robots
tammielis
253
25k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
740
Build your cross-platform service in a week with App Engine
jlugia
231
18k
Speed Design
sergeychernyshev
32
1k
The Straight Up "How To Draw Better" Workshop
denniskardys
234
140k
Transcript
Hacking OAuth 2.0 @marcin_hoppe
Past, present, and future @marcin_hoppe ... told by one security
team
IDaaS Identity protocols Product security team @marcin_hoppe
Protocols and standards @marcin_hoppe PKCE OIDC OAuth 2.0 SAML JWT
WS-Federation
@marcin_hoppe OAuth 2.0 Authorization Code Flow IdP App UA code
access token
How to test for security flaws? @marcin_hoppe
Existing resources Security considerations in RFCs Threat model RFC and
security BCP Formal security model @marcin_hoppe
Good enough? @marcin_hoppe
No, but a great start! @marcin_hoppe
OAuth attack library Structured attack documentation Useful for offensive security
crowd Automation! @marcin_hoppe
None
Meanwhile in the real world... @marcin_hoppe
Redirects are tricky Cookies + state binding in URL UA
navigates in and out of the page Potential for CSRF, session fixation, open redirects... @marcin_hoppe
Existing resources are generic! @marcin_hoppe
None
None
None
None
None
None
None
None
Generic threat models do not cover this complexity! @marcin_hoppe
Protocols as FSMs Each prompt is a state Only some
state transitions allowed Security properties for states and transitions @marcin_hoppe
How to generate FSMs? Source: ideal but difficult Runtime: test
instrumentation DOT language + GraphViz @marcin_hoppe
Our stack Node.js runtime Express middleware Passport authentication Flowstate FSMs
@marcin_hoppe
Example simple FSM @marcin_hoppe /authorize /login /mfa /pwdreset /consent
How to analyze FSMs? Threat modeling: STRIDE State bypass Session
management @marcin_hoppe
Takeaways Protocol testing is hard Existing resources: useful but generic
FSMs help with specific systems @marcin_hoppe
Marcin Hoppe Senior Manager Product Security Auth0 Security Working Group
Node.js Foundation Project Leader OWASP Serverless Top 10 marcin.hoppe @ auth0.com twitter.com/Marcin_Hoppe
Ask me anything! @marcin_hoppe