Slide 1

GNAP: THE FUTURE OF OAUTH @chalas_r

Slide 2

ROBIN CHALAS (@chalas_r, GitHub: chalasr)
Les-Tilleuls.coop
Symfony Core Team

Slide 3

DISCLAIMER: I'M NOT A SECURITY EXPERT

Slide 4

DISCLAIMER 2: I MAY PRONOUNCE OAUTH INCORRECTLY

Slide 5

REMINDER: WHAT IS OAUTH?

Slide 6

OAUTH? Industry-standard authorization protocol for web, desktop, mobile & IoT.

Slide 7

OAUTH WINS
Successful as a standard
Better than prior art
Continuously improving

Slide 8

A BIT OF HISTORY: OAUTH 1.0?
Designed around redirect-based (browser) authorization
Based on Flickr's authorization API & Google's AuthSub
Security burden on the clients' shoulders: every request is signed by the client (HMAC-SHA1 or RSA-SHA1, plus nonce and timestamp)

Slide 9

OAUTH 1.0 (diagram from the Spring Security docs)

Slide 10

A BIT OF HISTORY: OAUTH 2.0?
Complete rewrite of OAuth 1
For anything that builds on HTTP(S)
Relies on TLS instead of per-request signatures (& eventually JOSE, for JWT-based tokens)

Slide 11

OAUTH 2.0 (diagram from the Spring Security docs)

Slide 12

OAUTH 2.0 BUILT-IN GRANT TYPES
Resource Owner Password Credentials
Implicit
Client Credentials
Authorization Code

Slide 13

OAUTH 2.1 BUILT-IN GRANT TYPES
Resource Owner Password Credentials (removed)
Implicit (removed)
Client Credentials
Authorization Code + Proof Key for Code Exchange (PKCE), now mandatory

Slide 14

OAUTH 2.1 OTHER MAJOR CHANGES
No more bearer tokens in the query string (URL)
Refresh tokens for public clients must either be one-time use or sender-constrained
Redirect URIs are compared by exact string matching
Simplified "public vs. confidential clients" concept
Identification/authentication concept is mentioned
oauth.net/2.1

Slide 15

WHAT'S WRONG WITH OAUTH2?


Slide 17

OAUTH2 FLAWS: OVERLY COMPLEX
28 RFCs + 10 active drafts
Ready-made authorization servers exist to hide that complexity, e.g. Keycloak

Slide 18

OAUTH2 FLAWS: AUTHENTICATION LEFT ASIDE
🎁 You've got 10+ more specifications to read! Welcome OpenID Connect
openid.net/developers/specs/

Slide 19

OAUTH2 FLAWS: STILL TIED TO REDIRECTS, THEREFORE TO BROWSERS

Slide 20

OAUTH2 FLAWS: PROOF OF POSSESSION LATE TO THE GAME
Welcome Mutual-TLS (RFC 8705) & DPoP (a draft at the time of the talk, since published as RFC 9449)

Slide 21

OAUTH2 FLAWS: CRYPTO KEY ROTATION NOT COVERED

Slide 22

OAUTH2 FLAWS: PAINFUL ON MOBILE
Better with RFC 8252 (OAuth 2.0 for Native Apps)

Slide 23

OAUTH2 FLAWS: OLD-FASHIONED UX/DX

Slide 24

👋 GNAP

Slide 25

GRANT NEGOTIATION & AUTHORIZATION PROTOCOL

Slide 26

GNAP: FOR MODERN APPLICATIONS' SECURITY NEEDS

Slide 27

GNAP: KEY POINTS
FOR ANY CLIENT/PLATFORM

Slide 28

GNAP: KEY POINTS
INTERACTIONS AS FIRST-CLASS CONCEPTS

Slide 29

GNAP: KEY POINTS
NO PRE-FLIGHT DISCOVERY NEEDED

Slide 30

GNAP: KEY POINTS
CRYPTO KEYS EVERYWHERE + (EXTENSIBLE) ROTATION MECHANISMS

Slide 31

GNAP: KEY POINTS
BEARER TOKENS AND MORE

Slide 32

GNAP: KEY POINTS
MULTIPLE ACCESS TOKENS PER GRANT REQUEST

Slide 33

GNAP: KEY POINTS
BUILT-IN IDENTITY!

Slide 34

GNAP: KEY POINTS
BETTER DEVELOPER ERGONOMICS

Slide 35

GNAP: OVERALL PROTOCOL SEQUENCE
datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol#section-1.1

Slide 36

NOT BACKWARDS-COMPATIBLE WITH OAUTH2

Slide 37

OAUTH GRANT TYPE EQUIVALENTS
Authorization Code Grant => redirect interaction mode (the client's finish nonce and the interaction hash bind the callback to the original request, the job PKCE does in OAuth 2)
Device Grant => user_code interaction mode
Client Credentials Grant => just a grant request with no interaction

Slide 38

RELATIONSHIP TO OTHER SPECS
OpenID Connect (OIDC) => Identity is part of GNAP Core & Resource Server.
User-Managed Access (UMA) => The same can be achieved with GNAP Core alone.
Proof of Possession (PoP: Mutual-TLS & DPoP) => All tokens are key-bound by default in GNAP; a bearer token has to be requested explicitly.

Slide 39

CURRENT STATE
WG started in October 2020, led by Justin Richer.
Protocol improved a lot since then.

Slide 40

IT'S MOSTLY GETTING STABLE
Last WG meeting happened in November 2022: no protocol changes.
datatracker.ietf.org/meeting/114/materials/slides-114-gnap-protocol-slides-00

Slide 41

NEXT STEPS?

Slide 42

GET INVOLVED
Read the specification
Subscribe to the mailing list: ietf.org/mailman/listinfo/txauth
Implement it in your favorite language (existing implementations are listed on oauth.xyz)

Slide 43

WHAT ABOUT SYMFONY?

Slide 44

THANK YOU! @chalas_r