Slide 1

Slide 1 text

OAUTH next

Slide 2

Slide 2 text

ABOUT ME ▸ Independent Consultant/Architect/Developer/Trainer ▸ Doing stuff with & without Computers, Software, > 25 yrs ▸ "Mr. Keycloak" since 2015 (v1.x) ▸ Organizer of Keycloak DevDay Conf (keycloak-day.dev) ▸ Co-Lead of JUG DA (www.jug-da.de / @JUG_DA) ▸ Author of „Serverless Computing in AWS Cloud“ ▸ Web: www.n-k.de / Social: @dasniko YouTube: youtube.com/@dasniko

Slide 3

Slide 3 text


Slide 4

Slide 4 text

The Status Quo of OAuth2 DISCLAIMER This talk is not about what OAuth is and how it works!

Slide 5

Slide 5 text

The Status Quo of OAuth2 OAuth Standard, Specification, Protocol or Framework?

Slide 6

Slide 6 text

The Status Quo of OAuth2 OAuth 1.0? IETF, RFC 5849 (2010; the IETF write-up of the 2007 OAuth Core 1.0 community spec): OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

Slide 7

Slide 7 text

The Status Quo of OAuth2 OAuth 1.0? OAuth Core 1.0, community specification, 2007 (later published as RFC 5849): The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication. Digital signatures, crypto…

Slide 8

Slide 8 text

The Status Quo of OAuth2 OAuth 2.0 IETF, RFC 6749/6750: The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Slide 9

Slide 9 text

The Status Quo of OAuth2 Aaron Parecki, Okta, @aaronpk, 2020

Slide 10

Slide 10 text

The Status Quo of OAuth2 How many RFCs does it take to change a lightbulb!? Unknown Developer

Slide 11

Slide 11 text

The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS RFC6749, 2012

Slide 12

Slide 12 text

The Status Quo of OAuth2 Wait… 2010 / 2012?

Slide 13

Slide 13 text

The Status Quo of OAuth2 2010 / 2012
▸ iPhone 5
▸ Internet Explorer 9
▸ AJAX apps (SPA)
▸ HTTP POST form requests instead of JSON
▸ CORS not yet an established W3C standard
The world was much simpler, fewer choices!

Slide 14

Slide 14 text

The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS RFC6749

Slide 15

Slide 15 text

The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS RFC6749 PKCE RFC7636

Slide 16

Slide 16 text

The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252

Slide 17

Slide 17 text

The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252 DEVICE CODE RFC8628

Slide 18

Slide 18 text

The Status Quo of OAuth2 AUTHORIZATION CODE IMPLICIT PASSWORD CLIENT CREDENTIALS RFC6749 PKCE RFC7636 PKCE FOR MOBILE RFC8252 DEVICE CODE RFC8628 PKCE FOR SPAS Browser App BCP

Slide 19

Slide 19 text

The Status Quo of OAuth2
▸ AUTHORIZATION CODE, IMPLICIT, PASSWORD, CLIENT CREDENTIALS: RFC 6749
▸ PKCE: RFC 7636
▸ PKCE FOR MOBILE: RFC 8252
▸ DEVICE CODE: RFC 8628
▸ SECURITY BCP: PKCE also for confidential clients, exact string matching for redirect URIs
▸ PKCE FOR SPAs: Browser App BCP
RFCs about tokens (Bearer, JWT) not even mentioned here…!

Slide 20

Slide 20 text

The Status Quo of OAuth2 AUTHORIZATION CODE + PKCE CLIENT CREDENTIALS OAuth 2.1 DEVICE CODE

Slide 21

Slide 21 text

The Status Quo of OAuth2 OAuth 2.1 ➡ PKCE is required for all OAuth clients using the authorization code flow ➡ Implicit grant is omitted from the specification ➡ Resource Owner Password Credentials grant is omitted from the specification https://oauth.net/2.1/
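PKCE (RFC 7636 in the RFC list above, and the first OAuth 2.1 rule on this slide) is small enough to show end to end. The following is an added example, not code from the talk or from Keycloak: a client that generates the `code_verifier` and its S256 `code_challenge`, and an in-memory authorization server that binds the challenge to the authorization code and checks the verifier at the token endpoint. The client id and the token shapes are placeholders; nothing goes over the network, and the only non-constructed value is the RFC 7636 Appendix B test vector used to check the transform.

```python
"""PKCE (RFC 7636) as both sides see it. Added example, not code from the talk
or from Keycloak. Client id and token formats are placeholders."""
import base64
import hashlib
import secrets
import string

# RFC 7636 sec. 4.1: code_verifier uses unreserved characters only
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """High-entropy random string of 43..128 unreserved characters (sec. 4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 transform (sec. 4.2): BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal in-memory AS. Stores the challenge with the issued code and
    verifies the code_verifier at the token endpoint (sec. 4.4-4.6).
    'plain' is refused, as OAuth 2.1 only allows S256; codes are single use."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge, code_challenge_method="S256"):
        if code_challenge_method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        if not code_challenge:
            raise ValueError("code_challenge is required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed once
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        expected = make_code_challenge(code_verifier)
        # constant-time compare, although the challenge is not a secret
        if not secrets.compare_digest(expected, stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server, client_id="spa-client"):
    """Legitimate client: keeps the verifier, sends only the challenge up front."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier)


def run_injection_attempt(server, client_id="spa-client"):
    """Attacker who captured the authorization code (e.g. from a leaky
    redirect) but not the verifier: redeeming with any other verifier fails."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, make_code_verifier())


if __name__ == "__main__":
    print("legitimate:", run_flow(AuthorizationServer()))
    print("injected code:", run_injection_attempt(AuthorizationServer()))
```

The point the slide makes is visible in `run_injection_attempt`: the authorization code alone is worthless without the verifier that never left the legitimate client, which is why OAuth 2.1 makes PKCE mandatory for every client using the authorization code grant, confidential ones included.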

Slide 22

Slide 22 text

The Status Quo of OAuth2 OAuth 2.1 ➡ Redirect URIs must be compared using exact string matching ➡ Bearer token usage omits the use of bearer tokens in the query string of URIs ➡ Refresh tokens for public clients must either be sender-constrained or one-time use https://oauth.net/2.1/
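The three rules on this slide are all server-side checks, and each is easy to get subtly wrong. The following is an added example (not from the talk, not Keycloak code) that implements them in a few lines: exact-string `redirect_uri` matching shown next to the prefix matching it replaces, a resource server that takes bearer tokens from the `Authorization` header only, and one-time-use refresh tokens with reuse detection. The client registration, URIs and tokens are constructed sample data.

```python
"""OAuth 2.1 server-side checks. Added example, not code from the talk or
from Keycloak. The registered client and all URIs/tokens are constructed."""
import secrets

# Constructed registration: one public client with one registered redirect URI.
REGISTERED_CLIENTS = {
    "spa-client": {
        "public": True,
        "redirect_uris": {"https://app.example.com/callback"},
    },
}


def redirect_uri_allowed_prefix(client_id, redirect_uri):
    """The pre-2.1 anti-pattern: prefix matching. Anything under the
    registered URI passes, including paths that only exist as a redirector."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    return any(redirect_uri.startswith(u) for u in client["redirect_uris"])


def redirect_uri_allowed(client_id, redirect_uri):
    """OAuth 2.1: exact string comparison against the registered value.
    No prefix, no wildcard, no normalisation of scheme, host, path or query."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    return redirect_uri in client["redirect_uris"]


def bearer_token_from_request(headers, query):
    """RFC 6750 allowed header, form body or query string; OAuth 2.1 drops the
    query-string form. Accept only 'Authorization: Bearer <token>' and refuse
    any request carrying access_token in the URL, since URLs land in server
    logs, Referer headers and browser history."""
    if "access_token" in query:
        return None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


class RefreshTokenStore:
    """Rotating refresh tokens for public clients. Every refresh returns a new
    token and marks the old one as used. Presenting a used token is treated
    as theft and revokes the whole family (every token descended from the
    same grant), so neither the attacker nor the victim can continue."""

    def __init__(self):
        self._tokens = {}  # token -> [family_id, used]
        self._revoked_families = set()

    def issue(self, family_id=None):
        family_id = family_id or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = [family_id, False]
        return token

    def refresh(self, presented):
        entry = self._tokens.get(presented)
        if entry is None:
            return None
        family_id, used = entry
        if family_id in self._revoked_families:
            return None
        if used:
            # reuse detected: revoke the family instead of just this token
            self._revoked_families.add(family_id)
            return None
        entry[1] = True
        return self.issue(family_id)


if __name__ == "__main__":
    evil = "https://app.example.com/callback/../redirect?to=https://evil.example"
    print("prefix match accepts:", redirect_uri_allowed_prefix("spa-client", evil))
    print("exact match accepts:", redirect_uri_allowed("spa-client", evil))
    store = RefreshTokenStore()
    t1 = store.issue()
    t2 = store.refresh(t1)
    print("replay of t1 after rotation:", store.refresh(t1))
    print("t2 after family revocation:", store.refresh(t2))
```

Rotation alone is not enough: without the family revocation in `refresh`, an attacker who stole a refresh token and used it first would keep a valid chain while the victim is the one locked out.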

Slide 23

Slide 23 text

The Status Quo of OAuth2 OAuth 2.1 ➡ No new behavior is defined in OAuth 2.1! ➡ Nothing experimental, in-progress or not widely implemented! https://oauth.net/2.1/

Slide 24

Slide 24 text

The Status Quo of OAuth2 OAuth 2.1 When will it be released? Well, nobody knows…

Slide 25

Slide 25 text

The Status Quo of OAuth2 It's difficult to make predictions, especially about the future. Niels Bohr, Nobel Laureate in Physics and father of the Bohr model of the atom

Slide 26

Slide 26 text

The Status Quo of OAuth2 OAuth 2.1 When will it be released? Well, nobody knows… but there's nothing that stops you from JUST USING it!

Slide 27

Slide 27 text

The Status Quo of OAuth2 https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

Slide 28

Slide 28 text

The Status Quo of OAuth2 FUTURE!?

Slide 29

Slide 29 text

The Status Quo of OAuth2 OAuth 2.1 is made to stay!

Slide 30

Slide 30 text

The Status Quo of OAuth2 OAuth 3?

Slide 31

Slide 31 text

The Status Quo of OAuth2 GNAP Grant Negotiation and Authorization Protocol An in-progress effort to develop a next-generation authorization protocol. Early drafts of the spec were called "XYZ", "TxAuth", and "Transactional Authorization". https://oauth.net/gnap/

Slide 32

Slide 32 text

The Status Quo of OAuth2 Links OAuth 2.0
▸ OAuth 2.0 Overview: https://oauth.net/2/
▸ OAuth Core, RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749
▸ OAuth 2.0 Threat Model and Security Considerations, RFC 6819: https://datatracker.ietf.org/doc/html/rfc6819
▸ OAuth 2.0 Token Revocation, RFC 7009: https://datatracker.ietf.org/doc/html/rfc7009
▸ Proof Key for Code Exchange, RFC 7636: https://datatracker.ietf.org/doc/html/rfc7636
▸ OAuth 2.0 for Native Apps, RFC 8252: https://datatracker.ietf.org/doc/html/rfc8252
▸ OAuth 2.0 Device Authorization Grant, RFC 8628: https://datatracker.ietf.org/doc/html/rfc8628
▸ OAuth 2.0 for Browser-Based Apps: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
▸ OAuth 2.0 Security Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics

Slide 33

Slide 33 text

The Status Quo of OAuth2 Links Token
▸ OAuth 2.0 Bearer Token Usage, RFC 6750: https://datatracker.ietf.org/doc/html/rfc6750
▸ OAuth 2.0 Token Binding, Draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-08
▸ OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, RFC 8705: https://datatracker.ietf.org/doc/html/rfc8705
▸ JSON Web Token, RFC 7519: https://datatracker.ietf.org/doc/html/rfc7519
▸ JSON Web Token (JWT) Best Current Practice, RFC 8725: https://datatracker.ietf.org/doc/html/rfc8725
▸ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, RFC 9068: https://datatracker.ietf.org/doc/html/rfc9068

Slide 34

Slide 34 text

The Status Quo of OAuth2 Links OAuth 2.1+
▸ OAuth 2.1 Overview: https://oauth.net/2.1/
▸ OAuth 2.1 Draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1
▸ GNAP Overview: https://oauth.net/gnap/

Slide 35

Slide 35 text

The Status Quo of OAuth2 NIKO KÖBLER | www.n-k.de | [email protected] | @dasniko THANK YOU. ANY QUESTIONS? Slides & Links: https://linktr.ee/dasniko