Slide 1

Slide 1 text

OAuth 101
Aaron Parecki • October 2024 • Internet Identity Workshop
oauth2simplified.com

Slide 2

Slide 2 text

Specs are not good tutorials!

Slide 3

Slide 3 text

RFC6749 RFC6750 CLIENT TYPE AUTH METHOD GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 RFC8252 OIDC RFC8414 STATE PARAM TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN BINDING POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN EXCHANGE DPOP

Slide 4

Slide 4 text

https://yelp.com/

Slide 5

Slide 5 text

The Password Anti-Pattern

Slide 6

Slide 6 text

The Password Anti-Pattern facebook.com ~2010

Slide 7

Slide 7 text

The Password Anti-Pattern
• How do you revoke this app’s access?
• Do you trust the app to not store your password?
• Do you trust the app to access only the things it says it needs?
• Do you trust the app to not do things like change your password or delete your account?

Slide 9

Slide 9 text

how can I let an app access my data without giving it my password?

Slide 10

Slide 10 text

Authorization Server Access Token Resource (API)

Slide 11

Slide 11 text

https://unsplash.com/photos/GJY1eAw6tn8

Slide 13

Slide 13 text

Application OAuth Server

Slide 15

Slide 15 text

@oktadev WHAT ABOUT FIRST PARTY APPS?

Slide 20

Slide 20 text

https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking

Slide 24

Slide 24 text

DOES MFA SOLVE THIS?

Slide 25

Slide 25 text

Phishable MFA Phishing-Resistant MFA

Slide 26

Slide 26 text

https://google.com

Slide 27

Slide 27 text

https://google.com https://apple.com

Slide 28

Slide 28 text

https://accounts.google.com https://gmail.com https://youtube.com https://google.com

Slide 29

Slide 29 text

Application OAuth Server

Slide 30

Slide 30 text

OAuth doesn't tell the app who logged in

Slide 31

Slide 31 text

Identification: tells the application about the user authenticating
Accessing APIs: gives the application a way to make API requests

Slide 32

Slide 32 text

ID Token: tells the application about the user authenticating
Access Token: gives the application a way to make API requests

Slide 33

Slide 33 text

ID Token Access Token

Slide 34

Slide 34 text

OAuth Server Application API

Slide 35

Slide 35 text

ID Token: read by the App
Access Token: read by the API

Slide 36

Slide 36 text

How OAuth Works

Slide 37

Slide 37 text

OAuth Flows: Authorization Code, Device Flow, Client Credentials, Implicit, Password
Client types shown: web, mobile, SPA, browserless devices, server-to-server, CLI

Slide 38

Slide 38 text

USING AN ACCESS TOKEN

POST /resource/1/update HTTP/1.1
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Host: api.authorization-server.com

description=Hello+World

Slide 39

Slide 39 text

Participants: User Agent, App, OAuth Server, API
"Log In" → Authorization Request → Authorization Code Response → Token Request → Token Response

Slide 40

Slide 40 text

Participants: User Agent, App, OAuth Server, API
"Log In" → Authorization Request → Authorization Code Response → Token Request → Token Response
Front Channel: Authorization Request, Authorization Code Response
Back Channel: Token Request, Token Response

Slide 41

Slide 41 text

Front Channel Redirect

https://authorization-server.com/auth?
  response_type=code&
  client_id=[CLIENT_ID]&
  redirect_uri=[REDIRECT_URI]&
  scope=photos&
  state=dd624a841f5&
  code_challenge=[CODE_CHALLENGE]&
  code_challenge_method=S256

Slide 42

Slide 42 text

Front Channel Redirect

https://example-app.com/redirect?
  code=bLvgTm0vjQLo08gxCreLcxrJwyFq0KnKBH&
  state=dd624a841f5

Slide 43

Slide 43 text

Back Channel POST Request

POST /token
Host: authorization-server.com

grant_type=authorization_code&
client_id=[CLIENT_ID]&
redirect_uri=[REDIRECT_URI]&
code_verifier=[CODE_VERIFIER]&
code=bLvgTm0vjQLo08gxCreLcxrJwyFq0KnKBH

Slide 44

Slide 44 text

Back Channel POST Response

Content-type: application/json

{
  "token_type": "Bearer",
  "expires_in": 86400,
  "access_token": "eyJraWQiOiJHSDZmqr...",
  "scope": "photos"
}

Slide 45

Slide 45 text

Front Channel (https://accounts.google.com/?...): passing data via the browser's address bar. The user, or malicious software, can modify the requests and responses.
Back Channel: sent from client to server. HTTPS request from client to server, so requests cannot be tampered with.

Slide 46

Slide 46 text

Back Channel

Slide 47

Slide 47 text

Front Channel

Slide 48

Slide 48 text

PKCE Ensures the app that receives the authorization code is the same one that started the exchange
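The flow of slides 41 through 44, with the PKCE check of slide 48, as an added example in Python (not code from the deck): the app generates a code_verifier, sends only the S256 challenge on the front channel, checks state when the redirect comes back, and the authorization server recomputes the challenge from the code_verifier at the token endpoint. Function names are mine; the endpoint, redirect URI, state and code values are the ones on the slides, and the server storing the challenge next to the issued code is assumed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Per-request secret kept by the app; 32 random bytes -> 43 chars (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for code_challenge_method=S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state, verifier):
    """App side: the front-channel redirect of slide 41. Only the challenge leaves the app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return auth_endpoint + "?" + urlencode(params)


def handle_redirect(redirect_url: str, expected_state: str) -> str:
    """App side: accept the slide-42 redirect only if state matches this session (CSRF check)."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this response does not belong to a request we started")
    return qs["code"][0]


def verify_code_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """AS side at the token endpoint (slide 43): recompute S256 over the presented code_verifier
    and compare with the challenge stored with the code (assumed storage). Whoever only saw the
    code in the front channel cannot produce the verifier, so the exchange is refused."""
    return secrets.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))
```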

Slide 49

Slide 49 text

OAuth 2.1
Consolidate the OAuth 2.0 specs, adding best practices, removing deprecated features
Capture current best practices in OAuth 2.0 under a single name

Slide 50

Slide 50 text

OAuth 2.0
RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
RFC7636 +PKCE
RFC8252: PKCE for mobile
Browser App BCP: PKCE for SPAs
Security BCP: PKCE for confidential clients

Slide 51

Slide 51 text

OAuth 2.1
Authorization Code (+PKCE), Client Credentials
Tokens in HTTP Header, Tokens in POST Form Body

Slide 52

Slide 52 text

OAuth 2.1 oauth.net/2.1 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11

Slide 53

Slide 53 text

RECENT OAUTH EXTENSIONS

Slide 54

Slide 54 text

Pushed Authorization Requests (PAR) RFC9126
Participants: User Agent (Browser), Client (App), Authorization Server, Resource Server (API)

Slide 55

Slide 55 text

PUSHED AUTHORIZATION REQUESTS (PAR) RFC9126 (oauth.net/2/pushed-authorization-requests)
Typically, the authorization request is sent in the front channel
Front channel is susceptible to inspection and modification
PAR initiates the OAuth flow from the back channel

Slide 56

Slide 56 text

PUSHED AUTHORIZATION REQUESTS (PAR) oauth.net/2/pushed-authorization-requests RFC9126

Slide 57

Slide 57 text

Rich Authorization Requests (RAR) RFC 9396
Participants: User Agent (Browser), Client (App), Authorization Server, Resource Server (API)

Slide 58

Slide 58 text

RICH AUTHORIZATION REQUESTS RFC 9396 (oauth.net/2/rich-authorization-requests)
OAuth “scope” is limited to strings
Need a way to authorize fine-grained transactions or resources
And present that to the user in the authorization interface

Slide 59

Slide 59 text

oauth.net/2/rich-authorization-requests RICH AUTHORIZATION REQUESTS RFC 9396

Slide 60

Slide 60 text

Step-Up Authentication Challenge RFC 9470
Participants: User Agent (Browser), Client (App), Authorization Server, Resource Server (API)

Slide 61

Slide 61 text

STEP-UP AUTHENTICATION CHALLENGE RFC 9470 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-step-up-authn-challenge)
A Resource Server can respond with an error telling the client to re-authenticate the user or get a higher level authentication
The client sends the user through the OAuth flow again to get a new access token
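Both halves of the step-up exchange described above, as an added Python example (not code from the deck): the resource server builds the WWW-Authenticate challenge RFC 9470 defines (error="insufficient_user_authentication" with optional acr_values and max_age), and the client parses it and carries those values into its next authorization request. Function names are mine and the acr value used in comments is a constructed sample.

```python
import re


def step_up_challenge(acr_values=None, max_age=None, description=None) -> str:
    """Resource server side: the WWW-Authenticate value for a token that is valid but whose
    user authentication is not strong or recent enough (RFC 9470 section 3)."""
    parts = ['error="insufficient_user_authentication"']
    if description:
        parts.append(f'error_description="{description}"')
    if acr_values:  # e.g. a constructed sample value "myACR"
        parts.append(f'acr_values="{acr_values}"')
    if max_age is not None:  # seconds since the user last authenticated
        parts.append(f"max_age={int(max_age)}")
    return "Bearer " + ", ".join(parts)


# name=value pairs where the value is either quoted or a bare token
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(www_authenticate: str) -> dict:
    """Client side: extract the Bearer challenge parameters; {} for any other scheme."""
    if not www_authenticate.startswith("Bearer "):
        return {}
    return {name: quoted or bare for name, quoted, bare in _PARAM.findall(www_authenticate[7:])}


def authorization_params_for_step_up(challenge: dict, base_params: dict) -> dict:
    """Client side (RFC 9470 section 4): copy acr_values and max_age from the challenge into a
    new authorization request, so the user goes through the OAuth flow again and the client gets
    a fresh access token that meets the resource server's requirement."""
    if challenge.get("error") != "insufficient_user_authentication":
        raise ValueError("not a step-up challenge")
    params = dict(base_params)
    if "acr_values" in challenge:
        params["acr_values"] = challenge["acr_values"]
    if "max_age" in challenge:
        params["max_age"] = challenge["max_age"]
    return params
```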

Slide 62

Slide 62 text

JWT Profile for Access Tokens RFC9068
Participants: User Agent (Browser), Client (App), Authorization Server, Resource Server (API)

Slide 63

Slide 63 text

JWT PROFILE FOR ACCESS TOKENS RFC9068 (oauth.net/2/jwt-access-tokens)

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGhvcml6YXRpb24tc2VydmVyLmV4YW1wbGUuY29tLyIsInN1YiI6IiA1YmE1NTJkNjciLCJhdWQiOiJodHRwczovL3JzLmV4YW1wbGUuY29tLyIsImV4cCI6MTU5MzQ4NjY0OCwiY2xpZW50X2lkIjoiczZCaGRSa3F0M18iLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIHJlYWRlbWFpbCIsImp0aSI6IjAxODEwMmE1LTkzYmQtNDE0OC05ODI2LThlYTE3NTBjMjMyNiIsImlhdCI6MTU5MzQ4MzA0OH0.lWWmEU2kxTtlwu5TOTkXa7e7ZUNd0WbKtsef7EuJyB8
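The token on this slide, decoded and run through the claim checks a resource server makes under RFC 9068, as an added Python example (not code from the deck). The expected issuer and audience are taken from the token's own claims; signature verification against the authorization server's published key is a separate step that this example does not perform, and function names are mine.

```python
import base64
import json

# The example token from the slide (an expired sample, not a live credential).
SLIDE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2"
    "F1dGhvcml6YXRpb24tc2VydmVyLmV4YW1wbGUuY29tLyIsInN1YiI6IiA1Y"
    "mE1NTJkNjciLCJhdWQiOiJodHRwczovL3JzLmV4YW1wbGUuY29tLyIsImV4"
    "cCI6MTU5MzQ4NjY0OCwiY2xpZW50X2lkIjoiczZCaGRSa3F0M18iLCJzY29"
    "wZSI6Im9wZW5pZCBwcm9maWxlIHJlYWRlbWFpbCIsImp0aSI6IjAxODEwMm"
    "E1LTkzYmQtNDE0OC05ODI2LThlYTE3NTBjMjMyNiIsImlhdCI6MTU5MzQ4M"
    "zA0OH0.lWWmEU2kxTtlwu5TOTkXa7e7ZUNd0WbKtsef7EuJyB8"
)


def b64url_decode(segment: str) -> bytes:
    """JWS segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt(token: str):
    """Split a compact JWS into (header, claims, signature bytes). Nothing is verified here."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def is_at_jwt(header: dict) -> bool:
    """RFC 9068 requires typ "at+jwt" so an ID token cannot be passed off as an access token.
    The slide's example carries the generic "JWT" type, so this returns False for it."""
    return header.get("typ", "").lower() == "at+jwt"


def check_access_token_claims(claims: dict, expected_issuer: str, my_audience: str, now: int) -> list:
    """Claim checks from RFC 9068 section 4, made after the signature has been verified.
    Returns the names of failed checks; an empty list means the claims are acceptable."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss")
    aud = claims.get("aud")
    if my_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")  # token was minted for a different resource server
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        problems.append("exp")
    for required in ("sub", "client_id", "iat", "jti"):  # mandatory per RFC 9068 section 2.2
        if required not in claims:
            problems.append(required)
    return problems
```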

Slide 64

Slide 64 text

OAuth for Browser-Based Applications (Best Current Practice) https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
Participants: User Agent (Browser), Client (App), Authorization Server, Resource Server (API)

Slide 65

Slide 65 text

authorization token Pure SPA Access token is obtained by JS in the browser. No backend, browser JS makes API requests directly.

Slide 66

Slide 66 text

TMI-BFF Token Mediating Backend Access token is obtained by the backend, but then retrieved by the frontend. Browser JS makes API calls directly.

Slide 67

Slide 67 text

BFF Backend-for-Frontend Access token is never sent to the browser. All API requests are proxied through the BFF. XSS is limited to the attacker telling your app server to make requests.

Slide 68

Slide 68 text

Specs Built on OAuth
• OpenID Connect (openid.net)
• FAPI (High-Security OAuth Profile)
• UMA (User-Managed Access)
• IndieAuth (indieauth.net)

Slide 69

Slide 69 text

aaronpk.com oauth.wtf oauth.net