Slide 1

Slide 1 text

How to Think About OAuth Security AARON PARECKI @aaronpk Disclosure Conference • September 2020

Slide 2

Slide 2 text

@aaronpk September 2020 oauth.net/2

Slide 3

Slide 3 text

THE PASSWORD ANTI-PATTERN

Slide 4

Slide 4 text

THE PASSWORD ANTI-PATTERN: facebook.com, ~2010

Slide 5

Slide 5 text


Slide 6

Slide 6 text

so... how can I let an app access my data without giving it my password?

Slide 7

Slide 7 text


Slide 8

Slide 8 text

A HOTEL KEY CARD, FOR APPS (Authorization Server, Access Token, Resource (API))

Slide 9

Slide 9 text

OAuth 2.0
• RFC6749 OAuth Core. Grant Types: Authorization Code, Implicit, Password, Client Credentials

Slide 10

Slide 10 text

Participants: User Agent, App, OAuth Server, API
• User: I'd like to use this great app
• App: Please go to the authorization server to grant me access
• User: I'd like to log in to "Yelp", it wants to access my contacts
• AS: Here is a temporary code the app can use
• User: Here is the temporary code, please use this to get a token
• App: Here is the temporary code, and my secret, please give me a token
• AS: Here is an access token!
• App: Please let me access this user's data with this access token!

Slide 11

Slide 11 text


Slide 12

Slide 12 text

OAuth 2.0
• RFC6749 OAuth Core. Grant Types: Authorization Code, Implicit, Password, Client Credentials
• RFC6750 Bearer Tokens. Token Usage: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String

Slide 13

Slide 13 text

POST /resource/1/update HTTP/1.1
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Host: api.authorization-server.com

description=Hello+World

Slide 14

Slide 14 text

GET /resource/1?access_token=RsT5OjbzRn430zq
Host: api.authorization-server.com
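The two token-usage methods on the preceding slides, as an added example that is not from the deck or any library: a resource server that accepts a token only from the Authorization header, plus a scan over constructed access-log lines that flags and redacts the query-string form the talk warns against (tokens in the URL land in logs, browser history and Referer headers).

```python
import re
from typing import Optional

# Added example, not from the slides. Log lines below are constructed.
LOG_LINES = [
    '10.0.0.5 - - [14/Sep/2020:10:01:02 +0000] "POST /resource/1/update HTTP/1.1" 200 17',
    '10.0.0.5 - - [14/Sep/2020:10:01:03 +0000] "GET /resource/1?access_token=RsT5OjbzRn430zq HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Sep/2020:10:01:04 +0000] "GET /resource/2?page=2&access_token=abc123def HTTP/1.1" 200 300',
]

# access_token as a query parameter: parameter name in group 1, value in group 2.
TOKEN_IN_QUERY = re.compile(r"([?&]access_token=)([^&\s\"]+)")


def extract_bearer_token(headers: dict) -> Optional[str]:
    # Resource-server side: take the token only from "Authorization: Bearer <token>",
    # as in the POST /resource/1/update request on the slide. Scheme is case-insensitive.
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def find_query_string_tokens(lines) -> list:
    # Detection: 1-based numbers of log lines whose request URL carries access_token.
    return [i for i, line in enumerate(lines, start=1) if TOKEN_IN_QUERY.search(line)]


def redact_query_string_tokens(line: str) -> str:
    # Mitigation for logs you cannot fix upstream: keep the parameter name so the
    # misuse stays visible, drop the value so the log no longer stores a live token.
    return TOKEN_IN_QUERY.sub(r"\1[REDACTED]", line)
```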

Slide 15

Slide 15 text


Slide 16

Slide 16 text

2013

Slide 17

Slide 17 text


Slide 18

Slide 18 text

DON'T PUT SECRETS IN NATIVE APPS! https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps

Slide 19

Slide 19 text

PKCE: PROOF-KEY FOR CODE EXCHANGE, RFC 7636 (pronounced "pixie")
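The PKCE S256 method from RFC 7636, as an added example that is not from the slides or from any particular library: the client keeps a random code_verifier, sends only its hash (the code_challenge) in the front-channel authorization request, and presents the verifier in the back-channel token request, where the authorization server recomputes the hash against the challenge it stored with the code. The `demo_flow` walk-through and its party names are constructed for this example.

```python
import base64
import hashlib
import secrets

# Added example, not from the deck. Implements RFC 7636 code_verifier /
# code_challenge handling on both the client and the authorization-server side.


def b64url_nopad(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # Client side. 32 random bytes encode to 43 characters, the RFC minimum (max 128).
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(code_verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))). This is what goes in the
    # front-channel authorization request as code_challenge=...&code_challenge_method=S256.
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def as_verify(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    # Authorization-server side of the token request: recompute from the presented
    # verifier and compare in constant time with the challenge stored alongside the code.
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":  # permitted by RFC 7636, but S256 is the method to use
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def demo_flow() -> dict:
    # Constructed walk-through: one legitimate exchange, and a party that obtained
    # only the authorization code (e.g. by intercepting the front-channel redirect)
    # but not the verifier, which is exactly the case PKCE is designed to defeat.
    verifier = make_code_verifier()
    issued = {"code": secrets.token_urlsafe(16),  # bound to the challenge below
              "challenge": make_code_challenge(verifier), "method": "S256"}
    return {
        "legitimate_client": as_verify(issued["challenge"], issued["method"], verifier),
        "holder_of_code_only": as_verify(issued["challenge"], issued["method"], make_code_verifier()),
    }
```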

Slide 20

Slide 20 text

OAuth 2.0
• RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
• RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
• RFC7636 +PKCE

Slide 21

Slide 21 text

OAuth 2.0
• RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
• RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
• RFC7636 +PKCE
• RFC8252 PKCE for mobile

Slide 22

Slide 22 text


Slide 23

Slide 23 text

Browser-based app: https://example.com, https://app.example.com, https://auth.example. GET / returns HTML, CSS, etc; POST /token returns the access token (CORS)

Slide 24

Slide 24 text

Participants: User Agent, App, OAuth Server, API
• User: I'd like to use this great app
• App: Please go to the authorization server to grant me access
• User: I'd like to log in to "Yelp", it wants to access my contacts
• AS: Here is a temporary code the app can use
• User: Here is the temporary code, please use this to get a token
• App: Here is the temporary code, and my secret, please give me a token
• AS: Here is an access token!
• App: Please let me access this user's data with this access token!

Slide 25

Slide 25 text

Front Channel
• Passing data via the browser's address bar (https://accounts.google.com/?...)
• The user, or malicious software, can modify the requests and responses
Back Channel
• Sent from client to server
• HTTPS request from client to server, so requests cannot be tampered with

Slide 26

Slide 26 text

Passing Data via the Back Channel (OAuth Client to OAuth Server)

Slide 27

Slide 27 text

Passing Data via the Front Channel (OAuth Server to OAuth Client): Did they catch it? Did someone else steal it? Is this really from the real OAuth server?

Slide 28

Slide 28 text

caniuse.com/cors

Slide 29

Slide 29 text

oauth.net/implicit Implicit Flow Detector

Slide 30

Slide 30 text

OAuth 2.0
• RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
• RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
• RFC7636 +PKCE
• RFC8252 PKCE for mobile

Slide 31

Slide 31 text

OAuth 2.0
• RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
• RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
• RFC7636 +PKCE
• RFC8252 PKCE for mobile
• Browser App BCP: PKCE for SPAs

Slide 32

Slide 32 text

OAuth 2.0 for Browser-Based Apps

Slide 33

Slide 33 text

OAuth 2.0 for Browser-Based Apps

Slide 34

Slide 34 text

OAuth 2.0
• RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
• RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
• RFC7636 +PKCE
• RFC8252 PKCE for mobile
• Browser App BCP: PKCE for SPAs
• Security BCP: PKCE for confidential clients

Slide 35

Slide 35 text

OAuth 2.0 Security BCP
• All OAuth clients MUST use PKCE with the authorization code flow
• Password grant MUST NOT be used
• Use exact string matching for redirect URIs
• No access tokens in query strings
• Refresh tokens for single page apps must be sender-constrained or one-time use
oauth.net/2/oauth-best-practice
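What "exact string matching for redirect URIs" means in practice, as an added example that is not from the slides or from any authorization server's code: the BCP rule beside two looser rules (prefix match, host-only match) so the difference is visible on concrete inputs. The registered URIs and candidate values are constructed for this example.

```python
from urllib.parse import urlsplit

# Added example, not from the deck. Registered values are constructed.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/callback",
    "https://app.example.com/oauth/cb",
}


def allowed_exact(candidate: str) -> bool:
    # Security BCP rule: the request's redirect_uri must equal a registered value
    # character for character; no added query, fragment, path or case change.
    return candidate in REGISTERED_REDIRECT_URIS


def allowed_prefix(candidate: str) -> bool:
    # Looser rule, shown only for contrast: anything starting with a registered URI.
    return any(candidate.startswith(r) for r in REGISTERED_REDIRECT_URIS)


def allowed_host_only(candidate: str) -> bool:
    # Looser rule, shown only for contrast: any https URL on a registered host.
    parts = urlsplit(candidate)
    hosts = {urlsplit(r).hostname for r in REGISTERED_REDIRECT_URIS}
    return parts.scheme == "https" and parts.hostname in hosts


# Constructed candidates: only the first is what the client actually registered.
CANDIDATES = [
    "https://app.example.com/callback",
    "https://app.example.com/callback?next=1",
    "https://app.example.com/callback/extra",
    "https://app.example.com/other-page",
    "https://App.Example.com/callback",
    "http://app.example.com/callback",
]


def compare_rules(candidates=CANDIDATES) -> dict:
    # Which rule accepts which candidate; exact matching accepts the registered value only.
    return {c: {"exact": allowed_exact(c),
                "prefix": allowed_prefix(c),
                "host_only": allowed_host_only(c)} for c in candidates}
```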

Slide 36

Slide 36 text

Use PKCE! https://youtu.be/1ot45WwQWJE

Slide 37

Slide 37 text

OAuth 2.0 Security BCP
• All OAuth clients MUST use PKCE with the authorization code flow
• Password grant MUST NOT be used
• Use exact string matching for redirect URIs
• No access tokens in query strings
• Refresh tokens for single page apps must be sender-constrained or one-time use
oauth.net/2/oauth-best-practice

Slide 38

Slide 38 text

Password (oauth.net/2/oauth-best-practice)

Slide 39

Slide 39 text

Password (oauth.net/2/oauth-best-practice)
• Added to OAuth to enable migrating applications from HTTP Basic Auth or using a stored password to OAuth

Slide 40

Slide 40 text

Password
• Exposes the username and password to the application
• Even for first-party / trusted clients, this increases the attack surface
• Trains users that it's okay to enter their password in more than one place
• Difficult or impossible to extend to support multifactor or passwordless authentication (WebCrypto, WebAuthn)

Slide 41

Slide 41 text

OAuth 2.0 Security BCP
• All OAuth clients MUST use PKCE with the authorization code flow
• Password grant MUST NOT be used
• Use exact string matching for redirect URIs
• No access tokens in query strings
• Refresh tokens for single page apps must be sender-constrained or one-time use
oauth.net/2/oauth-best-practice

Slide 42

Slide 42 text


Slide 43

Slide 43 text

RFC6749 RFC6750 CLIENT TYPE AUTH METHOD GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE PARAM TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN BINDING POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN EXCHANGE DPOP

Slide 44

Slide 44 text

OAuth 2.0
• RFC6749 OAuth Core: Authorization Code, Implicit, Password, Client Credentials
• RFC6750 Bearer Tokens: Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String
• RFC7636 +PKCE
• RFC8252 PKCE for mobile
• Browser App BCP: PKCE for SPAs
• Security BCP: PKCE for confidential clients

Slide 45

Slide 45 text

OAuth 2.1
• Authorization Code +PKCE
• Client Credentials
• Tokens in HTTP Header
• Tokens in POST Form Body

Slide 46

Slide 46 text

OAuth 2.1 oauth.net/2.1

Slide 47

Slide 47 text

OAuth 2.1
• Consolidate the OAuth 2.0 specs, adding best practices, removing deprecated features
• Capture current best practices in OAuth 2.0 under a single name
• Add references to extensions that didn't exist when OAuth 2.0 was published

Slide 48

Slide 48 text

OAuth 2.1
• No new behavior defined by OAuth 2.1
• Non-Goals: Don't include anything experimental, in progress or not widely implemented

Slide 49

Slide 49 text

OAuth 2.1. Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt
• OAuth 2.1 is a consolidation of: OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), Bearer Tokens (RFC6750)
• Grant types defined: Authorization Code with PKCE, Client Credentials
• Exact redirect URI matching
• No Bearer tokens in query strings
• Refresh tokens for SPAs must be sender-constrained or one-time use
• Implicit and password grants are omitted

Slide 50

Slide 50 text

OAuth 2.1 Client Types: Public, Confidential

Slide 51

Slide 51 text

OAuth 2.1 Client Types: Public, Confidential, Credentialed

Slide 52

Slide 52 text

Credentialed Client. This distinction already exists in OAuth 2.0!
• OAuth 2.0: "If the client type is confidential or the client was issued client credentials, the client MUST authenticate..."
• OAuth 2.1: "Confidential or credentialed clients MUST authenticate..."

Slide 53

Slide 53 text

Credentialed Client
• A client that has credentials, but whose identity is not confirmed
• e.g. a client that obtains a client secret via dynamic client registration

Slide 54

Slide 54 text

OAuth 2.1 Client Types: Public, Confidential, Credentialed, compared on two properties: Confirmed Identity, Can Authenticate

Slide 55

Slide 55 text

https://accounts.google.com/oauth/authorize?response_ty

Slide 56

Slide 56 text

2017

Slide 57

Slide 57 text

OAuth 2.1: oauth.net/2.1, tools.ietf.org/html/draft-ietf-oauth-v2-1. Recently adopted by the OAuth Working Group

Slide 58

Slide 58 text

Thank You! @aaronpk aaronpk.com oauth2simplified.com