Tweet
Tweet

Slide 1

Slide 1 text

OAuth 2.1 Aaron Parecki OAuth Security Workshop July 22, 2020 https://tools.ietf.org/html/draft-parecki-oauth-v2-1

Slide 2

Slide 2 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types

Slide 3

Slide 3 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

Slide 4

Slide 4 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials Grant Types RFC6750 Bearer Tokens Token Usage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

Slide 5

Slide 5 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

Slide 6

Slide 6 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

Slide 7

Slide 7 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

Slide 8

Slide 8 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020

Slide 9

Slide 9 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 https://example.com https://app.example.com https://auth.example GET / HTML, CSS, etc POST /token access token Cross-Origin Resource Sharing

Slide 10

Slide 10 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

Slide 11

Slide 11 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

Slide 12

Slide 12 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

Slide 13

Slide 13 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String

Slide 14

Slide 14 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

Slide 15

Slide 15 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 RFC6749 RFC6750 CLIENT TYPE AUTH GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR

Slide 16

Slide 16 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP

Slide 17

Slide 17 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP Header Tokens in POST Form Body

Slide 18

Slide 18 text

OAuth 2.1 oauth.net/2.1

Slide 19

Slide 19 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published

Slide 20

Slide 20 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.1 No new behavior defined by OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented

Slide 21

Slide 21 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.1 Summary Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt • OAuth 2.1 is a consolidation of: 
 OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), 
 Bearer Tokens (RFC6750) • Grant types defined: Authorization Code with PKCE, Client Credentials • Exact redirect URI matching • No Bearer tokens in query strings • Refresh tokens must be sender-constrained or one-time use • Implicit and password grants are omitted

Slide 22

Slide 22 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.1 Client Types Public Confidential

Slide 23

Slide 23 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.1 Client Types Public Confidential Credentialed

Slide 24

Slide 24 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials, the client MUST authenticate... OAuth 2.1: Confidential or credentialed clients MUST authenticate...

Slide 25

Slide 25 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 Credentialed Client This distinction already exists in OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements)... OAuth 2.1: Confidential or credentialed clients...

Slide 26

Slide 26 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 Credentialed Client • A client that has credentials, but whose identity is not confirmed • e.g. a client that obtains a client secret via dynamic client registration

Slide 27

Slide 27 text

OAuth 2.1 • Aaron Parecki • OAuth Security Workshop 2020 OAuth 2.1 oauth.net/2.1 tools.ietf.org/html/draft-parecki-oauth-v2-1

Slide 28

Slide 28 text

Thank you! @aaronpk aaronpk.com oauth.wtf