Slide 1

Slide 1 text

OAuth 2.0 for Browser-Based Apps
draft-ietf-oauth-browser-based-apps-06
Aaron Parecki
OAuth Security Workshop, July 22, 2020

Slide 2

Slide 2 text

OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth Security Workshop 2020
OAuth 2.0 for Native Apps (RFC 8252)
https://tools.ietf.org/html/rfc8252

Slide 3

Slide 3 text

OAuth 2.0 for Browser-Based Apps
https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

Slide 4

Slide 4 text


Slide 5

Slide 5 text

OAuth 2.0 for Browser-Based Apps
• Includes recommendations for implementors building browser-based apps using OAuth 2.0
• "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"

Slide 6

Slide 6 text

GOAL
Build on the Security BCP (the OAuth 2.0 Security Best Current Practice), adding the specifics that are unique to the browser environment

Slide 7

Slide 7 text

Recommendations
• MUST NOT return access tokens in the front channel (e.g. no Implicit flow)
• Clients MUST use only exact, registered redirect URIs
• The AS MUST require an exact match of the redirect URI
• The AS MUST issue one-time-use refresh tokens
• The AS MUST either set a maximum lifetime on refresh tokens or expire them if they are not used for some time
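What the authorization-server side of the last four recommendations looks like in code. This is an added example, not code from the draft or from the talk: the client record, token ids and clock values are constructed, and the weak prefix check is included only to show what "exact match" rules out.

```javascript
// Added example, not from the slides: authorization-server side enforcement of
// the redirect URI and refresh token recommendations. Client record, token ids
// and clock values are constructed for illustration.

const registeredClient = {
  clientId: 'spa-demo',
  redirectUris: ['https://app.example/callback'],
};

// Weak check: prefix matching. Anything that starts with a registered URI is
// accepted, so query strings and extra path segments the client never
// registered pass. This is the behaviour the recommendation rules out.
function redirectUriAllowedPrefix(client, requested) {
  return client.redirectUris.some((r) => requested.startsWith(r));
}

// Hardened check: the requested redirect_uri must equal a registered value
// character for character.
function redirectUriAllowedExact(client, requested) {
  return client.redirectUris.includes(requested);
}

// Refresh-token store enforcing one-time use plus both lifetime rules
// (the slide says either; applying both is the stricter choice).
// `now` is milliseconds since the epoch and is passed in so the behaviour
// is deterministic; `randomId` is injectable for the same reason.
class RefreshTokenStore {
  constructor({ maxLifetimeMs, idleTimeoutMs, randomId = () => globalThis.crypto.randomUUID() }) {
    this.maxLifetimeMs = maxLifetimeMs;
    this.idleTimeoutMs = idleTimeoutMs;
    this.randomId = randomId;
    this.records = new Map(); // token -> { clientId, familyIssuedAt, lastUsedAt, used }
  }

  // familyIssuedAt is carried across rotations so the maximum lifetime is
  // absolute, measured from the original grant, not reset by every refresh.
  issue(clientId, now, familyIssuedAt = now) {
    const token = this.randomId();
    this.records.set(token, { clientId, familyIssuedAt, lastUsedAt: now, used: false });
    return token;
  }

  // Redeem a refresh token. On success the presented token is consumed and a
  // new one is returned; every failure is reported as invalid_grant.
  rotate(token, clientId, now) {
    const rec = this.records.get(token);
    if (!rec || rec.clientId !== clientId) throw new Error('invalid_grant: unknown refresh token');
    if (rec.used) throw new Error('invalid_grant: refresh token already used');
    if (now - rec.familyIssuedAt > this.maxLifetimeMs) throw new Error('invalid_grant: max lifetime exceeded');
    if (now - rec.lastUsedAt > this.idleTimeoutMs) throw new Error('invalid_grant: idle timeout exceeded');
    rec.used = true;
    return this.issue(clientId, now, rec.familyIssuedAt);
  }
}
```

The prefix matcher accepts `https://app.example/callback?next=anything`; the exact matcher does not. A second presentation of a consumed refresh token fails regardless of how fresh it is, which is what makes the tokens one-time-use.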

Slide 8

Slide 8 text

Architecture Options
• Same-domain apps
• JS apps with a dynamic app server backend
• JS apps without a backend (e.g. static file hosting)

Slide 9

Slide 9 text

Same-Domain Applications
• Details of this section still TBD
• There are still benefits of OAuth such as easier MFA, avoiding passwords in apps, etc.
• Thoughts and opinions welcome

Slide 10

Slide 10 text

JavaScript App with a Backend

Slide 11

Slide 11 text

JavaScript App without a Backend

Slide 12

Slide 12 text

Another architectural option?
• Performing the OAuth flow within a Web Worker to isolate the tokens from the main JavaScript global scope
• https://gitlab.com/jimdigriz/oauth2-worker

Slide 13

Slide 13 text

Outstanding Work
• Collect feedback on the architectural recommendations from people who have deployment experience
• Remove details and reference sections that duplicate the Security BCP

Slide 14

Slide 14 text

Thank you!
@aaronpk
aaronpk.com
oauth.wtf