THE MANY LAYERS OF OAUTH D. Keith Casey Jr [email protected] @CaseySoftware 

WHO AM I? 

WHO AM I? 

WHO AM I? http://TheAPIDesignBook.com 

AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors @CaseySoftware 

AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors @CaseySoftware 

ASSUMPTIONS • Security is an important part of your job • You are probably using OAuth • You might be building OAuth servers • All the specs drive you nuts @CaseySoftware 

ASSUMPTIONS • Nothing is perfect • You make mistakes • Your providers make mistakes • That other team are all knuckleheads • Your team is great though @CaseySoftware 

btw, I mean OAuth 2.0 @CaseySoftware 

AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors @CaseySoftware 

HOTEL KEY CARDS BUT FOR APPS @CaseySoftware 

TO PUT IT ANOTHER WAY • Sharing access without sharing creds (aka delegation) • Granting limited access (aka scoping & expiration) • Separating policy decisions from enforcement @CaseySoftware 

BUT THIS DOESN’T SOLVE IDENTITY @CaseySoftware 

WAIT, WHAT? @CaseySoftware 

AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors @CaseySoftware 

AUTHENTICATION VS AUTHORIZATION • Authentication aka AuthN • Who are you? • Authorization aka AuthZ • Are you allowed to do that? @CaseySoftware 

BACK TO THE SPEC @CaseySoftware 

AUTH CODE GRANT TYPE (there are other grant types, not important atm) Credit: https://developer.okta.com @CaseySoftware 

WHAT ABOUT THOSE TOKENS? @CaseySoftware 

What about a JWT !? (aka JSON Web Token) @CaseySoftware 

JWT SPECIFICATION @CaseySoftware 

JWT SPECIFICATION @CaseySoftware 

ENTER OPENID CONNECT @CaseySoftware 

ADD ANOTHER SPEC @CaseySoftware 

OPINIONATED STRUCTURE • Scopes • openid • profile • email • address • phone • Claims • name • given_name • email • street_address • phone_number • and lots more @CaseySoftware 

AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors @CaseySoftware 

THE ENDPOINTS • /authorize • /token • JWT • /introspect • /revoke • /logout • /keys • /userinfo • /.well-known/openid-configuration • /.well-known/oauth-authorization-server • RFC 6749 - OAuth Core • RFC 6749 - OAuth Core • RFC 7519 - JSON Web Token • RFC 7662 - Token Introspection • RFC 7009 - Token Revocation • ????? • ???? • OpenID Connect Specification • Draft - OpenID Provider Metadata Spec • Draft - Auth Server Metadata spec 

AGENDA • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors @CaseySoftware 

COMPONENTS Credit: https://developer.okta.com 1 2 3 4 @CaseySoftware 

COMPONENTS Credit: https://developer.okta.com 1 2 3 4 @CaseySoftware 

COMPONENTS Credit: https://developer.okta.com 1 2 3 4 @CaseySoftware 

COMPONENTS Credit: https://developer.okta.com 1 2 3 4 @CaseySoftware 

COMPONENTS Credit: https://developer.okta.com 1 2 3 4 @CaseySoftware 

0. THE USER @CaseySoftware 

RECAP • Assumptions • What problems are we solving? • AuthN vs AuthZ all the things • The Specifications • Threat/Attack Vectors @CaseySoftware 

THE MANY LAYERS OF OAUTH D. Keith Casey Jr [email protected] @CaseySoftware