Slide 1

TARGETED LOGOUT FOR OAUTH AND OPENID CONNECT
Aaron Parecki
OAuth Security Workshop, August 2023

Slide 2

LOGGING IN

Slide 3

Sign-in form mock-up: username "user12", masked password field (************), "Sign In" button, password strength indicator

Slides 4-8: no text (image-only slides)

Slide 9

LOGGING IN

Slide 10

LOGGING OUT

Slide 11

EXISTING LOGOUT-RELATED SPECS

Spec:
• OIDC Backchannel Logout
• Token Revocation
• CAEP "Session Revoked" Signal

Slide 12

OIDC BACKCHANNEL LOGOUT

Diagram: the Authorization Server sends a Logout Token to each Web App Server.

Slide 13

TOKEN REVOCATION

Diagram: the OAuth Client sends the token to revoke to the Authorization Server.

Slide 14

CAEP "SESSION REVOKED"

Diagram: the Identity Provider sends the Subject Identifier to the Relying Party.

Slide 15

EXISTING LOGOUT-RELATED SPECS

Spec:
• OIDC Backchannel Logout
• Token Revocation
• CAEP "Session Revoked" Signal

Slide 16

EXISTING LOGOUT-RELATED SPECS

Spec / Limitation:
• OIDC Backchannel Logout: "Refresh tokens issued with offline_access SHOULD NOT be revoked"
• Token Revocation: requires a token as input
• CAEP "Session Revoked" Signal: is only a signal, not a command; does not guarantee any outcome

Slide 17

TYPICAL SOCIAL LOGIN FLOW

Slides 18-23: no text (image-only slides)

Slide 24

WHAT SESSIONS + TOKENS ARE CREATED?
• Web login session on accounts.google.com
• Google ID Token

Slide 25

HOW DOES THE APP TALK TO ITS OWN BACKEND?

Diagram: the link between the app and its own backend is marked "?".

Slide 26

https://developers.google.com/identity/sign-in/ios/backend-auth

Slide 27

1. ID Token
2. Access Token

Slides 28-30

Diagram: Google ID Token -> App Server -> Access Token, Session

Slide 31

ENTERPRISE

Slide 32

ENTERPRISE APP ECOSYSTEM

Diagram: the Enterprise IdP is connected to the Chat App and the Video Conferencing App via OpenID Connect, and to the Wiki App and the Payroll App via SAML.

Slide 33

ENTERPRISE APP ECOSYSTEM

Diagram: the Enterprise IdP issues an ID Token to each app's Web Server (Chat App, Video Conferencing App); each Web Server issues Access Tokens + Refresh Tokens to the native apps on the user's devices (iPhone, iPad, Laptop running the Native Chat App and Native Video App).

Slide 34

TYPICAL ENTERPRISE LOGIN FLOW

Slides 35-39: no text (image-only slides)

Slide 40

• Web login session on okta.okta.com
• Slack access + refresh tokens
• ?

Slide 41

FROM THE SAAS DEVELOPER POV: ENTERPRISE IDPS

Diagram: the Chat App connects to several Enterprise IdPs over OpenID Connect and SAML, plus Google Login over OpenID Connect.

Slide 42

FROM THE SAAS DEVELOPER POV: ENTERPRISE IDPS

Diagram: the Chat App Backend API connects to several Enterprise IdPs over OpenID Connect and SAML, plus Google Login over OpenID Connect; the Chat App iOS, Chat App Desktop and Chat App Web clients connect to the Backend API.

Slides 43-44

Diagram: App -> (OpenID Connect) -> App Backend/API -> (OpenID Connect/SAML) -> Enterprise IdP

Slide 45

USE CASES

Slide 46

END-USER USE CASE GAPS
• User lost a device
• User wants to revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices

Slide 47

END-USER USE CASE GAPS
• User discovers suspicious activity from an app
• User wants to revoke all tokens issued to that application across all their devices

Slide 48

ENTERPRISE ADMIN USE CASE GAPS
• User is removed from a group or is terminated
• Given a subject (user) identifier, revoke all sessions and tokens for that user, at the IdP and across all apps
• Optionally distinguish between revoking sessions and revoking offline_access tokens

Slide 49

ENTERPRISE ADMIN USE CASE GAPS
• Application is deprovisioned
• Given a client (application) identifier, revoke all sessions and tokens for all users of the application

Slide 50

ENTERPRISE ADMIN USE CASE GAPS
• User lost a device
• Given a device identifier, revoke all sessions and tokens for only that device, across all applications that are logged in on that device

Slide 51

WHY CAN'T WE DO THIS TODAY?

Diagram: iPhone -> App Backend/API -> Enterprise IdP

Slide 52

WHY CAN'T WE DO THIS TODAY?

Diagram: iPhone, Android, Laptop -> App Backend/API -> Enterprise IdP

Slide 53

WHY CAN'T WE DO THIS TODAY?

Diagram: iPhone -> Chat App Backend/API and Video App Backend/API -> Enterprise IdP

Slide 54

POSSIBLE SOLUTIONS

Slide 55

CLIENT INSTANCE IDENTIFIER

Slide 56

Diagram: Chat App -> (OpenID Connect) -> App Backend/API -> (OpenID Connect/SAML) -> Enterprise IdP, with the same client instance identifier carried on both legs:
/authorize?client_id=iphone&client_instance=123456
/authorize?client_id=chat_app&client_instance=123456

Slide 57

TOKEN EXCHANGE

Slide 58

Diagram (Chat App, App Backend/API, Enterprise IdP): OpenID Connect between the Chat App and the App Backend/API; Access Token + Refresh Token; ID Token; Token Exchange between the App Backend/API and the Enterprise IdP.

Slide 59

Diagram (Chat App, App Backend/API, Enterprise IdP): OpenID Connect between the Chat App and the App Backend/API; Access Token + Refresh Token; ID Token (+ optional Refresh Token); Token Exchange between the App Backend/API and the Enterprise IdP.
Configuration Query: email=aaron.parecki@enterprise.example
IDP Config: issuer, client_id, redirect_uri

Slide 60

CONTEXT IS NOW AVAILABLE AT THE ENTERPRISE IDP

Slide 61

USE CASE GAPS
• User lost a device
• Revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices
• POST /revoke
  client_instance=123456

Slide 62

REVOKE ALL APPS FOR A USER

Diagram: iPhone, Android, Laptop -> App Backend/API -> Enterprise IdP, selected by client_instance

Slide 63

USE CASE GAPS
• Application is deprovisioned
• Revoke all sessions and tokens for all users of a specific application
• POST authorization-server.com/revoke
  client_id=chat_app

  POST example-app.com/revoke
  client_id=ios

Slide 64

REVOKE AN APP

Diagram: iPhone, Android, Laptop -> App Backend/API -> Enterprise IdP, selected by client_id

Slide 65

NEEDS
• Client Instance Identifier
• Management API (provides confirmation of revocation)
• ID Token Exchange
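Added example, not part of the slides: a small in-memory model of an authorization server that contrasts the existing token-input revocation (slide 16, RFC 7009 style) with the selector-based management API the deck asks for (slides 48-50 and 61-65). `client_instance` is the per-install identifier proposed on slide 56, not a standard OAuth parameter; the `Grant`, `AuthorizationServer`, `revoke_where` and `run_scenario` names, the user names and the device identifiers are constructed for this example. `include_offline_access=False` models the slide 48 option of revoking sessions while leaving offline_access refresh tokens alone, which is also the backchannel-logout behaviour quoted on slide 16.

```python
# Added example (not from the slides): targeted logout at an authorization
# server, revoking by subject, client_id or client_instance instead of by
# token value. client_instance is the slide-56 proposal, not a standard field.
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Grant:
    """One issued artifact: a login session, an access token or a refresh token."""
    token: str
    sub: str              # subject (user) identifier
    client_id: str        # application identifier
    client_instance: str  # hypothetical per-device / per-install identifier (slide 56)
    kind: str             # "session", "access" or "refresh"
    offline_access: bool  # True only for refresh tokens issued with offline_access
    revoked: bool = False


class AuthorizationServer:
    def __init__(self) -> None:
        self._grants: list[Grant] = []
        self._seq = count(1)

    def _issue(self, sub: str, client_id: str, client_instance: str,
               kind: str, offline: bool) -> str:
        tok = f"{kind}-{next(self._seq)}"
        self._grants.append(Grant(tok, sub, client_id, client_instance, kind, offline))
        return tok

    def login(self, sub: str, client_id: str, client_instance: str,
              offline_access: bool = False) -> dict:
        """Result of one login: a web session at the IdP plus an access token,
        and a refresh token only when offline_access was granted."""
        issued = {
            "session": self._issue(sub, client_id, client_instance, "session", False),
            "access_token": self._issue(sub, client_id, client_instance, "access", False),
        }
        if offline_access:
            issued["refresh_token"] = self._issue(sub, client_id, client_instance, "refresh", True)
        return issued

    def revoke_token(self, token: str) -> bool:
        """RFC 7009 style revocation: the caller must hold the token value itself.
        (A real endpoint answers 200 even for unknown tokens; the bool is for the model.)"""
        for g in self._grants:
            if g.token == token and not g.revoked:
                g.revoked = True
                return True
        return False

    def revoke_where(self, *, sub: Optional[str] = None, client_id: Optional[str] = None,
                     client_instance: Optional[str] = None,
                     include_offline_access: bool = True) -> int:
        """Proposed management-style revocation: revoke every live grant matching all
        given selectors and return the count as confirmation of what was revoked."""
        if sub is None and client_id is None and client_instance is None:
            raise ValueError("at least one selector is required")
        revoked = 0
        for g in self._grants:
            if g.revoked:
                continue
            if sub is not None and g.sub != sub:
                continue
            if client_id is not None and g.client_id != client_id:
                continue
            if client_instance is not None and g.client_instance != client_instance:
                continue
            if not include_offline_access and g.offline_access:
                continue  # leave offline_access refresh tokens alone (slide 16 / 48)
            g.revoked = True
            revoked += 1
        return revoked

    def active(self, **selectors: str) -> list[str]:
        """Tokens still valid that match the given selectors (same keys as revoke_where)."""
        return [g.token for g in self._grants
                if not g.revoked and all(getattr(g, k) == v for k, v in selectors.items())]


def run_scenario() -> dict:
    """Walk the deck's use cases over constructed logins; returns what each step revoked."""
    az = AuthorizationServer()
    alice_phone_chat = az.login("alice", "chat_app", "iphone-111", offline_access=True)
    az.login("alice", "video_app", "iphone-111")
    az.login("alice", "chat_app", "laptop-222", offline_access=True)
    az.login("bob", "video_app", "laptop-333")

    result = {}
    # Existing spec: token revocation needs the token value in hand, and only hits that token.
    result["rfc7009_known"] = az.revoke_token(alice_phone_chat["access_token"])
    result["rfc7009_repeat"] = az.revoke_token(alice_phone_chat["access_token"])
    # Slide 50 / 61: user lost the iPhone -> everything issued to that device, every app.
    result["lost_device"] = az.revoke_where(client_instance="iphone-111")
    result["alice_left"] = len(az.active(sub="alice"))          # laptop login survives
    # Slide 49 / 63: video_app deprovisioned -> all users of that client.
    result["deprovision_app"] = az.revoke_where(client_id="video_app")
    # Slide 48: alice terminated; sessions first, then offline_access tokens too.
    result["terminate_sessions_only"] = az.revoke_where(sub="alice", include_offline_access=False)
    result["alice_offline_left"] = len(az.active(sub="alice"))  # the laptop refresh token
    result["terminate_all"] = az.revoke_where(sub="alice")
    result["bob_left"] = len(az.active(sub="bob"))
    return result
```

The counts returned by `revoke_where` are the "confirmation of revocation" the slide 65 management API calls for: an admin revoking a lost device can see that the laptop login was untouched, and revoking a terminated user in two steps shows exactly which offline_access tokens were left behind by the first step.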

Slide 66

LET'S TALK! Unconference session!
Contact: aaron@parecki.com
https://linkedin.com/in/aaronparecki