Slide 1

OAuth 2.0 - An Introduction
Samuele Lilli (DonCallisto) - Rimini, Jan 15 2020

Slide 2

WHO AM I?
https://github.com/DonCallisto
https://stackoverflow.com/users/814253/doncallisto
https://labs.madisoft.it/
[email protected]

Slide 3

WE’RE HIRING! https://labs.madisoft.it/entra-nel-team/

Slide 4

https://xkcd.com/936/

Slide 5

● SECRET
● UNIQUE
● RANDOM
● LONG (15+ CHARS)

Slide 6

CHANGE IT REGULARLY!

Slide 7

“Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.” Clifford Stoll

Slide 8

PASSWORD SECURITY IS NOT UNDER YOUR DIRECT CONTROL (YOU CAN’T ASSUME YOUR PASSWORD IS STORED IN A SECURE WAY)

Slide 9

OAuth 2.0

Slide 11

THE ISSUE (OF GIVING YOUR PASSWORD TO A 3rd PARTY)
● Password stored in clear-text.
● Servers are required to support password authentication, despite the security weaknesses inherent in passwords.
● Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
● Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password.
● Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.

Slides 12-15 (same text on each slide)

“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

Slides 18-22 (a login example, built up step by step)

● stackoverflow.com: login with google.com
● google.com: username / password login
● google.com: "stackoverflow.com wants to access your profile" [grant] [deny]
● callback to stackoverflow.com

Slide 23

(The RFC 6749 definition from Slides 12-15, shown again after the example.)

Slide 24

AUTHORIZATION != AUTHENTICATION

Slides 25-27 (same text on each slide)

OpenID CONNECT
“OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” https://openid.net/specs/openid-connect-core-1_0.html

Slide 28

GLOSSARY
Resource Owner: An entity capable of granting access to a protected resource.
Resource Server: The server hosting the protected resources.
Client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics.
Access Token: Credentials used to access protected resources. An access token is a string representing an authorization issued to the client.
Authorization Server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Refresh Token: Credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.

Slides 29-35 (abstract protocol flow, built up one arrow at a time)

CLIENT -> RESOURCE OWNER: AUTHORIZATION REQUEST
RESOURCE OWNER -> CLIENT: AUTHORIZATION GRANT
CLIENT -> AUTHORIZATION SERVER: AUTHORIZATION GRANT
AUTHORIZATION SERVER -> CLIENT: ACCESS TOKEN
CLIENT -> RESOURCE SERVER: ACCESS TOKEN
RESOURCE SERVER -> CLIENT: RESOURCES

Slides 36-42 (refreshing an expired access token, built up one arrow at a time)

CLIENT -> AUTHORIZATION SERVER: AUTHORIZATION GRANT
AUTHORIZATION SERVER -> CLIENT: ACCESS TOKEN & REFRESH TOKEN
CLIENT -> RESOURCE SERVER: ACCESS TOKEN
RESOURCE SERVER -> CLIENT: RESOURCES
CLIENT -> RESOURCE SERVER: ACCESS TOKEN (now expired)
RESOURCE SERVER -> CLIENT: INVALID TOKEN
CLIENT -> AUTHORIZATION SERVER: REFRESH TOKEN
AUTHORIZATION SERVER -> CLIENT: ACCESS TOKEN & (OPTIONAL) REFRESH TOKEN

Slide 43

CLIENT REGISTRATION
● NOT DEFINED BY THE OAUTH SPEC
● SPECIFY CLIENT TYPE (SEE NEXT)
● PROVIDE REDIRECT URIs
● PROVIDE OTHER INFO (APP NAME, LOGO, …)
● CLIENT OBTAINS AN IDENTIFIER (PUBLIC; NEVER USE IT FOR CLIENT AUTHENTICATION!)

Slide 44

CLIENT TYPES
● BASED ON THE ABILITY TO MAINTAIN THE CONFIDENTIALITY OF THEIR CREDENTIALS
● CONFIDENTIAL (backend web app)
● PUBLIC (SPA, native app, …)

Slide 45

OBTAINING AUTHORIZATION
● AUTHORIZATION CODE GRANT
● IMPLICIT GRANT
● RESOURCE OWNER PASSWORD CREDENTIALS
● CLIENT CREDENTIALS

Slide 46

AUTHORIZATION CODE GRANT

Slides 47-58 (authorization code grant, built up one arrow at a time; AUTHE. = authentication)

CLIENT -> USER AGENT: CLIENT ID & REDIRECT URI
USER AGENT -> AUTHORIZATION SERVER: AUTHE. REQ
AUTHORIZATION SERVER -> RESOURCE OWNER: AUTHE. REQ
RESOURCE OWNER -> USER AGENT: USER AUTHE.
USER AGENT -> AUTHORIZATION SERVER: USER AUTHE.
AUTHORIZATION SERVER -> USER AGENT: AUTHORIZATION CODE
USER AGENT -> CLIENT: AUTHORIZATION CODE
CLIENT -> AUTHORIZATION SERVER: AUTHORIZATION CODE & REDIRECT URI
AUTHORIZATION SERVER -> CLIENT: ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

Slides 59-64 (same text on each slide)

AUTHORIZATION REQUEST
GET /authorize?response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=aScope&state=xyz HTTP/1.1
Host: server.example.com

Slide 65

AUTHORIZATION SERVER -> USER AGENT -> CLIENT: AUTHORIZATION CODE

Slides 66-69 (same text on each slide)

AUTHORIZATION RESPONSE
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
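The client side of the two messages above, as an added example (Python, not code from the talk): building the authorization request and checking the redirect that carries the authorization code back. The client_id, redirect_uri, scope, state and code values are the ones on the slides (the RFC 6749 samples); the endpoint URL, the function names and the constructed callback in the main block are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the request and response on the slides (the RFC 6749
# sample client); the endpoint host is the slide's server.example.com.
AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"  # assumption
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.com/cb"


def new_state() -> str:
    """Fresh unguessable value, stored in the user's session before the
    redirect; it ties the callback to the request that started it."""
    return secrets.token_urlsafe(32)


def build_authorization_url(scope: str, state: str) -> str:
    """GET /authorize URL for the authorization code grant. urlencode
    percent-encodes redirect_uri; the slide additionally encodes the dots
    as %2E, which decodes to the same URI."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_authorization_response(location: str, expected_state: str) -> str:
    """Check the URL the user agent was redirected to and return the code.
    Rejects callbacks on a URI other than the registered one, error
    responses, a missing or foreign `state`, and anything but exactly one
    `code`. `state` is compared in constant time."""
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback is not on the registered redirect URI")
    query = parse_qs(parts.query, strict_parsing=True)
    if "error" in query:
        raise ValueError("authorization server error: " + query["error"][0])
    received_state = query.get("state", [""])[0]
    if not secrets.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url("aScope", state))
    # Constructed callback, shaped like the slide's authorization response.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print(parse_authorization_response(callback, state))
```

The `state` check is what stops a code obtained in someone else's browser from being planted into this user's session; the client must generate it per session and never accept a callback without it.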

Slide 70

CLIENT -> AUTHORIZATION SERVER: AUTHORIZATION CODE & REDIRECT URI

Slides 71-75 (same text on each slide)

ACCESS TOKEN REQUEST
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Slide 76

AUTHORIZATION SERVER -> CLIENT: ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

Slides 77-79 (same text on each slide)

ACCESS TOKEN RESPONSE
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
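An added example (Python, not code from the talk) covering the token request on Slides 71-75, the response above, and the refresh exchange of Slides 36-42: building the client-authenticated POST, parsing the JSON into a record with an absolute expiry, and deciding when to use the refresh token. The Basic header on the slide decodes to the RFC 6749 sample client_id and secret, which is where CLIENT_SECRET comes from; the function names and the fixed clock values are assumptions, and the sample response is the slide's JSON embedded as input.

```python
import base64
import json
from urllib.parse import urlencode

# The Basic header on the slide is base64("s6BhdRkqt3:gX1fBat3bV"), i.e. the
# RFC 6749 sample client_id and client_secret; redirect_uri as on the slide.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example.com/cb"

# The slide's access token response, embedded here as sample input.
SAMPLE_TOKEN_RESPONSE = """{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}"""


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication: only a confidential client (one that
    can keep client_secret private, Slide 44) may use this."""
    raw = (client_id + ":" + client_secret).encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _form_headers():
    return {
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
    }


def token_request(code):
    """Headers and form body of the POST /token that exchanges the
    authorization code. redirect_uri must repeat the value sent in the
    authorization request so the server can compare the two."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return _form_headers(), body


def refresh_request(refresh_token):
    """POST /token sent after the resource server answers INVALID TOKEN
    (Slides 40-42); the same client authentication applies."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return _form_headers(), body


def parse_token_response(body, now):
    """Turn the JSON body into a record with an absolute expiry. expires_in
    counts from the moment the response was received, so the clock value is
    passed in rather than read inside (which also keeps this testable)."""
    data = json.loads(body)
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response lacks a required field")
    expires_at = now + int(data["expires_in"]) if "expires_in" in data else None
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": expires_at,
    }


def needs_refresh(token, now, skew=60.0):
    """True when the token is expired or about to expire; refreshing a little
    early avoids sending a token that expires while a request is in flight.
    Without expires_in the client only learns of expiry from INVALID TOKEN."""
    return token["expires_at"] is not None and now + skew >= token["expires_at"]
```

The `Cache-Control: no-store` and `Pragma: no-cache` headers on the slide are there because this response carries credentials; a client should likewise keep the tokens out of logs and shared caches.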

Slide 80

IMPLICIT GRANT

Slides 81-92 (implicit grant, built up one arrow at a time; AUTHE. = authentication)

CLIENT -> USER AGENT: CLIENT ID & REDIRECT URI
USER AGENT -> AUTHORIZATION SERVER: AUTHE. REQ
AUTHORIZATION SERVER -> RESOURCE OWNER: AUTHE. REQ
RESOURCE OWNER -> USER AGENT: USER AUTHE.
USER AGENT -> AUTHORIZATION SERVER: USER AUTHE.
AUTHORIZATION SERVER -> USER AGENT: REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT
USER AGENT -> WEB-HOSTED CLIENT RESOURCE: REDIRECT URI (W/O FRAGMENT)
WEB-HOSTED CLIENT RESOURCE -> USER AGENT: SCRIPT
USER AGENT -> CLIENT: ACCESS TOKEN

Slides 93-98 (same text on each slide)

AUTHORIZATION REQUEST
GET /authorize?response_type=token&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=aScope&state=xyz HTTP/1.1
Host: server.example.com

Slide 99

AUTHORIZATION SERVER -> USER AGENT: REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT
USER AGENT -> WEB-HOSTED CLIENT RESOURCE: REDIRECT URI (W/O FRAGMENT)

Slides 100-105 (same text on each slide)

ACCESS TOKEN RESPONSE
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600

Slide 106

QUESTION TIME

Slide 107

IS THIS GRANT TYPE SECURE?

Slide 108

● Redirect URI missing or improperly validated
● Browser history
● Token injection
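An added example (Python, not code from the talk) for the three bullets above, using the implicit-grant response of Slides 100-105 as input: the server-side redirect URI check done as exact string comparison next to the improper prefix version, a split of the redirect into what the user agent fetches and what only the script sees in the fragment (the part that also lands in browser history), and the minimal acceptance check a script can do. The registration table, the function names and the check logic are assumptions; the client id and URLs are the slides' own.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed registration table: client id from the slides, one registered
# redirect URI per client. A real server loads this from the data collected
# at client registration (Slide 43).
REGISTERED_REDIRECT_URIS = {
    "s6BhdRkqt3": ("https://client.example.com/cb",),
}


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact string comparison, as RFC 6749 section 3.1.2.2 requires when
    the full URI was registered. This is the check behind the first bullet."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def redirect_uri_prefix_check(client_id, redirect_uri):
    """The improper version: treating each registered URI as a prefix. Kept
    only to contrast with the exact match above; any URI that merely starts
    with the registered one passes, so the response can be sent elsewhere."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def split_implicit_response(location):
    """What each party sees after the 302 of the implicit grant. The user
    agent fetches only the part before '#', so the token never reaches the
    web-hosted client resource; the script then reads it from the fragment.
    The full URL, fragment included, is what ends up in the browser history
    (the second bullet)."""
    parts = urlsplit(location)
    fetched_by_user_agent = parts._replace(fragment="").geturl()
    fragment_params = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    return fetched_by_user_agent, fragment_params


def script_accepts_token(fragment_params, expected_state):
    """Minimal client-side acceptance check. `state` ties the response to
    this browsing session, but nothing in the fragment tells the script which
    client the token was issued to: a token minted for another client looks
    the same here, which is the third bullet (token injection)."""
    received_state = fragment_params.get("state", "")
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()):
        return None
    if "access_token" not in fragment_params or "token_type" not in fragment_params:
        return None
    return fragment_params["access_token"]
```

Registering full redirect URIs and comparing them byte for byte is the server-side fix for the first bullet; the other two are properties of the grant itself, which is why the talk moves on to the authorization code grant with PKCE.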

Slide 109

HISTORICAL REASONS FOR THE IMPLICIT GRANT
● Browsers could only change the URL fragment without causing a page reload (no longer true since the History API)
● CORS (the Authorization Code Flow requires a POST at some point)

Slide 110 (the access token request of the authorization code grant, shown again)

ACCESS TOKEN REQUEST
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Slide 111

PKCE TO THE RESCUE! (PROOF KEY FOR CODE EXCHANGE) PRONOUNCED PIXIE

Slide 112

PKCE TO THE RESCUE! (PROOF KEY FOR CODE EXCHANGE) PRONOUNCED PIXIE(s)

Slides 113-114

PKCE TO THE RESCUE! (PROOF KEY FOR CODE EXCHANGE)
(diagram: the AUTHORIZATION CODE GRANT box, with PKCE added on each side of it)

Slide 115

The authorization code grant flow of Slides 47-58, shown again for comparison.

Slide 116 (the same flow with PKCE; AUTHE. = authentication)

CLIENT: GENERATE CODE VERIFIER AND ITS HASH (CODE CHALLENGE)
CLIENT -> USER AGENT: CLIENT ID, REDIRECT URI, CODE CHALLENGE & HASH METHOD
USER AGENT -> AUTHORIZATION SERVER: AUTHE. REQ
AUTHORIZATION SERVER -> RESOURCE OWNER: AUTHE. REQ
RESOURCE OWNER -> USER AGENT: USER AUTHE.
USER AGENT -> AUTHORIZATION SERVER: USER AUTHE.
AUTHORIZATION SERVER -> USER AGENT: AUTHORIZATION CODE
USER AGENT -> CLIENT: AUTHORIZATION CODE
CLIENT -> AUTHORIZATION SERVER: AUTHORIZATION CODE, REDIRECT URI & CODE VERIFIER
AUTHORIZATION SERVER -> CLIENT: ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

Slide 117 (the authorization request without PKCE)

AUTHORIZATION REQUEST
GET /authorize?response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=aScope&state=xyz HTTP/1.1
Host: server.example.com

Slides 118-120 (same text on each slide: the request with the PKCE parameters added)

AUTHORIZATION REQUEST
GET /authorize?response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=aScope&state=xyz&code_challenge=aebe62e61ad1d2c1b4290dd&code_challenge_method=S256 HTTP/1.1
Host: server.example.com

Slide 121 (the access token request without PKCE)

ACCESS TOKEN REQUEST
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Slide 122 (the request with code_verifier added)

ACCESS TOKEN REQUEST
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&code_verifier=abcd
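Both halves of PKCE from Slides 116-122, as an added example (Python, not code from the talk): the client generates the code_verifier and its S256 code_challenge, and an in-memory model of the authorization server stores the challenge next to the code it issues and recomputes it from the verifier presented at the token endpoint. The server class and all function names are assumptions. The slide's code_challenge and code_verifier=abcd are placeholders: RFC 7636 requires a verifier of 43 to 128 characters from the unreserved set, and a conforming server, like the model here, rejects the four-character one. The RFC 7636 Appendix B verifier/challenge pair is used in the test as a known-answer check.

```python
import base64
import hashlib
import secrets
import string

# Allowed code_verifier alphabet and length, RFC 7636 section 4.1.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def b64url_nopad(data):
    """BASE64URL encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier():
    """Client side, before the authorization request: 32 random bytes give a
    43 character verifier, the minimum length the RFC allows. The verifier
    stays with the client; only its hash leaves through the user agent."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(code_verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))); this value,
    with code_challenge_method=S256, goes in the authorization request."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verifier_is_well_formed(code_verifier):
    return 43 <= len(code_verifier) <= 128 and all(c in UNRESERVED for c in code_verifier)


class PkceAuthorizationServer:
    """In-memory model of the server side (constructed for this example)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge, code_challenge_method="S256"):
        """Called when the authorization request is approved: remembers the
        challenge under the freshly issued code."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code, code_verifier):
        """Token endpoint. Returns a token dict, or None when the exchange
        must be refused. The code is consumed on the first attempt, whether
        or not it succeeds, so a code that leaked through the user agent
        cannot be retried with guessed verifiers."""
        entry = self._pending.pop(code, None)
        if entry is None or not verifier_is_well_formed(code_verifier):
            return None
        challenge, method = entry
        expected = code_challenge_s256(code_verifier) if method == "S256" else code_verifier
        if not secrets.compare_digest(expected.encode(), challenge.encode()):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


if __name__ == "__main__":
    server = PkceAuthorizationServer()
    verifier = new_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    print(server.token(code, verifier))
```

Because only the hash travels in the front channel, an intercepted authorization code is useless to anyone who does not also hold the verifier, which is what lets a public client (Slide 44) use the authorization code grant without a client secret.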

Slide 123

OBTAINING AUTHORIZATION
● AUTHORIZATION CODE GRANT
● IMPLICIT GRANT
● RESOURCE OWNER PASSWORD CREDENTIALS
● CLIENT CREDENTIALS

Slide 124

OBTAINING AUTHORIZATION
● AUTHORIZATION CODE GRANT (+PKCE)
● IMPLICIT GRANT
● RESOURCE OWNER PASSWORD CREDENTIALS
● CLIENT CREDENTIALS

Slide 125

WORTH A LOOK...
● AMAZON COGNITO
● OKTA
● AUTH0
● ORY HYDRA

Slide 126

QUESTIONS?

Slide 127

CREDITS
- https://stocksnap.io/photo/SZE0NDYC0F (George Becker)
- https://stocksnap.io/photo/KV6IATK4SM (Emily Morter)
- https://www.iconfinder.com/icons/172626/male_user_icon