OAuth 2.1

Transcript

1. What’s on tonight About OWASP What is OAuth? What is

   changing in OAuth 2.1?

2. Thank you for coming.

3. owasp.org

4. A few OWASP highlights…

5. owasp.org

6. zaproxy.org

7. OWASP Juice Shop owasp-juice.shop An intentionally broken web application aimed

   to help learn about vulnerabilities, with hacking challenges of varying difficulty and a leaderboard. Great for teams and individuals.

8. Application Verification Security Standard (ASVS) owasp.org How do you know

   whether you’re doing the right thing when it comes to security? Have you got any blindspots? What’s the right minimum length for passwords?

9. OWASP NZ Day 2024 appsec.org.nz Auckland • AUT City Campus

   Thu 5-Fri 6 Sept $30 or free for students

10. Top 10 owasp.org Web Application Security Risks The Top 10

    is a great starting point for teams beginning their journey to better security. Targeted by security training platforms. Often referenced in security questionnaires and contractors when vendors and buyers are investigating a product or service.
11. None

12. OAuth 2.0 1 the web’s popular auth standard is changing

    Pete Nicholls • @aupajo

13. What is OAuth?

14. Before OAuth The bad old days (e.g. 2005) Connect your

    Twitter account to our app! Your Twitter username Your Twitter password Connect

15. Before OAuth The bad old days (e.g. 2005) Browser Third-

    party app Twitter “Enter your Twitter username and password” 1 Requests data w/ creds 4 Responds w/ data for user 5 User sends credentials 2 3 Stores in plain-text :( Serves tweet timeline (or whatever) 6

16. OAuth User doesn’t have to share their password Sign in

    with Twitter ✔ You’re signed in! access_token “c4f3…”

17. OAuth Authorisation Code Grant flow A typical 2.0 example Browser

    App Authorisation Server Serves “sign in” link 1 User clicks “sign in” 2 Sends credentials 4 Sign in with Twitter Prompts user for credentials 3 Sends redirect with one-time code 6 5 Creds OK

18. OAuth Authorisation Code Grant flow A typical 2.0 example Browser

    App Authorisation Server Follows redirect 7 Sends one- time code + client secret 8 Issues access token 10 Issues session 12 ✔ You’re signed in! 11 Stores access token 9 Checks

19. OAuth Authorisation Code Grant flow A recap Relying Party a.k.a.

    your app Constructs “sign in” link Handles OAuth redirect callback Exchanges one-time code for access token Issues app-level session

20. OAuth Authorisation Code Grant flow A recap Authorisation Server Offers

    “sign in” user experience Handles authentication May offer consent screen Redirects to app with one-time code Issues access token in exchange for one-time code

21. Demo

22. Authorization Code Grant For web and mobile. Lets a user

    authorise directly with the authorisation server. …and the refresh token grant Implicit Grant Used by Single Page Applications (SPAs). Resource Owner Password Credentials Grant Used in cases where the user trusts the application completely (e.g., first-party clients). Client Credentials Grant Used for server-to-server (machine-to-machine) communication where no user is involved. Device Code Grant Used for devices with limited input capabilities (e.g., smart TVs, IoT devices). JWT Bearer Token Grant Used for exchanging a JWT (JSON Web Token) for an access token.

23. Authorization Code Grant For web and mobile. Lets a user

    authorise directly with the authorisation server. …and the refresh token grant Implicit Grant Used by Single Page Applications (SPAs). Resource Owner Password Credentials Grant Used in cases where the user trusts the application completely (e.g., first-party clients). Client Credentials Grant Used for server-to-server (machine-to-machine) communication where no user is involved. Device Code Grant Used for devices with limited input capabilities (e.g., smart TVs, IoT devices). JWT Bearer Token Grant Used for exchanging a JWT (JSON Web Token) for an access token.

24. OAuth is not… Identity (that’s OpenID Connect) JWTs (ditto) (De-)provisioning

    Exclusively user-facing

25. Why is it changing?

26. 2012 The OAuth 2.0 Authorization Framework RFC 6749 Today Perception:

    OAuth was settled years ago 2014 OpenID Connect Core 1.0 RFC 6749 “OAuth? We added that ye ar s ago.”

27. Reality: OAuth continues to evolve 2013 2015 2017 2019 2021

    2021 2023 2012 2014 2016 2018 2020 2022 2024 RFC 6749 - The OAuth 2.0 Authorization Framework RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients RFC 8414 - OAuth 2.0 Authorization Server Metadata RFC 8628 - OAuth 2.0 Device Authorization Grant RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC 8707 - Resource Indicators for OAuth 2.0 RFC 8725 - JSON Web Token Best Current Practices RFC 8898 - Third-Party Token-Based Authentication and Authorization for Session Initiation Protocol (SIP) RFC 9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens RFC 9101 - The OAuth 2.0 Authorization Framework: JWT- Secured Authorization Request (JAR) RFC 9126 - OAuth 2.0 Pushed Authorization Requests RFC 9200 - Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth) RFC 9207 - OAuth 2.0 Authorization Server Issuer Identification RFC 9278 - JWK Thumbprint URI RFC 9207 - OAuth 2.0 Authorization Server Issuer Identification RFC 9396 - OAuth 2.0 Rich Authorization Requests RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP) OpenID Connect Core 1.0 OpenID Connect Discovery 1.0 OpenID Connect Dynamic Client Registration 1.0 RFC 8252 - OAuth 2.0 for Native Apps RFC 9470 - OAuth 2.0 Step Up Authentication Challenge Protocol Not a c om plete list…

28. OAuth 2.1: “let’s tidy up the specs”

29. What’s drafted for 2.1? 🚫 Implicit Grant flow (response_type=token) gone

    🚫 Resource Owner Password Credentials flow (response_type=password) gone 🚫 Bearer tokens are not allowed in URIs 🔒 Redirect URIs must be compared using exact string matches 🔒 Refresh tokens must either be sender-constrained or one-time use 🔒 When implementing the Authorisation Code Grant flow, the PCKE is now required

30. 🚫 Implicit Grant flow (response_type=token) gone 🚫 Resource Owner Password

    Credentials flow (response_type=password) gone

31. Authorization Code Grant For web and mobile. Lets a user

    authorise directly with the authorisation server. …and the refresh token grant Implicit Grant Used by Single Page Applications (SPAs). Resource Owner Password Credentials Grant Used in cases where the user trusts the application completely (e.g., first-party clients). Client Credentials Grant Used for server-to-server (machine-to-machine) communication where no user is involved. Device Code Grant Used for devices with limited input capabilities (e.g., smart TVs, IoT devices). JWT Bearer Token Grant Used for exchanging a JWT (JSON Web Token) for an access token. response_type=token response_type=password

32. 🚫 Bearer tokens are not allowed in URIs GET 200

    /some-service?access_token=abcdef

33. 🔒 Redirect URIs must be compared using exact string matches

    https://app-42.netlify.app/oauth/callback https://app-53.netlify.app/oauth/callback 🚫 https://*.netlify.app/oauth/callback

34. 🔒 Refresh tokens must either be sender-constrained or one-time use

    sender- constrained one-time use Expire refresh tokens so they can’t be exchanged for a fresh access token Ensure the request to refresh came from the client that was issued the refresh token e.g. Demonstrating Proof of Possession DPoP header e.g. Mutual TLS

35. PKCE: Proof Key for Code Exchange Pronounced “pixie” code_verifier Secret

    held by client Secure, random value Must be web-friendly (e.g. Base64 URL-encoded) code_challenge SHA256 of code_verifier, Base64 URL-encoded

36. Browser App Authorisation Server Follows redirect 7 Sends one-time code

    + client secret + code_verifier 8 Issues access token 10 Issues session 12 11 Stores access token 9 Checks ✔ You’re signed in! PKCE: Proof Key for Code Exchange Pronounced “pixie”

37. What’s drafted for 2.1? 🚫 Implicit Grant flow (response_type=token) gone

    🚫 Resource Owner Password Credentials flow (response_type=password) gone 🚫 Bearer tokens are not allowed in URIs 🔒 Redirect URIs must be compared using exact string matches 🔒 Refresh tokens must either be sender-constrained or one-time use 🔒 When implementing the Authorisation Code Grant flow, the PCKE is now required

38. You can do all of these today. Future-proof your apps.

    Improve your security.

39. References https://oauth.net/2.1/ https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1 https://fusionauth.io/blog/whats-new-in-oauth-2-1 https://developer.okta.com/blog/2019/12/13/oauth-2-1-how-many-rfcs https://www.youtube.com/watch?v=g_aVPdwBTfw https://fusionauth.io/articles/oauth/di ff erences-between-oauth-2-oauth-2-1 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-24