![Page 1: OAuth2(– Ready(or(not?( · 2019. 9. 3. · @leastprivilege" 36 JSONWebToken(JWT) " JSONWebEncrypon(JWE) JSON"Web"Signatures"(JWS)" JSON"Web"Algorithms"(JWA)" …](https://reader036.vdocuments.us/reader036/viewer/2022081601/60fd456f5a3f344e574e71d0/html5/thumbnails/1.jpg)
Dominick Baier http://leastprivilege.com @leastprivilege
OAuth2 – Ready or not?
2 @leastprivilege
Dominick Baier
• Security consultant at thinktecture
• Focus on
  – security in distributed applications
  – identity management
  – access control
  – Windows/.NET security
  – cloud computing
• Microsoft MVP for Developer Security
• [email protected]
• http://leastprivilege.com
think mobile!
Agenda
• Overview & use cases
• Concerns & controversies
What is OAuth2?
History
• OAuth started circa 2007
• 2008 – IETF normalization started
• 2010 – RFC 5849 defines OAuth 1.0
• 2010 – WRAP (Web Resource Authorization Profiles) proposed by Microsoft, Yahoo! and Google
• 2010 – OAuth 2.0 work begins in IETF
• Working deployments of various drafts & versions at Google, Microsoft, Facebook, Github, Twitter, Flickr, Dropbox…
• Mid 2012 – Lead author and editor resigned & withdrew his name from all specs
• October 2012 – RFC 6749, RFC 6750
High level overview
(diagram: Resource Owner, Client, Resource Server)
OAuth2: The Players
(diagram: Resource Owner, Client (confidential/public, trusted/untrusted), Authorization Server, Resource Server; the labelled relationships are "owns" a resource, uses, trusts, authorizes, is registered with, accesses)
OAuth2 Flows
• Authorization Code Flow – Web application clients
  1. Request authorization
  2. Request token
  3. Access resource
• Implicit Flow – Native / local clients
  1. Request authorization & token
  2. Access resource
• Resource Owner Password Credential Flow – Trusted clients
  1. Request token
  2. Access resource
"3-legged OAuth"
"2-legged OAuth"
Authorization Code Flow (Web Application Clients)
(diagram: Web Application (Client), Resource Server, Resource Owner)
Step 1a: Authorization Request
(diagram: Web Application (Client), Authorization Server, Resource Owner)
GET /authorize?
    client_id=webapp&
    redirect_uri=https://webapp/cb&
    scope=resource&
    response_type=code&
    state=123
Consent
http://zachholman.com/2011/01/oauth_will_murder_your_children/
Step 1b: Authorization Response
(diagram: Web Application (Client), Authorization Server, Resource Owner)
GET /cb?
    code=xyz&
    state=123
Step 2a: Token Request
(diagram: Web Application (Client), Authorization Server, Resource Owner)
POST /token
Authorization: Basic (client_id:secret)

grant_type=authorization_code&
code=xyz
Step 2b: Token Response
(diagram: Web Application (Client), Authorization Server, Resource Owner)
{
  "access_token"  : "abc",
  "expires_in"    : "360",
  "token_type"    : "Bearer",
  "refresh_token" : "xyz"
}
Step 3: Resource Access
(diagram: Web Application (Client), Resource Owner, Resource Server)
GET /resource
Authorization: Bearer access_token
JSON Web Token (JWT)
Header:
{ "typ": "JWT", "alg": "HS256" }
Claims:
{ "iss": "http://myIssuer", "exp": "1340819380", "aud": "http://myResource", "name": "alice", "role": "foo,bar" }
Compact serialization (Header.Claims.Signature):
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
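The compact serialization above is what arrives in the Authorization header, and a resource server has to turn it back into claims it can trust. As an added example, not from the slides, here is a minimal HS256 issue/verify pair using only Python's standard library: it pins the algorithm, checks the HMAC with a constant-time compare, and only then validates iss, aud and exp. The key is constructed for the demo; the claims are the ones on the slide. Note that the sample string on the slide begins with eyJhbGciOiJub25lIn0, which decodes to {"alg":"none"}; a verifier that lets the token pick its own algorithm would accept such a token unsigned, which is why verify_jwt rejects anything but the configured algorithm before it looks at the signature.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values. HS256 is a shared-key MAC, so issuer and resource
# server must hold the same high-entropy secret, exchanged out of band.
SECRET = b"constructed-demo-secret-do-not-reuse"
SAMPLE_CLAIMS = {"iss": "http://myIssuer", "exp": "1340819380",
                 "aud": "http://myResource", "name": "alice", "role": "foo,bar"}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: header.claims.signature with an HMAC-SHA256 tag."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: Optional[int] = None) -> dict:
    """Resource-server side: return the claims or raise ValueError.

    Order matters: pin the algorithm before checking the signature, and check
    the signature before trusting any claim.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never let the token choose the algorithm: "none" (unsigned) and anything
    # other than the configured HS256 is rejected before the signature is looked at.
    if header.get("alg") != "HS256":
        raise ValueError("unacceptable alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this resource")
    # The slide writes exp as a string; accept int or digit string (seconds since epoch).
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims
```

The audience check is what stops a token minted for one resource server from being replayed at another; the expiry check is what bounds the damage when a bearer token leaks.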
(Step 4: Refreshing the Token)
(diagram: Web Application (Client), Resource Owner, Authorization Server)
POST /token
Authorization: Basic (client_id:secret)

grant_type=refresh_token&
refresh_token=xyz
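Steps 1 to 4 above, run end to end as an added example that is not from the slides: an in-memory authorization server and a confidential web-application client in Python, with the checks each side owes the other (exact match of redirect_uri against the registered allow-list before any redirect, client authentication at /token, single-use codes and refresh tokens, and a per-request random state that the client verifies on the callback). The client registration, secret and token lifetime are constructed for the demo, and the resource endpoint lives in the same class only so that everything runs in one process.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration; a real authorization server keeps this per
# client. The redirect_uris set is the allow-list checked in Step 1a.
CLIENTS = {"webapp": {"secret": "s3cret", "redirect_uris": {"https://webapp/cb"}}}
TOKEN_LIFETIME = 360   # the expires_in value used on the slides

def _params(query: str) -> dict:
    """Flatten a query string to single values (first occurrence wins)."""
    return {k: v[0] for k, v in parse_qs(query).items()}

class AuthorizationServer:
    """In-memory /authorize and /token; the resource endpoint is folded in so
    the whole example runs in one process."""
    def __init__(self):
        self.codes = {}           # code -> (client_id, redirect_uri, scope, owner)
        self.access_tokens = {}   # token -> (client_id, scope, owner, expires_at)
        self.refresh_tokens = {}  # token -> (client_id, scope, owner)
    def authorize(self, query: str, owner: str, consented: bool) -> str:
        """Steps 1a/1b: validate, then build the redirect back to the client."""
        q = _params(query)
        client = CLIENTS.get(q.get("client_id"))
        # Exact allow-list match BEFORE redirecting anywhere, or the code leaks to an arbitrary site.
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        back = {"state": q.get("state", "")}   # state is echoed back unchanged
        if q.get("response_type") != "code":
            back["error"] = "unsupported_response_type"
        elif not consented:
            back["error"] = "access_denied"
        else:
            back["code"] = secrets.token_urlsafe(16)
            self.codes[back["code"]] = (q["client_id"], q["redirect_uri"], q.get("scope", ""), owner)
        return q["redirect_uri"] + "?" + urlencode(back)
    def token(self, client_id: str, client_secret: str, form: dict) -> dict:
        """Steps 2a/2b and 4: authenticate the client, redeem a single-use code or refresh token."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if form.get("grant_type") == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)   # pop: a code is redeemable once
            if entry is None or entry[0] != client_id or entry[1] != form.get("redirect_uri"):
                raise PermissionError("invalid_grant")
            _, _, scope, owner = entry
        elif form.get("grant_type") == "refresh_token":
            entry = self.refresh_tokens.pop(form.get("refresh_token"), None)   # rotate on use
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant")
            _, scope, owner = entry
        else:
            raise PermissionError("unsupported_grant_type")
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access_tokens[access] = (client_id, scope, owner, time.time() + TOKEN_LIFETIME)
        self.refresh_tokens[refresh] = (client_id, scope, owner)
        return {"access_token": access, "expires_in": TOKEN_LIFETIME,
                "token_type": "Bearer", "refresh_token": refresh}
    def resource(self, authorization: str, required_scope: str) -> str:
        """Step 3: the resource server's check of the bearer token."""
        scheme, _, token = authorization.partition(" ")
        entry = self.access_tokens.get(token)
        if scheme != "Bearer" or entry is None or entry[3] < time.time() or required_scope not in entry[1].split():
            raise PermissionError("invalid_token")
        return "resource of " + entry[2]

class WebAppClient:
    """The confidential web application client of the slides."""
    def __init__(self, auth_server, client_id="webapp", secret="s3cret", redirect_uri="https://webapp/cb"):
        self.srv, self.client_id, self.secret, self.redirect_uri = auth_server, client_id, secret, redirect_uri
        self.pending_states = set()   # one random state per login attempt (CSRF protection)
    def start_login(self) -> str:
        """Step 1a: the query string the browser is sent to /authorize with."""
        state = secrets.token_urlsafe(8)
        self.pending_states.add(state)
        return urlencode({"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                          "scope": "resource", "response_type": "code", "state": state})
    def callback(self, redirect_url: str) -> dict:
        """Step 1b: bind the response to our own request via state, then do Step 2."""
        p = _params(urlsplit(redirect_url).query)
        if p.get("state") not in self.pending_states:
            raise PermissionError("state mismatch: not a response to a request we made")
        self.pending_states.discard(p["state"])
        if "error" in p:
            raise PermissionError(p["error"])
        return self.srv.token(self.client_id, self.secret, {"grant_type": "authorization_code",
                              "code": p.get("code"), "redirect_uri": self.redirect_uri})

def run_flow(consented: bool = True) -> str:
    """Drive Steps 1 to 4 end to end and return the protected resource."""
    srv = AuthorizationServer()
    app = WebAppClient(srv)
    redirect = srv.authorize(app.start_login(), "alice", consented)   # 1a -> 1b
    tokens = app.callback(redirect)                                    # 2a -> 2b
    tokens = srv.token(app.client_id, app.secret,                      # 4
                       {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"]})
    return srv.resource("Bearer " + tokens["access_token"], "resource")   # 3
```

run_flow() returns the protected resource when the owner consents and raises PermissionError carrying the OAuth2 error code when the owner declines; the individual entry points can be called directly to see the unregistered redirect_uri, forged state and code-replay cases rejected.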
Client Management (e.g. Flickr)
Client Management (e.g. Dropbox)
Implicit Flow (Native / Local Clients)
(diagram: Resource Owner, Client)
Step 1a: Authorization Request
(diagram: Resource Owner, Client, Authorization Server, Resource Server)
GET /authorize?
    client_id=nativeapp&
    redirect_uri=http://localhost/cb&
    scope=resource&
    response_type=token&
    state=123
Step 1b: Token Response
(diagram: Resource Owner, Client, Authorization Server, Resource Server)
GET /cb#
    access_token=abc&
    expires_in=3600&
    state=123
Step 2: Resource Access
(diagram: Resource Owner, Client, Resource Server)
GET /resource
Authorization: Bearer access_token
Resource Owner Password Credential Flow (Trusted Application)
(diagram: Resource Owner, Client, Resource Server)
Step 1a: Token Request
(diagram: Resource Owner, Client, Authorization Server, Resource Server)
POST /token
Authorization: Basic (client_id:secret)

grant_type=password&
scope=resource&
username=owner&
password=password
Step 1b: Token Response
(diagram: Resource Owner, Client, Authorization Server, Resource Server)
{
  "access_token"  : "abc",
  "expires_in"    : "360",
  "token_type"    : "Bearer",
  "refresh_token" : "xyz"
}
Step 2: Resource Access
(diagram: Resource Owner, Client, Resource Server)
GET /resource
Authorization: Bearer access_token
Concerns & Controversies
artwork by @ChrisMCarrasco
Eran Hammer
• http://hueniverse.com/2010/09/oauth-bearer-tokens-are-a-terrible-idea/
• http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/
• http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
• OAuth2: Looking back and moving on – https://vimeo.com/52882780
Core (proposed standards):
• The OAuth2 Authorization Framework (RFC 6749)
• OAuth2 Bearer Token Usage (RFC 6750)
Informational:
• Threat Model and Security Considerations (RFC 6819)
Related specifications:
• JSON Web Token (JWT), JSON Web Encryption (JWE), JSON Web Signatures (JWS), JSON Web Algorithms (JWA)
• OAuth2 Resource Set Registration, Dynamic Client Registration, User-Managed Access, Chaining and Redelegation, Metadata & Introspection
• Assertion Framework for OAuth2, JWT Bearer Token Profiles, SAML 2.0 Bearer Token Profiles, Token Revocation, MAC Tokens
• OpenID Connect, http://openid.net/specs/openid-connect-…: basic-1_0-23.html, implicit-1_0-06.html, messages-1_0-15.html, standard-1_0-16.html, discovery-1_0-12.html, registration-1_0-14.html, session-1_0-11.html
http://datatracker.ietf.org/wg/oauth/
Bearer Token: A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).
Developers & SSL
Infrastructure & SSL
http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/
Security Theater
https://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp
OAuth2 for Authentication
• OAuth2 is for authorization – authentication is a prerequisite for that
• What many people really want is: – let's use OAuth2 for authentication
  • "Sign-in with social provider X"
  • → especially mobile apps
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
OAuth2 for Authentication: Request
(diagram: Resource Owner, Client, Authorization Server, UserInfo RS)
GET /authorize?
    client_id=nativeapp&
    redirect_uri=http://localhost/cb&
    scope=userinfo&
    response_type=token&
    state=123
OAuth2 for Authentication: Response
(diagram: Resource Owner, Client, Authorization Server, UserInfo RS)
GET /cb#
    access_token=abc&
    userid=123&
    expires_in=3600&
    state=123
OAuth2 for Authentication: Accessing User Data
(diagram: Resource Owner, Client, UserInfo RS)
GET /userinfo
Authorization: Bearer access_token
→ Firstname, Lastname, Email…
The Problem
1. User logs into malicious app (app steals token) – the app receives userid and access token
2. Malicious developer uses the stolen access token in a legitimate app – presents: access token
→ Impersonated!
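What makes the impersonation possible is that the legitimate app treats "this access token can fetch a profile" as "this user just signed in to me", while the token was in fact issued to a different client. As an added example, not from the slides, the Python below contrasts that vulnerable login with one that first asks the provider which client the token was issued to and rejects tokens issued to anyone else. The provider, its token-info endpoint and all identifiers are constructed stand-ins (real providers differ in how they expose this); OpenID Connect later standardized the same binding as the aud claim of the ID token.

```python
import secrets


class Provider:
    """Constructed stand-in for a social identity provider: it issues access
    tokens to registered clients and serves /userinfo plus a token-info
    endpoint (hypothetical; the real endpoint name varies by provider)."""

    def __init__(self):
        self.tokens = {}  # access_token -> (client_id it was issued to, userid)
        self.profiles = {"123": {"firstname": "Alice", "lastname": "Example",
                                 "email": "alice@example.invalid"}}  # constructed

    def issue(self, client_id: str, userid: str) -> str:
        """Outcome of a successful implicit-flow login through client `client_id`."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (client_id, userid)
        return token

    def userinfo(self, bearer: str) -> dict:
        """Returns the profile for ANY valid token, regardless of who presents it."""
        if bearer not in self.tokens:
            raise PermissionError("invalid_token")
        _, userid = self.tokens[bearer]
        return dict(self.profiles[userid], userid=userid)

    def tokeninfo(self, bearer: str) -> dict:
        """Which client was this token issued to? The question the legitimate app must ask."""
        if bearer not in self.tokens:
            raise PermissionError("invalid_token")
        client_id, userid = self.tokens[bearer]
        return {"client_id": client_id, "userid": userid}


def login_trusting_userinfo(provider: Provider, presented_token: str) -> str:
    """The vulnerable pattern from the slide: a token that yields a profile is taken as a login."""
    return provider.userinfo(presented_token)["userid"]


def login_checking_audience(provider: Provider, presented_token: str, my_client_id: str) -> str:
    """Hardened: only tokens the provider issued to THIS client count as a login here."""
    info = provider.tokeninfo(presented_token)
    if info["client_id"] != my_client_id:
        raise PermissionError("access token was issued to another client")
    return provider.userinfo(presented_token)["userid"]
```

The check is cheap, but it has to happen on the server side of the legitimate app, before a session is created; a check done in the mobile client itself can be bypassed by whoever holds the token.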
(Other recent) Facebook Hacks
• http://www.darkreading.com/blog/240148995/the-road-to-hell-is-authenticated-by-facebook.html
• http://homakov.blogspot.no/2013/02/hacking-facebook-with-oauth2-and-chrome.html
• www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html
Conclusion
• OAuth2 is already widely used on the internet
• It will find its way into your scenarios
• Current implementations are lacking – even by the big guys – let alone the myriad of DIY implementations
• Spec needs some refinement – "basic profile" – MAC tokens
• Very good & balanced view – https://www.tbray.org/ongoing/When/201x/2013/01/23/OAuth