Recent Evolutions in the Oauth 2.0 and Openid Connect Landscape

Recent Evolutions in the Oauth 2.0 and Openid Connect Landscape

RECENT EVOLUTIONS IN THE OAUTH 2.0 AND OPENID CONNECT LANDSCAPE DR. PHILIPPE DE RYCK https://Pragmatic Web Security.com DR. PHILIPPE DE RYCK - Deep understanding of the web security landscape - Google Developer Expert (not employed by Google) - Course curator of the SecAppDev course (https://secappdev.org) Pragmatic Web Security High-quality security training for developers and managers Custom courses covering web security, API security, Angular security, … Consulting services on security, Oauth 2.0, OpenID Connect, … @PHILIPPEDERYCK @PhilippeDeRyck HTTPS://PRAGMATICWEBSECURITY.COM2 User authentication Read & write data @PhilippeDeRyck 3 User authentication Read & write data @PhilippeDeRyck 4 User authentication Read & write data @PhilippeDeRyck 5 OpenID Connect User authentication Read & write data OAuth 2.0 @PhilippeDeRyck 6 OpenID Connect User authentication Read & write data Read data OAuth 2.0 OAuth 2.0 @PhilippeDeRyck 7 Results in an identity token and access token User authentication Read & write data Read data Uses an access Uses an access token token @PhilippeDeRyck 8 OAUTH 2.0 AND OPENID CONNECT OpenID Connect provides user authentication OAuth 2.0 allows a client to access resources on behalf of the user Modern applications use a combination of both protocols @PhilippeDeRyck 9 THE OIDC HYBRID FLOW 5 Request client authorization 3 Authenticate yourself 4 Login credentials 6 Authorize client Authorization code 10 11 Access token / refresh token Redirect for with client credentials authentication 2 Redirect with 7 authorization code and identity token 1 Request access 12 Access resource 8 Authorization code and identity token 13 Protected resource @PhilippeDeRyck Authenticate user with identity token 9 10 THE REFRESH TOKEN FLOW Refresh token 1 2 Access token & refresh token with client credentials 3 Access resource 4 Protected resource @PhilippeDeRyck 11 THE OIDC HYBRID FLOW • Clients are backend applications running in a "secure" environment • The hybrid flow returns an identity token, access token and refresh token • Identity tokens are issued through the frontchannel, along with an authorization code • The authorization code can be exchanged for an access token and refresh token • Using the authorization code requires client authentication • Refresh tokens allow the client to obtain a new access token • Using a refresh token requires client authentication @PhilippeDeRyck 12 The hackers were able to steal some of our Facebook “ and Twitter access tokens from our users. “ 13 THE DANGER OF BEARER TOKENS 5 Request client authorization 3 Authenticate yourself 4 Login credentials Access tokens are bearer 6 Authorize client tokens, allowing immediate abuse upon theft Authorization code 10 11 Access token / refresh token Redirect for with client credentials authentication 2 Redirect with 7 authorization code and identity token 1 Request access 12 Access resource 8 Authorization code and identity token 13 Protected resource @PhilippeDeRyck Authenticate user with identity token 9 14 BINDING TOKENS TO TLS CERTIFICATES 5 Request client authorization 3 Authenticate yourself 4 Login credentials 6 Authorize client Authorization code 10 11 Access token bound to the TLS certificate / Redirect for with mTLS refresh token authentication 2 Redirect with 7 authorization code and identity token Access resource 12 1 Request access with mTLS 8 Authorization code and identity token 13 Protected resource @PhilippeDeRyck Authenticate user with identity token 9 15 { "sub": "[email protected]", "aud": "https://api.example.com", "azp": "RandomClientID", "iss": "https://authorizationserver.example.com/", "exp": 1419356238, "iat": 1419350238, "scope": "read write", "jti": "405b4d4e-8501-4e1a-a138-ed8455cd1d47", "cnf":{ "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2" } } @PhilippeDeRyck 16 PROOF-OF-POSSESSION FOR ACCESS TOKENS Many confidential clients still rely on bearer access tokens The confidential client can authenticate with a TLS certificate The TLS certificate can be used to enable token binding @PhilippeDeRyck 17 THE OIDC HYBRID FLOW 5 Request client authorization Mobile applications cannot 3 Authenticate yourself handle client credentials in a secure way 4 Login credentials 6 Authorize client Authorization code 10 11 Access token / refresh token Redirect for with client credentials authentication 2 Redirect with 7 authorization code and identity token 1 Request access 12 Access resource 8 Authorization code and identity token 13 Protected resource @PhilippeDeRyck Authenticate user with identity token 9 18 THE OIDC HYBRID FLOW 5 Request client authorization Malicious applications can 3 Authenticate yourself intercept the authorization code and exchange it 4 Login credentials 6 Authorize client Authorization code 10 11 Access token / refresh token Redirect for without client credentials authentication 2 Redirect with 7 authorization code and identity token 1 Request access 12 Access resource 8 Authorization code and identity token 13 Protected resource @PhilippeDeRyck Authenticate user with identity token 9 19 THE OIDC HYBRID FLOW WITH PKCE 7 Request client authorization 5 Authenticate yourself Store code challenge 6 Login credentials 4 8 Authorize client 13 Match code challenge to verifier Authorization code 12 14 Access token / refresh token Redirect for with code verifier authentication 3 Redirect with 9 authorization code and identity token 1 Generate code verifier 2 Request access 15 Access resource 10 Authorization code and identity token 16 Protected resource @PhilippeDeRyck Authenticate user with identity token 11 20 THE OIDC HYBRID FLOW WITH PKCE • Mobile applications are public clients • The lack of client authentication exposes the authorization code to attacks • The Proof-Key-for-Code-Exchange addition keeps the authorization code secure • PKCE essentially acts as a one-time password for each individual client • Prevents the abuse of a stolen authorization code • Mobile applications can use refresh tokens if they store them securely • Refresh tokens do not require authentication, so are bearer tokens • Only good place to store is in the OS's secure application storage @PhilippeDeRyck 21 THE DANGER OF BEARER TOKENS Access and refresh tokens are 7 Request client authorization bearer tokens, allowing 5 Authenticate yourself immediate abuse upon theft Store code challenge 6 Login credentials 4 8 Authorize client 13 Match code challenge to verifier Authorization code 12 14 Access token / refresh token Redirect for with code verifier authentication 3 Redirect with 9 authorization code and identity token 1 Generate code verifier 2 Request access 15 Access resource 10 Authorization code and identity token 16 Protected resource @PhilippeDeRyck Authenticate user with identity token 11 22 BINDING TOKENS TO TLS CERTIFICATES ON PUBLIC CLIENTS 7 Request client authorization 5 Authenticate yourself Store code challenge 6 Login credentials 4 8 Authorize client 13 Match code challenge to verifier Authorization code 12 14 mTLS-bound access token & refresh token Redirect for with code verifier & mTLS authentication 3 Redirect with 9 authorization code and identity token 1 Generate code verifier Access resource 15 2 Request access with mTLS 10 Authorization code and identity token 16 Protected resource @PhilippeDeRyck Authenticate user with identity token 11 23 PROOF-OF-POSSESSION IN MOBILE CLIENTS Each client instance generates its own certificate The client uses the self-signed certificate during TLS connections The authorization server ties the tokens to the client certificate @PhilippeDeRyck 24 THE OIDC IMPLICIT FLOW 5 Request client authorization 3 Authenticate yourself 4 Login credentials 6 Authorize client Redirect for authentication 2 Redirect with 7 access token and identity token 1 Request access 10 Access resource 8 access token and identity token 11 Protected resource @PhilippeDeRyck Authenticate user with identity token 9 25 THE OIDC IMPLICIT FLOW 5 Request client authorization 3 Authenticate yourself 4 Login credentials 6 Authorize client Access token in URL and Redirect for browser history authentication 2 Redirect with 7 access token and identity token 1 Request access 10 Access resource 8 access token and identity token 11 Protected resource @PhilippeDeRyck Authenticate user with identity token 9 26 THE OIDC HYBRID FLOW WITH PKCE 7 Request client authorization 5 Authenticate yourself Store code challenge 6 Login credentials 4 8 Authorize client 14 Match code challenge to verifier Authorization code 12 13 Access token Redirect for with code verifier authentication 3 Redirect with 9 authorization code and identity token 1 Generate code verifier 2 Request access 15 Access resource 10 Authorization code and identity token 16 Protected resource @PhilippeDeRyck Authenticate user with identity token 11 27 THE OIDC HYBRID FLOW WITH PKCE 7 Request client authorization Re-running the flow allows the re-use of the user's 5 Authenticate yourself session Store code challenge 6 Login credentials 4 8 Authorize client 14 Match code challenge to verifier Web applications cannot Authorization code 12 13 Access token store a refresh token in a Redirect for with code verifier authentication 3 secure location Redirect with 9 authorization code and identity token 1 Generate code verifier 2 Request access 15 Access resource 10 Authorization code and identity token 16 Protected resource @PhilippeDeRyck Authenticate user with identity token 11 28 THE OIDC HYBRID FLOW WITH PKCE Refresh token lifetime is 7 Request client authorization linked

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    35 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us