o h h auth th
play

O H! H! Auth th Implementation pitfalls & the auth providers - PowerPoint PPT Presentation

Oct 30, 2022 •139 likes •724 views

H! H! O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it @samitanwer1 samit.anwer@gmail.com C: C:\>whoami Samit Anwer Product Security Team @Citrix Web/Mobile App Security Enthusiast

  1. H! H! O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it @samitanwer1 samit.anwer@gmail.com

  2. C: C:\>whoami • Samit Anwer • Product Security Team @Citrix • Web/Mobile App Security Enthusiast • Spoken @: • SecurityFest (Gothenburg, Sweden) 2019, • DEFCON China (Beijing) 2018, • BlackHat Asia (Singapore) 2018, • AppSec USA (Orlando, USA) 2017, • CodeBlue (Tokyo, Japan) 2017

  3. Agenda • OAuth – What and Why? • Access & Identity tokens • OAuth Grant Types • OAuth flow for Native (Mobile) Apps • Attacks & Mitigations – 1. Authorization code interception attack 2. CSRF 3. Client open redirects 4. Phishing using user’s trust in AS 5. Mix-up attack • Q/A

  4. Disclaimer Disclaimer • Ideas presented are personal • Ideas presented are personal • Some content borrowed from • Brian David Campbell’s slides on “ OAuth 2.0 and Mobile Devices ”, • Some content borrowed from • Auth0 & • Brian David Campbell’s slides on “ OAuth 2.0 and • the RFC documents Mobile Devices ”, • Auth0 & the RFC documents • Don’t kill me for my humour! • I am a Marvel fan! Expect some references to • I am a Marvel fan! Expect some references to ‘Avengers: Infinity War’ ‘Avengers: Infinity War’

  5. LinkedIn wants to fetch your contacts from Gmail. LinkedIn asks your Gmail password Why OAuth? Why OAuth?

  6. Knowledge of your Gmail password allows LinkedIn to do everything What Access can’t be revoked from LinkedIn without revoking access from all other 3 rd problems do parties you observe with this LinkedIn would be required to store your Gmail credentials approach? Google will be required to support password based authentication

  7. Why OAuth? Enter OAuth Protocol for delegating authorization supported by web, desktop and native apps Knowledge of your Gmail password allows LinkedIn to do everything Scope of access granted to a 3 rd party can be 1. constrained Access can’t be revoked from LinkedIn without revoking access from all other 3 rd parties Access granted to a specific 3 rd party is 2. revocable LinkedIn would be required to store your Gmail credentials Avoids sharing of creds with 3 rd party 3. Google will be required to support password based authentication 4. Foundation for an authentication protocol

  8. • Resource Owner : entity that can grant access to a protected resource, e.g. End-User • Client/Application/Relying Party (RP) : application requesting access to a protected resource on behalf of the Resource Owner , e.g. LinkedIn Actors • Resource Server : the server hosting the protected resources, e.g. Gmail • Authorization Server : the server that authenticates the Resource Owner & issues Access Tokens after getting proper authorization, e.g. Google • User Agent : the agent used by the Resource Owner to interact with the application, e.g. browser

  9. Client Registration • You must register the client/application/RP with the auth/identity service Before we AS Client 1. Generates App name, website, logo & a redirect URI begin…. Client ID & Client Secret 2. Stores Client ID & Client Secret Client ID , redirect URI mapping • Client ID is public info and is used to build login URLs • Client Secret must be kept confidential • If a deployed app cannot keep the secret confidential (like SPA, native app) then the secret is not used

  10. OAuth in a nutshell Google (AS) Stack Exchange (Client/Application/RP) 5. Access Token to client’s redirect URI /token 4. Request Token /authorize 6. Request resource with 3. Authorization Code 2. User Token to client’s redirect URI Authorizes 1. Initiate RS Authorization 1. Initiate Request Authorization request End-user

  11. Open ID Connect Stack Exchange Google (AS) (Client/Application/RP) 5. Access & ID Token to client’s redirect URI /token 4. Request Token /authorize 2. User Authorizes 3. Authorization Code to client’s redirect URI 1. Initiate 1. Initiate Authorization Authorization Request request End-user

  12. A sample access token A sample ID token (JWT) payload Access Token Identity Token eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXki LCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIyYzNkYzZmNTNlNTI0N mQzYWZhNDIwZDgyMTg5YTk2YyIsInN1YiI6IjlhYzJkNzA 0LTI1NDAtNDlkNi05ZjJlLTQ4ZThlYWIyODE4MCIsInNjb3 Is typically opaque (a.k.a. bearer token) The ID Token is a JWT BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJvYXV0aF9za G93Y2FzZV9hdXRob3JpemF0aW9uX2NvZGUiLCJjaWQi OiJvYXV0aF9zaG93Y2FzZV9hdXRob3JpemF0aW9uX2Nv It conveys authentication status & user ZGUiLCJhenAiOiJvYXV0aF9zaG93Y2FzZV9hdXRob3Jpem It conveys authorization identity info. like the user's name, email, etc. F0aW9uX2NvZGUiLCJncmFudF90eXBlIjoiYXV0aG9yaXp hdGlvbl9jb2RlIiwidXNlcl9pZCI6IjlhYzJkNzA0LTI1NDAtND lkNi05ZjJlLTQ4ZThlYWIyODE4MCIsIm9yaWdpbiI6InVhY It is consumed by the client for UI display It is consumed by the resource server SIsInVzZXJfbmFtZSI6Im1hcmlzc2EiLCJlbWFpbCI6Im1hc mlzc2FAdGVzdC5vcmciLCJhdXRoX3RpbWUiOjE0Njk4N DY3NjIsInJldl9zaWciOiJiZTU0OTFkYyIsImlhdCI6MTQ2OT g0Njg3NiwiZXhwIjoxNDY5ODkwMDZSJdfQ.1AXtzNGdW XL77i7TqeZOYfMbP4CT8pMnqBihmvg8woY.eyJqdGkiOi IyYzNkYzZmNTNlNTI0NmQzYWZhNDIwZDgyMTg5YTk2Y yIsInNSI6Im1hcmlzc2EiLCJlbWFpbCI6Im1hcmlzc2FAdG VzdC5vcmciLCJhdXRoX3RpbWUiOjE0Njk4NDY3NjIsInJld l9zaWciOiJiZTU0OTFkYyIsImlhdCI6MTQ2OTg0Njg3Niwi ZXhwIjoxNDY5ODkwMDc2LCJpc3MiOiJodHRwOi8vbG9j YWxob3N0

  13. Authorization Implicit Grant Code Grant OAuth Grants Types Resource Owner Client Password Credentials Credential Grant Grant

  14. Resource Server Authorization Server Supervises access to Has Wants Resource Owner Client/Application/Relying Party The Real Actors

  15. 1. Authorization Code Grant Resource Authorization Resource Client / Application / RP Owner Server Server Access Resource Unauthorized Give me approval Authenticate & Grant Authorization /authorize Send Authorization Code Exchange code with client credentials for token /token Send Token Access protected resource (with token) Send resource

  16. Authorization Au Auth thorization Code Grant Request (ACG) Response Tok oken Ex Exch change Request Advantages of ACG Provides the ability to authenticate the client Response Transmission of access token to client without passing it through Browser Ref: https://aaronparecki.com/oauth-2-simplified/

  17. 2. Implicit Grant Resource Authorization Resource Client/ Application/ RP Owner Server Server Access Resource Unauthorized Give me approval Authenticate & Grant Authorization /authorize Send Authorization Code Exchange code with client credentials for token /token Send Token /authorize Access protected resource (with token) Send resource

  18. Implicit Grant Au Auth thorization Request Disadvantages of Implicit Grant No client authentication Response Access token can end up in Browser history Access token leakage through Referrer header Ref: https://aaronparecki.com/oauth-2-simplified/

  19. 1. Client initiates authorization request 2. End-user authenticates & approves the requested access OAuth for Mobile clients/ 3. Server returns control to the app & includes an auth. code Native apps (RFC-8252) 4. The auth. code is traded for access token & refresh token 5. Protected APIs invoked using the access token

  20. Google 1. Request Authorization • When user needs to access some protected resource, client opens a browser and sends user to the authorization endpoint Stack Exchange

  21. Google 2. Authenticate and Approve • The AS authenticates the user Stack Exchange

  22. Google Approve • User approves the request Stack Exchange

  23. Google 3. Handle Callback • Server returns control to the app via HTTP redirection and includes an authorization code Stack Exchange Custom URI Scheme

  24. Google 3. Handle Callback Stack Exchange • Registering a custom URI scheme

  25. 4. Trade code for token • Token Endpoint Request • Token Endpoint Response

  26. 5. Using an access token • Once an access token is obtained, it can be used to authorize calls to the protected resources at the RS by including it in HTTP Authorization header

  27. Agenda – What have we covered? • OAuth – What and Why? • Access & Identity tokens • OAuth Grant Types • OAuth with Native (Mobile) Apps • Attacks & Mitigations – 1. Authorization code interception attack 2. CSRF 3. Client open redirects 4. Phishing using user’s trust in AS 5. Mix-up attack • Q/A

  28. Attacks & Mit itigations 1. Authorization code intercept attack on mobile clients/native apps

  29. Authorization code intercept attack Preconditions • "client_secret" is not provisioned • Attacker manages to install malicious app on device • Attacker manages to register the same custom URI scheme used by legitimate app Img. Ref.: RFC-7636

  30. Mitigation 1. Handle redirections carefully • Avoid Custom URI Scheme Redirection There is no naming authority • Use Claimed HTTPs Scheme URI Redirection The identity of the destination app is guaranteed by the OS to the authorization server

  31. Mitigation ( continued ) 2. Use Proof Key for Code Exchange (PKCE) with apps that use custom URI scheme Code Challenge <= t(code_verifier) (CC) Generate code_verifier Is CC = t(code_verifier)? Malicious Store Client where: t(code_verifier) = code challenge t_m = code challenge method RFC-7636

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh Department of European Educational Programmes 1 Moebius - AUTh, Greece Main challenges of mobility management 1. Large volume of bilateral agreements

483 views • 30 slides
Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

CSS441 Introduction Functions Auth. with Encryption Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

673 views • 21 slides
Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2

Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2

Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2 learning management systems in AUTh centra eClass blackboard moodle 3 timeline of transition September 2014 March 2014 eLearning on

526 views • 16 slides
Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

336 views • 30 slides
General LTL Specification Mining Caroline Lemieux , Dennis Park and Ivan Beschastnikh University

General LTL Specification Mining Caroline Lemieux , Dennis Park and Ivan Beschastnikh University

login attempt auth failed login attempt guest login login attempt authorized Texada auth failed login attempt G( x XF y ) login attempt G( guest login XF authorized ) guest login authorized auth failed login attempt Authorized

1.11k views • 59 slides
Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI

Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI

Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI RIENC NCE!!! JUST ST 2 25 MINU INUTES f fro rom DO DOWNTOWN SA SAN ANTONI NIO Guests Choose fro rom one of our r thre ree Uniq ique

187 views • 16 slides
Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni

Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni

HMC2016 4th Historic Mortars Conference Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni Ioanna Professor AUTH Stefanidou Maria Associate Professor AUTH Palyvou Clairy Emeritus Professor AUTH Pachta

95 views • 5 slides
Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co

Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co

Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co Co-found under er - Inspi pired ed Esca capes pes Founder der - The e Philanth lanthropy y Club b London on In every rything thing I do I

326 views • 16 slides
Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications

Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications

Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications and Systems Group Dept. of Mechanical E ngineering Aristotle University of Thessaloniki kkara@ eng.auth.gr , http:/ / isag.meng.auth.gr

1.56k views • 107 slides
Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.)

Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.)

chiPSet Training School, September 2017, Novi Sad, Serbia Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.) (papadopo@csd.auth.gr, http://datalab.csd.auth.gr/~apostol) Data Science &amp; Engineering Lab Department of

934 views • 81 slides
Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems

Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems

Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems Group Dept. of Mechanical E ngineering A ristotle University of Thessalonik i k k ara@ eng.auth.gr , http:/ / isag.meng.auth.gr Contents Part A:

983 views • 76 slides
An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth

An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth

An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth thors: Presentatio ion: Dasu, T., Krishnan, S., Vincent Chu Venkatasubramanian, S., 22 November 2017 &amp; Yi, K. (2006). Content Introduction

512 views • 48 slides
An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data

An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data

An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data Engineering Lab Department of Informatics Aristotle University of Thessaloniki Thessaloniki Greece 1 Outline What is Spark? Basic features

951 views • 64 slides
CMC's &amp; The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris

CMC's &amp; The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris

CMC's &amp; The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris ised? CMR Regulated Seeking out persons who may have a claim Referring details of a claim or potential claim or potential claimant to another

96 views • 7 slides
Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor

Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor

Collaborative restoration Workshop april, 2016 Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor Restorati tion on Rebecca B cca Barn rnar ard National Forestry Programs Manager

669 views • 21 slides
45nm High-k + Metal Gate Strain-Enhanced Transistors C. Auth, A. Cappellani, J.-S. Chun, A.

45nm High-k + Metal Gate Strain-Enhanced Transistors C. Auth, A. Cappellani, J.-S. Chun, A.

45nm High-k + Metal Gate Strain-Enhanced Transistors C. Auth, A. Cappellani, J.-S. Chun, A. Dalis, A. Davis, T. Ghani, G. Glass, T. Glassman, M. Harper, M. Hattendorf, P. Hentges, S. Jaloviar, S. Joshi, J. Klaus, K. Kuhn, D. Lavric, M. Lu, H.

1.17k views • 42 slides
Access and forward- looking charges London and Glasgow Workshops 28 February 2018 Agenda

Access and forward- looking charges London and Glasgow Workshops 28 February 2018 Agenda

Access and forward- looking charges London and Glasgow Workshops 28 February 2018 Agenda Overview of the Electricity 13:00 - 13:20 Network Access Project Linking the options for change 13:20 - 14:50 large users Breakout 14:50 - 15:10

504 views • 39 slides
Collaborative Ontology Development with Protg Tania Tudorache, Natasha Noy Jennifer

Collaborative Ontology Development with Protg Tania Tudorache, Natasha Noy Jennifer

Collaborative Ontology Development with Protg Tania Tudorache, Natasha Noy Jennifer Vendetti, Timothy Redmond Stanford Center for Biomedical Informatics Tutorial at the Protg conference 2009 Amsterdam, June 23, 2009 Outline

878 views • 57 slides
Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or multithreaded programs Caused by different threads of control operating in unpredictable fashion When programmer thought theyd work in a

649 views • 21 slides
The Ponder Policy Specification Language Markus Lorch CS 6204, Spring 2005 1 Motivation

The Ponder Policy Specification Language Markus Lorch CS 6204, Spring 2005 1 Motivation

The Ponder Policy Specification Language Markus Lorch CS 6204, Spring 2005 1 Motivation (security) management for large scale IT systems challenging topic - number of components in enterprise-wide networks and distributed systems is high

366 views • 14 slides
Issuing temporary credentials for MySQL using Hashicorp Vault Walter Heck - CTO at OlinData

Issuing temporary credentials for MySQL using Hashicorp Vault Walter Heck - CTO at OlinData

Issuing temporary credentials for MySQL using Hashicorp Vault Walter Heck - CTO at OlinData Percona Live Europe 2017 Sounds familiar? Hey, Jane Doe from that department youve never heard of wants to do some analysis and she needs

692 views • 21 slides
openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem - More Client Devices per-Human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs arent fun - Legacy Solutions

788 views • 32 slides
Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2 and OpenID Connect to Science Gateways https://tools.ietf.org/html/rfc6749 Three Layers of Science Gateway Cyberinfrastructure Tenants Resources

813 views • 43 slides
Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with

Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with

Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with Open Source Yiannis Yiakoumis, Co-Founder &amp; CEO, Selfie Networks Work with Nick McKeown (Stanford), Frode Sorensen (NKOM)

506 views • 29 slides

More recommend