oauth 2 0 for browser based apps
play

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David - PowerPoint PPT Presentation

Feb 29, 2024 •277 likes •386 views

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

  1. OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity

  2. Purpose • Best Current Practices Document • Builds mostly on • RFC 8252 - OAuth 2.0 for Native Apps • I-D oauth-security-topics - OAuth 2.0 Security BCP

  3. What is a Browser-Based App • Application code delivered to and run inside a browser • Single Page Application (SPA) • Progressive Web Application (PWA) • This BCP is around how to support these applications as OAuth Public Clients

  4. Similarities to AppAuth • Public Client • Authorization Code flow • Recommend against Implicit • PKCE • Ownership of HTTPS URLs • justification to persist consent

  5. How do they differ? • Running sandboxed inside user agent • No reason to prefer an external user agent • Actually: external user agent conflicts with multiple local browsers • Same Origin security model - require exceptions using CORS • Greater potential for malicious code injection and tra ffi c capture • XSS, third party script loading, site compromise, service workers • Recommend Content-Security-Policy

  6. No Implicit • In addition to the Security Topics BCP: • Supporting the implicit flow requires additional code and a di ff erent set of security considerations • Browser and Native apps versions/packaging should not require two di ff erent OAuth flows • id_token in front channel must be signature verified, which clients might skip. Delivery over backchannel is more secure by default.

  7. URL Ownership as (weak) Client Authentication • Using the Authorization Code Flow • Code can only be delivered to redirect URL owned by the application • Used to justify: • Cached consent • Requires HTTPS URL schemes only • Client cannot have custom scheme or localhost redirect URIs

  8. Refresh Tokens • Current guidance is that the AS should not issue refresh tokens • due to fears of token theft • Would like to change to give more (and possibly general) guidance • Lack of token binding (or alternatives) hurts implementors

  9. Architectural Alternatives • “When you could avoid using OAuth” • Di ffi cult line for guidance - telling people to punt on well-defined security recommendations/considerations for simplicity • May use cookie instead of access tokens - HttpOnly, SameSite • Same domain, first-party apps • OAuth-handling component • Back-end API for doing OAuth flow • Front-end reverse proxy authenticating and applying OAuth

  10. Eventual Wishes • Sender constrained / PoP mechanism for browsers • General (non-FUD) guidance on token lifetime policy • General guidance on policy geared toward public / confidential clients • not based on client implementation technology • Guidance against localhost/custom URL • External User Agent UX

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol hGp://www.w3.org/2011/iden4ty-ws/papers/idbrowser2011_submission_32.pdf Hannes Tschofenig, Barry Leiba, Blaine Cook,

434 views • 8 slides
What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based Computing NOT good pen based apps! Richard Anderson CSE 481 B Winter 2007 What is a good UI? How do you measure it? Mechanical Properties

208 views • 8 slides
OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
Hej! @ryguyrg ABOUT ME Developed web apps for 5 years including e-commerce, business

Hej! @ryguyrg ABOUT ME Developed web apps for 5 years including e-commerce, business

Hej! @ryguyrg ABOUT ME Developed web apps for 5 years including e-commerce, business workflow, more. Worked at Google for 8 years on Google Apps, Cloud Platform Technologies: Python, Java, BigQuery, Oracle, MySQL, OAuth

791 views • 60 slides
How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones

How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones

How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones ijones@tozny.com November 13, 2019 @SyntaxPolice https://tozny.com When we think of driving safety We address both the road and the car.

446 views • 42 slides
OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc

869 views • 42 slides
Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop &

Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop &

Oculus Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop & Browser VR Apps Have Long Engagement Times How? Did they do something special? Uncomfortable Yet Still Compelling Content High

362 views • 6 slides
REST-GSS Authentication for HTTP Apps, Browser and Otherwise Nicolas Williams

REST-GSS Authentication for HTTP Apps, Browser and Otherwise Nicolas Williams

REST-GSS Authentication for HTTP Apps, Browser and Otherwise Nicolas Williams nico@cryptonector.com Cryptonector, LLC HTTP Authentication Challenges Use multiple, existing authentication infrastructures, even concurrently on a site

367 views • 16 slides
OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

* OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF 95, Buenos Aires April 2016 1 Document Status Current draft addresses WGLC feedback See

423 views • 8 slides
LAKC - 9th Annual IP CLE: US TM Apps and Registrations based on Foreign Apps and Registrations

LAKC - 9th Annual IP CLE: US TM Apps and Registrations based on Foreign Apps and Registrations

2/23/2017 LAKC - 9th Annual IP CLE: US TM Apps and Registrations based on Foreign Apps and Registrations A Review of Issues associated with Identifications and Use Kent Erickson and Timothy Feathers Two Filing Bases for US Owners A US

426 views • 13 slides
The SciTokens Authorization Model: JSON Web Tokens & OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens & OAuth Jim Basney

The SciTokens Authorization Model: JSON Web Tokens & OAuth Jim Basney <jbasney@ncsa.Illinois.edu> Brian Bockelman <bbockelm@cse.unl.edu> This material is based upon work supported by the National S cience Foundation under Grant

379 views • 20 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

draft-fett-oauth-dpop-03 OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106 Singapore Nov 2019 Brian Campbell (presenter, co-author, workation photographer) John Bradley (co-author of sorts) Torsten

407 views • 19 slides
OAuth 2.0 authorization using blockchain-based tokens Nikos Fotiou, Iakovos Pittaras, Vasilios

OAuth 2.0 authorization using blockchain-based tokens Nikos Fotiou, Iakovos Pittaras, Vasilios

OAuth 2.0 authorization using blockchain-based tokens Nikos Fotiou, Iakovos Pittaras, Vasilios A. Siris, Spyros Voulgaris, George C. Polyzos Resource sharing Authorization Client Resource owner Resource storage Resource access Resource

1.11k views • 18 slides
Lessons learned from six years of cloud technology transformation in government David Turner

Lessons learned from six years of cloud technology transformation in government David Turner

Lessons learned from six years of cloud technology transformation in government David Turner Managing Director, MSC Digital MSC Digital Independent and vendor agnostic Formed specifically to assist the UK Public Sector - Its

386 views • 19 slides
Was I supposed to Mix the Was I supposed to Mix the Security in Before I Baked It? Security in

Was I supposed to Mix the Was I supposed to Mix the Security in Before I Baked It? Security in

Was I supposed to Mix the Was I supposed to Mix the Security in Before I Baked It? Security in Before I Baked It? Security Beyond the Clich Security Beyond the Clich W. Brandon Martin W. Brandon Martin Deconstructed Security, LLC

307 views • 28 slides
Enterprise Storage Architecture Fall 2019 Storage Efficiency Tyler Bletsch Duke University Two

Enterprise Storage Architecture Fall 2019 Storage Efficiency Tyler Bletsch Duke University Two

ECE566 Enterprise Storage Architecture Fall 2019 Storage Efficiency Tyler Bletsch Duke University Two views of file system usage User data view: How large are my files? (bytes -used metric) or How much capacity am I given?

749 views • 35 slides
VFIO, OVMF, GPU, and You The state of GPU assignment in QEMU/KVM Alex Williamson /

VFIO, OVMF, GPU, and You The state of GPU assignment in QEMU/KVM Alex Williamson /

VFIO, OVMF, GPU, and You The state of GPU assignment in QEMU/KVM Alex Williamson / alex.williamson@redhat.com The current state of VGA assignment VGA assignment defined: Graphics card assigned as primary graphics for the VM Uses VGA BIOS for

688 views • 29 slides
Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief Open Source Officer Sun Microsystems http://www.webmink.net/ Systems Middleware Cloud 3 1 Third Wave? Stallman Software Freedoms Use

1.31k views • 87 slides
FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual

FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual

1 Charlotte, North Carolina Tuesday, October 11, 2011 FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual Cyber Security Symposium Tuesday, October 11, 2011 Charlotte, North Carolina John Linkous |

488 views • 26 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
The electroweak effective field theory

The electroweak effective field theory

The electroweak effective field theory from on-shell amplitudes (KMI) /

565 views • 25 slides

More recommend