SlideShare uma empresa Scribd logo

OAuth 2.0 Security Reinforced

T
Torsten Lodderstedt

The OAuth working group recently decided to discourage use of the implicit grant. But that’s just the most prominent recommendation the working group is about to publish in the upcoming OAuth 2.0 Security Best Current Best Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics), which will elevate OAuth security to the next level. The code flow shall be used with PKCE only and tokens should be sender constraint to just mention a few. Development of this enhanced recommendations was driven by several factors, including experiences gathered in the field, security research results, the increased dynamics and sensitivity of the use cases OAuth is used protect and technological changes. This session will present the new security recommendations in detail along with the underlying rationales.

Tecnologia
1 de 27
Baixar para ler offline
OAuth 2.0 Security Reinforced Dr. Torsten Lodderstedt @tlodderstedt yes® European Identity & Cloud Conference 2019
Who uses OAuth?
The OAuth 2.0 Success Story ● Tremendous adoption since publication as RFC 6749 in 2012 ● Driven by large service providers and OpenID Connect ● Key success factors: simplicity & versatility But: Is it secure?
Security Challenges for OAuth
Implementations … ● [Li et al., 2014] 60 chinese clients, more than half vulnerable to CSRF ● [Yang et al., 2016] Out of 405 clients, 55% do not handle state (CSRF protection) correctly ● [Shebab et al., 2015] 25% of OAuth clients in Alexa Top 10000 vulnerable to CSRF ● [Chen et al., 2014] 89 of 149 mobile clients vulnerable to one or more attacks ● [Wang et al., 2013] Vulnerabilities in Facebook PHP SDK and other OAuth SDKs ● [Sun et al., 2012] 96 Clients, almost all vulnerable to one or more attacks … plus known hacks of
Challenge 1: Implementation Flaws ● We still see many implementation flaws
Challenge 1: Implementation Flaws ● We still see many implementation flaws ● Known anti-patterns are still used ○ Insufficient redirect URI checking (code/token is redirected to attacker) ○ state parameter is not used properly to defend against CSRF ○ …
Challenge 1: Implementation Flaws ● We still see many implementation flaws ● Known anti-patterns are still used ○ Insufficient redirect URI checking (code/token is redirected to attacker) ○ state parameter is not used properly to defend against CSRF ○ … ● Technological changes bring new problems ○ E.g., URI fragment handling in browsers changed → Vulnerability when used with open redirectors Open Redirector: Parameterized, unchecked redirection. E.g.: https://client.example/anything?resume_at=https://evil.example Redirects to https://evil.example
Challenge 2: High-Stakes Environments New Use Cases, e.g., Open Banking, require a very high level of security Also: eIDAS/QES (legally binding electronic signatures) and eHealth Far beyond the scope of the original security threat model!
Challenge 3: Dynamic and Complex Setups Originally anticipated: One trustworthy OAuth provider, statically configured per client Client Resource ServerResource Server Authorization ServerResource Server OAuth Provider
OAuth Provider B Challenge 3: Dynamic and Complex Setups Client Resource ServerResource Server Authorization Server Resource Server Resource Server OAuth Provider C Resource Server Authorization ServerResource Server OAuth Provider A Resource ServerResource Server Authorization Server Resource Server Dynamic relationships Multiple AS/RS per client Today: Not all entities are trustworthy! AS M ix-Up Attack! Found through formal analysis
● OAuth Security Workshop ● New RFC draft: OAuth Security Best Current Practice AS Mix-Up Attack: Fallout #osw2019
OAuth 2.0 Security Best Current Practice RFC ● Currently under development at the IETF ● Refined and enhanced security guidance for OAuth 2.0 implementers ● Complements existing security guidance in RFCs 6749, 6750, and 6819 ● Updated, more comprehensive Threat Model ● Description of Attacks and Mitigations ● Simple and actionable recommendations
The Seven Most Important Recommendations in the OAuth Security BCP
User ① Do not use the OAuth Implicit Grant any longer! GET /authorize?… Redirect to Authorization Server AS/RS User authenticates & consents Redirect to rp.com/authok#access_token=foo23&… Use access_token (Single-Page Apps) Access token available in web application Send access_token (Non-SPA) Use access_token Threat: Access token leakage from web application (XSS, browser history, proxies, operating systems, ...) Threat: Access token replay! Threat: Access token injection! Client
The Implicit Grant ... ● sends powerful and potentially long-lived tokens through the browser, ● lacks features for sender-constraining access tokens, ● provides no protection against access token replay and injection, and ● provides no defense in depth against XSS, URL leaks, etc.! Why is Implicit even in RFC6749? No Cross-Origin Resource Sharing in 2012! ⇒ No way of (easily) using OAuth in SPAs. ⇒ Not needed in 2019! Recommendation “Clients SHOULD NOT use the implicit grant [...]” “Clients SHOULD instead use the response type code (aka authorization code grant type) [...]”
AS/RSUser Use the Authorization Code Grant! GET /authorize?code_challenge=sha256xyz&... Redirect to Authorization Server ... Redirect to rp.com/authok?code=bar42&... POST /token, code=bar42 &code_verifier=xyz... Use access_token Send code Send access_token Mitigation: Sender-Constrained Token E.g., access token bound to mTLS certificate. Mitigation: Single-use Code Double use leads to access token invalidation! Client Mitigation: Proof Key for Code Exchange (PKCE) - Code only useful with code_verifier - Code replay/injection prevented by PKCE.
Authorization Code Grant with PKCE & mTLS … ● protects against code and token replay and injection, ● supports sender-constraining of access tokens, ● provides defense in depth! Recommendation “Clients utilizing the authorization grant type MUST use PKCE [...]” “Authorization servers SHOULD use TLS-based methods for sender-constrained access tokens [...]”
② Prevent Mix-Up Attacks! ● Clients must be able to see originator of authorization response ○ Clients should use a separate redirect URI for each AS ○ Alternative: issuer in authorization response for OpenID Connect ● Clients must keep track of desired AS (“explicit tracking”)
③ Stop Redirects Gone Wild! ● Enforce exact redirect URI matching ○ Simpler to implement on AS side ○ Adds protection layer against open redirection ● Clients MUST avoid open redirectors! ○ Use whitelisting of target URLs ○ or authenticate redirection request
④ Prevent CSRF Attacks! ● RFC 6749 and RFC 6819 recommend use of state parameter ● Updated advice (proposed): ○ If PKCE is used, state is not needed for CSRF protection ○ state can again be used for application state
⑤ Limit Privileges of Access Tokens! ● Sender-constraining (mTLS or HTTP Token Binding) ● Receiver-constraining (only valid for certain RS) ● Reduce scope and lifetime and use refresh tokens - defense in depth!
AS/RSUser Refresh Tokens ... POST /token, code=... Use access_token¹ Send code access_token¹ refresh_token¹ Access Token: Narrow scope and limited lifetime! Access Token expires. POST /token, refresh_token¹ access_token² refresh_token² Use access_token² Client
⑥ Protect Refresh Tokens! ● Attractive target since refresh tokens represent overall grant ● Requirement: Protection from theft and replay ○ Client Binding and Authentication ■ Confidential clients only ○ Sender-Constrained Refresh Tokens ■ mTLS now supports this even for public clients ○ Refresh Token Rotation ■ For public clients unable to use mTLS
⑦ Do not use the R.O.P.C.G.* any longer! *Resource Owner Password Credentials Grant AS/RSUser Username/Password for AS Username/Password for AS Use access_token Send access_token ● Client sees username/password of user ● Complicated or impossible to integrate 2-factor-authentication ● Stopgap solution for migrating to OAuth flows ● Grant name too long, even for Germans ;-) Client
Summary ● OAuth 2.0 implementations often vulnerable ● Protocol needs updated security guidance ○ Protection against new attacks ○ Adaptations to evolving web environment ○ Accounting for new use cases ● New IETF OAuth Security BCP (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) ○ Addresses new and old security vulnerabilities ○ Provides actionable solutions
Q&A! Latest Drafts & Publications OAuth 2.0 Security BCP https://tools.ietf.org/html/draft-ietf-oauth-security-topics OpenID Connect 4 Identity Assurance https://openid.net/specs/openid-connect-4-identity-assurance.html Transaction Authorization or why we need to re-think OAuth scopes https://cutt.ly/oauth-transaction-authorization Cross-Browser Payment Initiation Attack https://cutt.ly/cross-browser-payment-initation JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) https://openid.net/specs/openid-financial-api-jarm-ID1.html OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer https://tools.ietf.org/html/draft-fett-oauth-dpop Dr. Torsten Lodderstedt CTO, yes.com torsten@yes.com @tlodderstedt yes® Talk to me about - Details on attacks and mitigations - The OAuth Security Workshop - Other emerging OAuth & OpenID stuff - Working at yes.com

Recomendados

OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDC
ForgeRock Identity Tech Talks
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
Ishan A B Ambanwela
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
Prabath Siriwardena
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
Oliver Mueller
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 

Recomendados

OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDC
ForgeRock Identity Tech Talks
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
Ishan A B Ambanwela
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
Prabath Siriwardena
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
Oliver Mueller
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4
Aaron Ralls
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
Brian A. McHenry
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
n|u - The Open Security Community
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
JaroslavChmurny
 
Enterprise single sign on
Enterprise single sign onEnterprise single sign on
Enterprise single sign on
Archit Sharma
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
Amar Shah
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
Aidy Tificate
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
Buddhika Karunanayaka
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
Cleo
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark CapturesSSL/TLS Introduction with Practical Examples Including Wireshark Captures
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
 
Enterprise single sign on
Enterprise single sign onEnterprise single sign on
Enterprise single sign on
 
secure socket layer
secure socket layersecure socket layer
secure socket layer
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
 
OAuth
OAuthOAuth
OAuth
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 

Semelhante a OAuth 2.0 Security Reinforced

Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
Matt Raible
 

Semelhante a OAuth 2.0 Security Reinforced (20)

Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 

Mais de Torsten Lodderstedt

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 

Mais de Torsten Lodderstedt (20)

OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
 

Último

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Último (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

OAuth 2.0 Security Reinforced

  • 1. OAuth 2.0 Security Reinforced Dr. Torsten Lodderstedt @tlodderstedt yes® European Identity & Cloud Conference 2019
  • 3. The OAuth 2.0 Success Story ● Tremendous adoption since publication as RFC 6749 in 2012 ● Driven by large service providers and OpenID Connect ● Key success factors: simplicity & versatility But: Is it secure?
  • 5. Implementations … ● [Li et al., 2014] 60 chinese clients, more than half vulnerable to CSRF ● [Yang et al., 2016] Out of 405 clients, 55% do not handle state (CSRF protection) correctly ● [Shebab et al., 2015] 25% of OAuth clients in Alexa Top 10000 vulnerable to CSRF ● [Chen et al., 2014] 89 of 149 mobile clients vulnerable to one or more attacks ● [Wang et al., 2013] Vulnerabilities in Facebook PHP SDK and other OAuth SDKs ● [Sun et al., 2012] 96 Clients, almost all vulnerable to one or more attacks … plus known hacks of
  • 6. Challenge 1: Implementation Flaws ● We still see many implementation flaws
  • 7. Challenge 1: Implementation Flaws ● We still see many implementation flaws ● Known anti-patterns are still used ○ Insufficient redirect URI checking (code/token is redirected to attacker) ○ state parameter is not used properly to defend against CSRF ○ …
  • 8. Challenge 1: Implementation Flaws ● We still see many implementation flaws ● Known anti-patterns are still used ○ Insufficient redirect URI checking (code/token is redirected to attacker) ○ state parameter is not used properly to defend against CSRF ○ … ● Technological changes bring new problems ○ E.g., URI fragment handling in browsers changed → Vulnerability when used with open redirectors Open Redirector: Parameterized, unchecked redirection. E.g.: https://client.example/anything?resume_at=https://evil.example Redirects to https://evil.example
  • 9. Challenge 2: High-Stakes Environments New Use Cases, e.g., Open Banking, require a very high level of security Also: eIDAS/QES (legally binding electronic signatures) and eHealth Far beyond the scope of the original security threat model!
  • 10. Challenge 3: Dynamic and Complex Setups Originally anticipated: One trustworthy OAuth provider, statically configured per client Client Resource ServerResource Server Authorization ServerResource Server OAuth Provider
  • 11. OAuth Provider B Challenge 3: Dynamic and Complex Setups Client Resource ServerResource Server Authorization Server Resource Server Resource Server OAuth Provider C Resource Server Authorization ServerResource Server OAuth Provider A Resource ServerResource Server Authorization Server Resource Server Dynamic relationships Multiple AS/RS per client Today: Not all entities are trustworthy! AS M ix-Up Attack! Found through formal analysis
  • 12. ● OAuth Security Workshop ● New RFC draft: OAuth Security Best Current Practice AS Mix-Up Attack: Fallout #osw2019
  • 13. OAuth 2.0 Security Best Current Practice RFC ● Currently under development at the IETF ● Refined and enhanced security guidance for OAuth 2.0 implementers ● Complements existing security guidance in RFCs 6749, 6750, and 6819 ● Updated, more comprehensive Threat Model ● Description of Attacks and Mitigations ● Simple and actionable recommendations
  • 14. The Seven Most Important Recommendations in the OAuth Security BCP
  • 15. User ① Do not use the OAuth Implicit Grant any longer! GET /authorize?… Redirect to Authorization Server AS/RS User authenticates & consents Redirect to rp.com/authok#access_token=foo23&… Use access_token (Single-Page Apps) Access token available in web application Send access_token (Non-SPA) Use access_token Threat: Access token leakage from web application (XSS, browser history, proxies, operating systems, ...) Threat: Access token replay! Threat: Access token injection! Client
  • 16. The Implicit Grant ... ● sends powerful and potentially long-lived tokens through the browser, ● lacks features for sender-constraining access tokens, ● provides no protection against access token replay and injection, and ● provides no defense in depth against XSS, URL leaks, etc.! Why is Implicit even in RFC6749? No Cross-Origin Resource Sharing in 2012! ⇒ No way of (easily) using OAuth in SPAs. ⇒ Not needed in 2019! Recommendation “Clients SHOULD NOT use the implicit grant [...]” “Clients SHOULD instead use the response type code (aka authorization code grant type) [...]”
  • 17. AS/RSUser Use the Authorization Code Grant! GET /authorize?code_challenge=sha256xyz&... Redirect to Authorization Server ... Redirect to rp.com/authok?code=bar42&... POST /token, code=bar42 &code_verifier=xyz... Use access_token Send code Send access_token Mitigation: Sender-Constrained Token E.g., access token bound to mTLS certificate. Mitigation: Single-use Code Double use leads to access token invalidation! Client Mitigation: Proof Key for Code Exchange (PKCE) - Code only useful with code_verifier - Code replay/injection prevented by PKCE.
  • 18. Authorization Code Grant with PKCE & mTLS … ● protects against code and token replay and injection, ● supports sender-constraining of access tokens, ● provides defense in depth! Recommendation “Clients utilizing the authorization grant type MUST use PKCE [...]” “Authorization servers SHOULD use TLS-based methods for sender-constrained access tokens [...]”
  • 19. ② Prevent Mix-Up Attacks! ● Clients must be able to see originator of authorization response ○ Clients should use a separate redirect URI for each AS ○ Alternative: issuer in authorization response for OpenID Connect ● Clients must keep track of desired AS (“explicit tracking”)
  • 20. ③ Stop Redirects Gone Wild! ● Enforce exact redirect URI matching ○ Simpler to implement on AS side ○ Adds protection layer against open redirection ● Clients MUST avoid open redirectors! ○ Use whitelisting of target URLs ○ or authenticate redirection request
  • 21. ④ Prevent CSRF Attacks! ● RFC 6749 and RFC 6819 recommend use of state parameter ● Updated advice (proposed): ○ If PKCE is used, state is not needed for CSRF protection ○ state can again be used for application state
  • 22. ⑤ Limit Privileges of Access Tokens! ● Sender-constraining (mTLS or HTTP Token Binding) ● Receiver-constraining (only valid for certain RS) ● Reduce scope and lifetime and use refresh tokens - defense in depth!
  • 23. AS/RSUser Refresh Tokens ... POST /token, code=... Use access_token¹ Send code access_token¹ refresh_token¹ Access Token: Narrow scope and limited lifetime! Access Token expires. POST /token, refresh_token¹ access_token² refresh_token² Use access_token² Client
  • 24. ⑥ Protect Refresh Tokens! ● Attractive target since refresh tokens represent overall grant ● Requirement: Protection from theft and replay ○ Client Binding and Authentication ■ Confidential clients only ○ Sender-Constrained Refresh Tokens ■ mTLS now supports this even for public clients ○ Refresh Token Rotation ■ For public clients unable to use mTLS
  • 25. ⑦ Do not use the R.O.P.C.G.* any longer! *Resource Owner Password Credentials Grant AS/RSUser Username/Password for AS Username/Password for AS Use access_token Send access_token ● Client sees username/password of user ● Complicated or impossible to integrate 2-factor-authentication ● Stopgap solution for migrating to OAuth flows ● Grant name too long, even for Germans ;-) Client
  • 26. Summary ● OAuth 2.0 implementations often vulnerable ● Protocol needs updated security guidance ○ Protection against new attacks ○ Adaptations to evolving web environment ○ Accounting for new use cases ● New IETF OAuth Security BCP (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) ○ Addresses new and old security vulnerabilities ○ Provides actionable solutions
  • 27. Q&A! Latest Drafts & Publications OAuth 2.0 Security BCP https://tools.ietf.org/html/draft-ietf-oauth-security-topics OpenID Connect 4 Identity Assurance https://openid.net/specs/openid-connect-4-identity-assurance.html Transaction Authorization or why we need to re-think OAuth scopes https://cutt.ly/oauth-transaction-authorization Cross-Browser Payment Initiation Attack https://cutt.ly/cross-browser-payment-initation JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) https://openid.net/specs/openid-financial-api-jarm-ID1.html OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer https://tools.ietf.org/html/draft-fett-oauth-dpop Dr. Torsten Lodderstedt CTO, yes.com torsten@yes.com @tlodderstedt yes® Talk to me about - Details on attacks and mitigations - The OAuth Security Workshop - Other emerging OAuth & OpenID stuff - Working at yes.com