1. OAuth Security 4 Dummies
OAuth 2.0 Security Best Current Practice
Hannes Tschofenig, Torsten Lodderstedt
IIW#27
Oct 25 2018
2. What is it?
● Comprehensive overview of open OAuth security topics
● Complements and enhances RFC 6819
● Based on experiences gathered since publication of RFC 6749, 6750 & 6819
○ Implementation weaknesses and anti-patterns
○ OAuth is used in much more dynamic setups than originally anticipated
○ Much broader set of use cases, a lot of them with much higher security requirements
● Systematically captures and discusses these security topics and respective mitigations
● Recommends security best current practice
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-08
4. Recommendations
● Exact redirect URI matching at AS (token leakage, mix-up)
● Avoid any redirects or forwards that can be parameterized by URI query parameters (open redirection, token/code leakage)
● One-time use tokens carried in the STATE parameter for XSRF prevention
● AS-specific redirect URIs (mix-up)
● Clients shall use PKCE (or nonce) to prevent code injection/replay
● Use of TLS-based methods for sender-constrained access tokens (token replay)
● Use end-to-end TLS whenever possible (token leakage)
● Access Token Privileges Restriction: resource server, resource, actions
5. Token Leakage and Implicit
● token binding
● code w/ PKCE or nonce
● OpenID Connect with response type "token id_token" and the "nonce" parameter
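The three recommendations that can be shown in code (exact redirect URI matching at the AS, a one-time STATE value against XSRF, and PKCE with S256 to stop code injection and replay, which is also the "code w/ PKCE" mitigation on the token-leakage slide) are exercised below. This is an added example written for this page, not code from the slides, the draft, or its authors; the `AuthorizationServer` and `ClientSession` classes, the client id `app1` and the `client.example` URIs are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# --- Client side: PKCE (RFC 7636), S256 method ------------------------------
def make_code_verifier() -> str:
    """High-entropy code_verifier: 32 random bytes -> 43 unreserved characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

# --- Authorization server side (constructed toy AS) ------------------------
class AuthorizationServer:
    def __init__(self, clients: dict):
        self.clients = clients        # client_id -> list of registered redirect URIs
        self.codes = {}               # authorization code -> issuance record

    def redirect_uri_allowed(self, client_id: str, redirect_uri: str) -> bool:
        # Exact string comparison only: no prefix match, no pattern, no normalisation.
        return any(redirect_uri == r for r in self.clients.get(client_id, []))

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  method: str = "S256") -> str:
        if not self.redirect_uri_allowed(client_id, redirect_uri):
            raise ValueError("redirect_uri does not exactly match a registered URI")
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "code_challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str, redirect_uri: str, code_verifier: str) -> dict:
        record = self.codes.pop(code, None)        # one-time use: a replayed code is gone
        if record is None:
            raise ValueError("unknown or already redeemed code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), record["code_challenge"]):
            raise ValueError("PKCE verification failed (injected or stolen code)")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

# --- Client side: one-time STATE bound to the browser session ---------------
class ClientSession:
    def __init__(self):
        self.pending = {}             # state -> code_verifier awaiting the callback

    def new_state(self, verifier: str) -> str:
        state = secrets.token_urlsafe(16)
        self.pending[state] = verifier
        return state

    def consume_state(self, state: str):
        # Unknown or already-used state -> None, and the callback must be rejected.
        return self.pending.pop(state, None)

def fails(fn) -> bool:
    """True if the call is rejected with ValueError."""
    try:
        fn()
        return False
    except ValueError:
        return True

def run_demo() -> dict:
    """Run the legitimate flow plus the attacks each check is meant to stop."""
    as_ = AuthorizationServer({"app1": ["https://client.example/cb"]})
    session = ClientSession()
    cb = "https://client.example/cb"

    verifier = make_code_verifier()
    state = session.new_state(verifier)
    code = as_.authorize("app1", cb, code_challenge_s256(verifier))
    stored_verifier = session.consume_state(state)          # callback: check state first
    token = as_.token("app1", code, cb, stored_verifier)
    results = {"legit_ok": "access_token" in token}

    # Replaying the same code, or the same callback state, is rejected.
    results["replay_rejected"] = fails(lambda: as_.token("app1", code, cb, stored_verifier))
    results["state_reuse_rejected"] = session.consume_state(state) is None

    # A code bound to one verifier cannot be redeemed with a different one.
    other_code = as_.authorize("app1", cb, code_challenge_s256(make_code_verifier()))
    results["injection_rejected"] = fails(
        lambda: as_.token("app1", other_code, cb, make_code_verifier()))

    # Anything but the exact registered redirect_uri is refused up front.
    loose = [cb + "/", cb + "?x=1", cb + "/../other", "http://client.example/cb"]
    results["loose_redirect_rejected"] = all(
        fails(lambda u=u: as_.authorize("app1", u, code_challenge_s256(verifier))) for u in loose)
    return results

if __name__ == "__main__":
    print(run_demo())
```

The AS pops the code from its store before verifying anything, so a failed redemption attempt also burns the code; combined with the constant-time challenge comparison and the exact `redirect_uri` equality check, this is the order of checks the recommendations above imply.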