1.
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OAuth 2.0 & Security
Considerations
Vaibhav Gupta
Twitter: @VaibhavGupta_1
Blog: exploits.workDelhi Chapter Meet – 30 July 2016

2.
OWASP 2
Agenda
Agenda (recursion! #GeekHumour :-P)
Problem Statement: Why
OAuth?
What is OAuth?
Typical OAuth Dance
Lets talk security!

3.
OWASP
Disclaimer!
OAuth has a lot of stuff to cover and given the time
constraints, I will stick to the important ones 
3

4.
OWASP
Problem Statement: Why OAuth?
Password sharing anti-pattern
4
Resource owner
(You!)
Client
(Photo Printing Service)
Protected Resource
(facebook.com)
Aim:
To give client access to the
protected resource on behalf
of resource owner

5.
OWASP
What is OAuth
Authorization (not authentication!) framework
Security delegation protocol
Based on token
How to “get token” and how to “use token”
5

6.
OWASP 6
So you think I am understanding it !!

7.
OWASP
Typical OAuth 2.0 Dance Party!
Here are the invitees:
Resource owner
Protected resource
Client
Authorization server
7

8.
OWASP 8
Image: OAuth 2 in action

9.
OWASP 9

10.
OWASP 10
Image: OAuth 2 in action

11.
OWASP
Let’s Talk Security!
CSRF – “state” parameter [Client Vuln]
<img src=“
https://photoprinting.local/callback?code=Attacker_Auth_Code
”>
11
Image: OAuth 2 in action

12.
OWASP
“redirect_uri” mismatch [Auth Server Vuln.]
How about stealing auth code from referrer
header?
A lot others!! Time constraint 
12

13.
OWASP
References
OAuth 2.0 Specs
http://tools.ietf.org/html/rfc6749
OAuth 2.0 – Threat model
https://tools.ietf.org/html/rfc6819
Book: “OAuth 2 in Action” by Justin Richer and
Antonio Sanso
13

14.
OWASP 14
Questions?