SlideShare ist ein Scribd-Unternehmen logo

OAuth 2.0 Security Reinforced

T
Torsten Lodderstedt

The OAuth working group recently decided to discourage use of the implicit grant. But that’s just the most prominent recommendation the working group is about to publish in the upcoming OAuth 2.0 Security Best Current Best Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics), which will elevate OAuth security to the next level. The code flow shall be used with PKCE only and tokens should be sender constraint to just mention a few. Development of this enhanced recommendations was driven by several factors, including experiences gathered in the field, security research results, the increased dynamics and sensitivity of the use cases OAuth is used protect and technological changes. This session will present the new security recommendations in detail along with the underlying rationales.

Technologie
1 von 27
Downloaden Sie, um offline zu lesen
OAuth 2.0 Security Reinforced Dr. Torsten Lodderstedt @tlodderstedt yes® European Identity & Cloud Conference 2019
Who uses OAuth?
The OAuth 2.0 Success Story ● Tremendous adoption since publication as RFC 6749 in 2012 ● Driven by large service providers and OpenID Connect ● Key success factors: simplicity & versatility But: Is it secure?
Security Challenges for OAuth
Implementations … ● [Li et al., 2014] 60 chinese clients, more than half vulnerable to CSRF ● [Yang et al., 2016] Out of 405 clients, 55% do not handle state (CSRF protection) correctly ● [Shebab et al., 2015] 25% of OAuth clients in Alexa Top 10000 vulnerable to CSRF ● [Chen et al., 2014] 89 of 149 mobile clients vulnerable to one or more attacks ● [Wang et al., 2013] Vulnerabilities in Facebook PHP SDK and other OAuth SDKs ● [Sun et al., 2012] 96 Clients, almost all vulnerable to one or more attacks … plus known hacks of
Challenge 1: Implementation Flaws ● We still see many implementation flaws
Challenge 1: Implementation Flaws ● We still see many implementation flaws ● Known anti-patterns are still used ○ Insufficient redirect URI checking (code/token is redirected to attacker) ○ state parameter is not used properly to defend against CSRF ○ …
Challenge 1: Implementation Flaws ● We still see many implementation flaws ● Known anti-patterns are still used ○ Insufficient redirect URI checking (code/token is redirected to attacker) ○ state parameter is not used properly to defend against CSRF ○ … ● Technological changes bring new problems ○ E.g., URI fragment handling in browsers changed → Vulnerability when used with open redirectors Open Redirector: Parameterized, unchecked redirection. E.g.: https://client.example/anything?resume_at=https://evil.example Redirects to https://evil.example
Challenge 2: High-Stakes Environments New Use Cases, e.g., Open Banking, require a very high level of security Also: eIDAS/QES (legally binding electronic signatures) and eHealth Far beyond the scope of the original security threat model!
Challenge 3: Dynamic and Complex Setups Originally anticipated: One trustworthy OAuth provider, statically configured per client Client Resource ServerResource Server Authorization ServerResource Server OAuth Provider
OAuth Provider B Challenge 3: Dynamic and Complex Setups Client Resource ServerResource Server Authorization Server Resource Server Resource Server OAuth Provider C Resource Server Authorization ServerResource Server OAuth Provider A Resource ServerResource Server Authorization Server Resource Server Dynamic relationships Multiple AS/RS per client Today: Not all entities are trustworthy! AS M ix-Up Attack! Found through formal analysis
● OAuth Security Workshop ● New RFC draft: OAuth Security Best Current Practice AS Mix-Up Attack: Fallout #osw2019
OAuth 2.0 Security Best Current Practice RFC ● Currently under development at the IETF ● Refined and enhanced security guidance for OAuth 2.0 implementers ● Complements existing security guidance in RFCs 6749, 6750, and 6819 ● Updated, more comprehensive Threat Model ● Description of Attacks and Mitigations ● Simple and actionable recommendations
The Seven Most Important Recommendations in the OAuth Security BCP
User ① Do not use the OAuth Implicit Grant any longer! GET /authorize?… Redirect to Authorization Server AS/RS User authenticates & consents Redirect to rp.com/authok#access_token=foo23&… Use access_token (Single-Page Apps) Access token available in web application Send access_token (Non-SPA) Use access_token Threat: Access token leakage from web application (XSS, browser history, proxies, operating systems, ...) Threat: Access token replay! Threat: Access token injection! Client
The Implicit Grant ... ● sends powerful and potentially long-lived tokens through the browser, ● lacks features for sender-constraining access tokens, ● provides no protection against access token replay and injection, and ● provides no defense in depth against XSS, URL leaks, etc.! Why is Implicit even in RFC6749? No Cross-Origin Resource Sharing in 2012! ⇒ No way of (easily) using OAuth in SPAs. ⇒ Not needed in 2019! Recommendation “Clients SHOULD NOT use the implicit grant [...]” “Clients SHOULD instead use the response type code (aka authorization code grant type) [...]”
AS/RSUser Use the Authorization Code Grant! GET /authorize?code_challenge=sha256xyz&... Redirect to Authorization Server ... Redirect to rp.com/authok?code=bar42&... POST /token, code=bar42 &code_verifier=xyz... Use access_token Send code Send access_token Mitigation: Sender-Constrained Token E.g., access token bound to mTLS certificate. Mitigation: Single-use Code Double use leads to access token invalidation! Client Mitigation: Proof Key for Code Exchange (PKCE) - Code only useful with code_verifier - Code replay/injection prevented by PKCE.
Authorization Code Grant with PKCE & mTLS … ● protects against code and token replay and injection, ● supports sender-constraining of access tokens, ● provides defense in depth! Recommendation “Clients utilizing the authorization grant type MUST use PKCE [...]” “Authorization servers SHOULD use TLS-based methods for sender-constrained access tokens [...]”
② Prevent Mix-Up Attacks! ● Clients must be able to see originator of authorization response ○ Clients should use a separate redirect URI for each AS ○ Alternative: issuer in authorization response for OpenID Connect ● Clients must keep track of desired AS (“explicit tracking”)
③ Stop Redirects Gone Wild! ● Enforce exact redirect URI matching ○ Simpler to implement on AS side ○ Adds protection layer against open redirection ● Clients MUST avoid open redirectors! ○ Use whitelisting of target URLs ○ or authenticate redirection request
④ Prevent CSRF Attacks! ● RFC 6749 and RFC 6819 recommend use of state parameter ● Updated advice (proposed): ○ If PKCE is used, state is not needed for CSRF protection ○ state can again be used for application state
⑤ Limit Privileges of Access Tokens! ● Sender-constraining (mTLS or HTTP Token Binding) ● Receiver-constraining (only valid for certain RS) ● Reduce scope and lifetime and use refresh tokens - defense in depth!
AS/RSUser Refresh Tokens ... POST /token, code=... Use access_token¹ Send code access_token¹ refresh_token¹ Access Token: Narrow scope and limited lifetime! Access Token expires. POST /token, refresh_token¹ access_token² refresh_token² Use access_token² Client
⑥ Protect Refresh Tokens! ● Attractive target since refresh tokens represent overall grant ● Requirement: Protection from theft and replay ○ Client Binding and Authentication ■ Confidential clients only ○ Sender-Constrained Refresh Tokens ■ mTLS now supports this even for public clients ○ Refresh Token Rotation ■ For public clients unable to use mTLS
⑦ Do not use the R.O.P.C.G.* any longer! *Resource Owner Password Credentials Grant AS/RSUser Username/Password for AS Username/Password for AS Use access_token Send access_token ● Client sees username/password of user ● Complicated or impossible to integrate 2-factor-authentication ● Stopgap solution for migrating to OAuth flows ● Grant name too long, even for Germans ;-) Client
Summary ● OAuth 2.0 implementations often vulnerable ● Protocol needs updated security guidance ○ Protection against new attacks ○ Adaptations to evolving web environment ○ Accounting for new use cases ● New IETF OAuth Security BCP (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) ○ Addresses new and old security vulnerabilities ○ Provides actionable solutions
Q&A! Latest Drafts & Publications OAuth 2.0 Security BCP https://tools.ietf.org/html/draft-ietf-oauth-security-topics OpenID Connect 4 Identity Assurance https://openid.net/specs/openid-connect-4-identity-assurance.html Transaction Authorization or why we need to re-think OAuth scopes https://cutt.ly/oauth-transaction-authorization Cross-Browser Payment Initiation Attack https://cutt.ly/cross-browser-payment-initation JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) https://openid.net/specs/openid-financial-api-jarm-ID1.html OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer https://tools.ietf.org/html/draft-fett-oauth-dpop Dr. Torsten Lodderstedt CTO, yes.com torsten@yes.com @tlodderstedt yes® Talk to me about - Details on attacks and mitigations - The OAuth Security Workshop - Other emerging OAuth & OpenID stuff - Working at yes.com

Empfohlen

OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
Glen Plantz
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 

Empfohlen

OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
Glen Plantz
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
Svetlin Nakov
 
kerberos
kerberoskerberos
kerberos
sameer farooq
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
Beau Bullock
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAP
Cynoteck Technology Solutions Private Limited
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
Cleo
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
n|u - The Open Security Community
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
Ldap intro
Ldap introLdap intro
Ldap intro
yousry ibrahim
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
Theo Gravity
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 

Weitere ähnliche Inhalte

Was ist angesagt?

PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
Svetlin Nakov
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
Beau Bullock
 

Was ist angesagt? (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
 
kerberos
kerberoskerberos
kerberos
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAP
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
 
Ldap intro
Ldap introLdap intro
Ldap intro
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
 

Ähnlich wie OAuth 2.0 Security Reinforced

Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
Matt Raible
 

Ähnlich wie OAuth 2.0 Security Reinforced (20)

Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 

Mehr von Torsten Lodderstedt

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 

Mehr von Torsten Lodderstedt (20)

OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 

Kürzlich hochgeladen

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 

OAuth 2.0 Security Reinforced

  • 1. OAuth 2.0 Security Reinforced Dr. Torsten Lodderstedt @tlodderstedt yes® European Identity & Cloud Conference 2019
  • 3. The OAuth 2.0 Success Story ● Tremendous adoption since publication as RFC 6749 in 2012 ● Driven by large service providers and OpenID Connect ● Key success factors: simplicity & versatility But: Is it secure?
  • 5. Implementations … ● [Li et al., 2014] 60 chinese clients, more than half vulnerable to CSRF ● [Yang et al., 2016] Out of 405 clients, 55% do not handle state (CSRF protection) correctly ● [Shebab et al., 2015] 25% of OAuth clients in Alexa Top 10000 vulnerable to CSRF ● [Chen et al., 2014] 89 of 149 mobile clients vulnerable to one or more attacks ● [Wang et al., 2013] Vulnerabilities in Facebook PHP SDK and other OAuth SDKs ● [Sun et al., 2012] 96 Clients, almost all vulnerable to one or more attacks … plus known hacks of
  • 6. Challenge 1: Implementation Flaws ● We still see many implementation flaws
  • 7. Challenge 1: Implementation Flaws ● We still see many implementation flaws ● Known anti-patterns are still used ○ Insufficient redirect URI checking (code/token is redirected to attacker) ○ state parameter is not used properly to defend against CSRF ○ …
  • 8. Challenge 1: Implementation Flaws ● We still see many implementation flaws ● Known anti-patterns are still used ○ Insufficient redirect URI checking (code/token is redirected to attacker) ○ state parameter is not used properly to defend against CSRF ○ … ● Technological changes bring new problems ○ E.g., URI fragment handling in browsers changed → Vulnerability when used with open redirectors Open Redirector: Parameterized, unchecked redirection. E.g.: https://client.example/anything?resume_at=https://evil.example Redirects to https://evil.example
  • 9. Challenge 2: High-Stakes Environments New Use Cases, e.g., Open Banking, require a very high level of security Also: eIDAS/QES (legally binding electronic signatures) and eHealth Far beyond the scope of the original security threat model!
  • 10. Challenge 3: Dynamic and Complex Setups Originally anticipated: One trustworthy OAuth provider, statically configured per client Client Resource ServerResource Server Authorization ServerResource Server OAuth Provider
  • 11. OAuth Provider B Challenge 3: Dynamic and Complex Setups Client Resource ServerResource Server Authorization Server Resource Server Resource Server OAuth Provider C Resource Server Authorization ServerResource Server OAuth Provider A Resource ServerResource Server Authorization Server Resource Server Dynamic relationships Multiple AS/RS per client Today: Not all entities are trustworthy! AS M ix-Up Attack! Found through formal analysis
  • 12. ● OAuth Security Workshop ● New RFC draft: OAuth Security Best Current Practice AS Mix-Up Attack: Fallout #osw2019
  • 13. OAuth 2.0 Security Best Current Practice RFC ● Currently under development at the IETF ● Refined and enhanced security guidance for OAuth 2.0 implementers ● Complements existing security guidance in RFCs 6749, 6750, and 6819 ● Updated, more comprehensive Threat Model ● Description of Attacks and Mitigations ● Simple and actionable recommendations
  • 14. The Seven Most Important Recommendations in the OAuth Security BCP
  • 15. User ① Do not use the OAuth Implicit Grant any longer! GET /authorize?… Redirect to Authorization Server AS/RS User authenticates & consents Redirect to rp.com/authok#access_token=foo23&… Use access_token (Single-Page Apps) Access token available in web application Send access_token (Non-SPA) Use access_token Threat: Access token leakage from web application (XSS, browser history, proxies, operating systems, ...) Threat: Access token replay! Threat: Access token injection! Client
  • 16. The Implicit Grant ... ● sends powerful and potentially long-lived tokens through the browser, ● lacks features for sender-constraining access tokens, ● provides no protection against access token replay and injection, and ● provides no defense in depth against XSS, URL leaks, etc.! Why is Implicit even in RFC6749? No Cross-Origin Resource Sharing in 2012! ⇒ No way of (easily) using OAuth in SPAs. ⇒ Not needed in 2019! Recommendation “Clients SHOULD NOT use the implicit grant [...]” “Clients SHOULD instead use the response type code (aka authorization code grant type) [...]”
  • 17. AS/RSUser Use the Authorization Code Grant! GET /authorize?code_challenge=sha256xyz&... Redirect to Authorization Server ... Redirect to rp.com/authok?code=bar42&... POST /token, code=bar42 &code_verifier=xyz... Use access_token Send code Send access_token Mitigation: Sender-Constrained Token E.g., access token bound to mTLS certificate. Mitigation: Single-use Code Double use leads to access token invalidation! Client Mitigation: Proof Key for Code Exchange (PKCE) - Code only useful with code_verifier - Code replay/injection prevented by PKCE.
  • 18. Authorization Code Grant with PKCE & mTLS … ● protects against code and token replay and injection, ● supports sender-constraining of access tokens, ● provides defense in depth! Recommendation “Clients utilizing the authorization grant type MUST use PKCE [...]” “Authorization servers SHOULD use TLS-based methods for sender-constrained access tokens [...]”
  • 19. ② Prevent Mix-Up Attacks! ● Clients must be able to see originator of authorization response ○ Clients should use a separate redirect URI for each AS ○ Alternative: issuer in authorization response for OpenID Connect ● Clients must keep track of desired AS (“explicit tracking”)
  • 20. ③ Stop Redirects Gone Wild! ● Enforce exact redirect URI matching ○ Simpler to implement on AS side ○ Adds protection layer against open redirection ● Clients MUST avoid open redirectors! ○ Use whitelisting of target URLs ○ or authenticate redirection request
  • 21. ④ Prevent CSRF Attacks! ● RFC 6749 and RFC 6819 recommend use of state parameter ● Updated advice (proposed): ○ If PKCE is used, state is not needed for CSRF protection ○ state can again be used for application state
  • 22. ⑤ Limit Privileges of Access Tokens! ● Sender-constraining (mTLS or HTTP Token Binding) ● Receiver-constraining (only valid for certain RS) ● Reduce scope and lifetime and use refresh tokens - defense in depth!
  • 23. AS/RSUser Refresh Tokens ... POST /token, code=... Use access_token¹ Send code access_token¹ refresh_token¹ Access Token: Narrow scope and limited lifetime! Access Token expires. POST /token, refresh_token¹ access_token² refresh_token² Use access_token² Client
  • 24. ⑥ Protect Refresh Tokens! ● Attractive target since refresh tokens represent overall grant ● Requirement: Protection from theft and replay ○ Client Binding and Authentication ■ Confidential clients only ○ Sender-Constrained Refresh Tokens ■ mTLS now supports this even for public clients ○ Refresh Token Rotation ■ For public clients unable to use mTLS
  • 25. ⑦ Do not use the R.O.P.C.G.* any longer! *Resource Owner Password Credentials Grant AS/RSUser Username/Password for AS Username/Password for AS Use access_token Send access_token ● Client sees username/password of user ● Complicated or impossible to integrate 2-factor-authentication ● Stopgap solution for migrating to OAuth flows ● Grant name too long, even for Germans ;-) Client
  • 26. Summary ● OAuth 2.0 implementations often vulnerable ● Protocol needs updated security guidance ○ Protection against new attacks ○ Adaptations to evolving web environment ○ Accounting for new use cases ● New IETF OAuth Security BCP (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) ○ Addresses new and old security vulnerabilities ○ Provides actionable solutions
  • 27. Q&A! Latest Drafts & Publications OAuth 2.0 Security BCP https://tools.ietf.org/html/draft-ietf-oauth-security-topics OpenID Connect 4 Identity Assurance https://openid.net/specs/openid-connect-4-identity-assurance.html Transaction Authorization or why we need to re-think OAuth scopes https://cutt.ly/oauth-transaction-authorization Cross-Browser Payment Initiation Attack https://cutt.ly/cross-browser-payment-initation JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) https://openid.net/specs/openid-financial-api-jarm-ID1.html OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer https://tools.ietf.org/html/draft-fett-oauth-dpop Dr. Torsten Lodderstedt CTO, yes.com torsten@yes.com @tlodderstedt yes® Talk to me about - Details on attacks and mitigations - The OAuth Security Workshop - Other emerging OAuth & OpenID stuff - Working at yes.com