with oauth 2.0 in§in-depth understanding of the subtleties of oauth 2.0 −the difference between...

@baaz / @PhilippeDeRyck

SECURE AUTHENTICATION

WITH OAUTH 2.0IN

Balint Erdi - PhilippeDeRyckEmberconf 2017

https://balinterdi.com/@baaz @PhilippeDeRyck

https://www.websec.be

WHO HERE FULLY UNDERSTANDS OAUTH 2.0?

OAUTH 2.0IS A MESS

ABOUT US – BALINT ERDI

§ Balint isatotalEmberenthusiast−RegularlyconsultswithlargecompaniesonbuildingEmberapps−NumerousscreencastsandblogpostsaboutEmberconcepts−OrganizesworkshopsonvariousEmbertopics,includingauthentication−GivesanothertalkhereatEmberConf!−Moreinfoonhttps://balinterdi.com/

§ AuthorofthepopularbookRockandRollwithEmber.js−Keptup-to-datewiththelatestevolutionsinEmber−Pinpointsthecoreconceptsandexplainsthemindetail

ABOUT US – PHILIPPE DE RYCK

§Mygoalistohelpyoubuildsecurewebapplications−Hostedandcustomizedin-housetraining− Specializedsecurityassessmentsofcriticalsystems− Threatlandscapeanalysisandprioritizationofsecurityefforts−Moreinformationandresourcesonhttps://www.websec.be

§Mysecurityexpertiseisbroad,withafocusonWebSecurity−PhDinclient-sidewebsecurity−MainauthorofthePrimeronclient-sidewebsecurity

WE WILL FOCUS ON AUTHENTICATION WITH OAUTH 2.0

§OAuth2.0isaveryversatileframework,usedforvariouspurposes− Inthisworkshop,weexplicitlylimitthescopetoauthentication− Theadvicegivenherethereforeappliestoauthenticationscenarios

§ Inthecominghours,wewilldivedeepintoOAuth2.0−Acoupleoflecturesexplainimportantconceptsandsecurityproperties− Thehands-onlabsessionsputyouinthedriver’sseat

§ Ifyouhaveanyquestions,don’twaittoaskthem!−Duringthelabsessions,thereshouldbesometimeforbroaderquestionsaswell

WHAT YOU WILL LEARN IN THIS WORKSHOP

§ In-depthunderstandingofthesubtletiesofOAuth2.0− ThedifferencebetweenthefourmainOAuth2.0flows−Practicaladvicewhichflowyoushouldbeusing,andwhy− TherelationofOpenIDConnectwithOAuth2.0andauthentication

§Hands-onexperiencewithimplementingOAuth2.0authenticationinEmber−UsingacombinationofEmber-Simple-Auth andTorii−AlookunderthehoodofaToriiprovider

§ DetailedoverviewofcommonthreatsagainstOAuth2.0flows−Hands-onexperiencewithinvestigatingthestepsinanOAuth2.0flow−Practicalattackscenariosandimportantcountermeasures

OAUTH 2.0AND AUTHENTICATION

WHAT IS OAUTH 2.0ALL ABOUT?

Delegation

WHAT DELEGATION IS ALL ABOUT …

accountantCTO bank

accountX

IwanttoaccessaccountX1

Sure,here’smypermission

IwanttoaccessaccountX3

Sure,here’sanaccesscard

ShowmethebalanceofaccountX

5 $50 6

APRACTICAL EXAMPLE OF DELEGATION

SO WE CAN USE THIS FOR AUTHENTICATION?

BUT AUTHENTICATION WITH OAUTH 2.0SEEMS SIMPLE …

Rock&Roll

IwanttologinwithFacebook1

Welcome“PhilDR”4

Facebook

Whoisthisguy?2 Userinfophilippe.deryck@cs.kuleuven.be

WHY AUTHENTICATION WITH OAUTH 2.0IS NOT SIMPLE

§ Authenticatingauserisaboutgettingverifiableuserinformation−Butweneedtoknowwhowearegettingthatinformationfor− Theauthenticationproviderprobablydoesnotjustshareanybody’sinformation

§ RememberthatOAuth2.0isallaboutdelegation− Theusercandelegateaccesstohisinformationtoourapplication−Wecanusethataccesstofetchuserinformation,andauthenticatetheuser

§WhatmakesOAuth2.0(andauthentication)complexisthisdelegation−We’reusingtheentireOAuth2.0frameworktoonlydelegateatinybitofaccess−Andbecauseweonlyneedabit,wewillalsobeabletosimplifythingsabit

IN PRACTICE,IT’S A BIT MORE COMPLICATED …

Rock&Roll

IwanttologinwithFacebook1

GivemeaccesstoyourFBuserinfo2

FacebookIwanttogiveR&RaccesstomyFBuserinfo3

OK,here’satokenthatgrantsaccess4

Here’satokentogetmyinfo5

Showmetheuserinfo6 Userinfophilippe.deryck@cs.kuleuven.be

7Welcome“PhilDR”8

MAKING SENSE OF OAUTH 2.0FLOWS

§ TheOAuth2.0specoffers4distinctflows,eachwiththeirownpurpose−Choosingtherightflowishard− Terminologycanalsobefairlyconfusing

§ PuttingOAuth2.0rolesincontextforauthentication−Client:theRock&Rollapplication−Useragent:thebrowser−Resourceowner:theuserthatownstheaccount−Resourceserver:theserverhostingtheaccountinformation(e.g.Facebook)−Authorizationserver:theserverthatauthenticatestheclient(e.g.Facebook)

FLOW 1:RESOURCE OWNER PASSWORD CREDENTIALS

Client AuthorizationServer

LoginwithFBuser:philippe

pass:qwerty12345

1 Hello“PhilDR”6

Iwantaccessasuserphilippe withpass…2

OK,here’satokenthatgrantsaccess

Iwanttoaccesstheuserinfo4

Userinfophilippe.deryck@cs.kuleuven.be5

Resourceserver

UserAgent(resourceowner)

FLOW 2:IMPLICIT GRANT

LoginwithFB1

OK,gotoFBplease2

IwanttogiveR&Raccess3

Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

FLOW 3:AUTHORIZATION CODE

LoginwithFB1

OK,gotoFBplease2

Iwanttoaccesstheuserinfo

Userinfophilippe.deryck@cs.kuleuven.beResource

server

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’sanauthorizationcode

Here’sthecode7

CanIhaveanaccesstokenplease?8

9 Hereyougo

FLOW 4:CLIENT CREDENTIALS

Iwantaccessasmyself1

OK,here’satokenforthat2

AccessAPI3

info4Resourceserver

MAKING SENSE OF OAUTH 2.0FLOWS

§ Resourceownerpasswordcredentials− Onlyrelevantiftheclientandtheresourceownertrusteachother100%

• E.g.whenFacebookbuildsaFacebookclient

§ ImplicitGrant− Directlyexposestheaccesstokentothefrontendapplication

• MainlyusefulfordirectAPIaccessfromwithinJavaScript

§ Authorizationcode− Preferredflowtoensurethesecurityoftheaccesstoken

• TheflowtouseforwhenthebackendneedstoaccessanAPI

§ Clientcredentials− UsefulforwhentheapplicationneedsaccesstoanAPI

WHICH FLOW CAN WE USE TO SUPPORT AUTHENTICATION?

§ Thereisalotofconflictingadviceoutthere−Manyapplicationsusetheresourceownerpasswordcredentialsflow−Mosttutorialsrecommendtheuseoftheimplicitgrant flow

§ Inthiscase,theonlyrightansweristheauthorizationcode flow− Thisflowoffersthestrongestsecuritybenefits− Itlooksmorecomplexthantheimplicitgrant flow,butinpracticeitisnot

§ Thisworkshopwillfocusontheimplicitgrant andauthorizationcode flow−Wewillshowyouthedifferencesandsecuritybenefits− Thelabsessionscoverbothimplementationandsecurityaspects

SUPPORTING OAUTH 2.0IN EMBER

AUTHENTICATION IN EMBER

§ EmberSimpleAuth (ESA) isapopularauthenticationlibraryforEmber− Itoffersabstractionsforauthenticationandauthorization− Itofferssessionmanagementfeaturestokeeptrackofauthenticationstate

§ Tosupportdifferentauthenticationstrategies,authenticatorsareused− Theauthenticationprocessisdelegatedtothespecifiedauthenticator

§ Tosupportauthorization,variousmixins areprovided−Addanauthorizationchecktoroutes−Addasessiontokentooutgoingrequests−…

EMBER SIMPLE AUTH CODE EXAMPLE

RUNNING OAUTH 2.0FLOWS WITH TORII

§ ToriiisanotherpopularEmberlibrarytointegrateauthentication− ItmainlyfocusesoncomplexOAuth2.0flows−Butalsoofferssupportforauthorizationandsessionmanagement

§ Toriimakespowerfulabstractionsfromcomplexflows−AnOAuth2.0providerrunstheentireflowinapopup,andsimplyreturnstheresults−Allthecomplexconfigurationishiddenintheprovider

§ ToriialreadysupportsnumerousOAuth2.0flowsoutofthebox− SupportforGoogle,Facebook,Github,…− Supportforbothimplicitgrant andauthorizationcode flows

TORII CODE EXAMPLE

INTEGRATING TORII WITH EMBER SIMPLE AUTH

§ ThepowerofToriiisthatiteasilyintegrateswithexistingapplications− ExistingauthenticationmechanismscaneasilycallaToriiprovider

§ CustomESAauthenticatorsdelegatetheflowtoaToriiprovider− ToriitakescareofrunningtheOAuth2.0flow− ESAtakescareofstoringtheauthenticationinformationafterasuccessfulflow− Thisintegratesdirectlywiththealreadyexistingauthorizationmixins

§ Thisisexactlywhatyouwilldointhisworkshop

BACKEND SUPPORT FOR TORII AND ESA

§ ThebackendisresponsibleforprocessingtheOAuth2.0results− Thiscaneitherbeanaccesstoken orauthorizationcode−Withthisinformation,thebackendfetchesassociatedidentityinformation

§ Contactingthebackendcaneasilybedonefromwithintheauthenticator−AftertheOAuth2.0flowhascompleted,theresultissenttotheserverwithAJAX− Theserverreturnsasessiontokenafterasuccessfulauthentication− ThisisthetokenthatESAstoresinlocalStorage

§ Forthisworkshop,wehavealreadyimplementedthebackendendpoints

AUTHENTICATION WITH OAUTH 2.0Labsession

PRACTICAL INFO FOR THE LAB SESSIONS

§ YouwillbeworkingonthefrontendoftheRock&Roll application− Youshouldhaveclonedtherepobynow

• Ifnot,checkyouremailforinstructions,orcalloneoftheusinaminute−WewilladdauthenticationwithOAuth2.0byusingGoogle,FacebookandGithub

§ Allofthelabsessionsarefullydocumented− Theguidesthattellyouwhatyouneedtodo,withdetailedinstructionsifnecessary− Therepositoryhasbranchesforeachstep,soyoucanalwaysstartwithacleanslate

§ ThebackendisrunningonHeroku,andissharedforeveryone− Therelevantsourcecodeisincludedintheguidesascodesnippets

Guidesforthelabsessionshttp://bit.ly/2nEAdRj

Slideshttp://bit.ly/2n9NzC5

SlackChannelhttps://balinterdi.slack.com/,#emberconf17-workshop

WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION

§ ToriiandESAprovideacleansetofabstractionsforauthentication− TiesinrealnicewithexistingconceptsinyourEmberapplication−DoseparateyoursessionmanagementfromtheOAuth2.0authentication

§OAuth2.0caneffectivelybeusedforauthentication−Boththeimplicitgrant andauthorizationcodeflowsarewellsupported− ThankstoTorii,frontendimplementationisreallylimitedforbothflows

§ Thebackendalsoplaysanimportantroleintheauthenticationprocess−Wehaveshieldedyoufromthebackend,butwilltakealookatitnow

SECURITY IN OAUTH 2.0

OAUTH 2.0FLOWS ARE ALL ABOUT ACCESS TOKENS

§ Ineveryflow,theclientgetsanaccesstoken toaccessprotectedresources− Theaccesstokenisabearertoken,sowhoeverpossessesitcanuseit

§ Forauthentication,theaccesstoken isonlyneededonce−Withtheaccesstoken,theclientcanfetchuseridentityinformation−Withthisinformation,anewsessionfortheusercanbeestablished−Afterthat,theaccesstokenshouldbediscarded,asaccessisnolongerneeded

§ Duringtheflows,theaccesstokensneedtobeadequatelyprotectedaswell−AlltrafficshouldhappenoverasecureHTTPSchannel− Exposureoftheaccesstokenshouldbelimited− TheintegrityoftheOAuth2.0flowshouldbeensured

NETWORK ATTACKS ARE EASIER THAN EVER TO EXECUTE

ACCESS TOKENS TRAVEL ACROSS THE NETWORK

LoginwithFB1

OK,gotoFBplease2

Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

LIMITING THE EXPOSURE OF THE ACCESS TOKEN IS CRUCIAL

ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION

LoginwithFB1

OK,gotoFBplease2

Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION

LoginwithFB1

OK,gotoFBplease2

server

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

Here’sthecode7

9 Hereyougo

LIMITING THE EXPOSURE OF THE ACCESS TOKEN IN THE BACKEND

§Manybackendsystemsneedcontinuousaccesstotheprotectedresource− Thisrequirespossessionoftheaccesstoken−Butifthesetokensgetstolen,theuser’sareinserioustrouble

§ Forauthenticationpurposes,theaccesstoken canbediscardedafteruse−Atthatpoint,thebackendhasfetchedtheuser’sidentityinformation−Discardingthetokenlimitstheriskoftheftinadatabreach

§ Theriskoftheftisevengreaterwithrefreshtokens− Thesetokensarelonglivedandallowaclienttogetanewaccesstoken−Wedon’tneedthoseatall,soifyougetthem,discardthemimmediately

THE HIDDEN PARTS OF SETTING UP OAUTH 2.0

§ Theresourceownerneedstogranttheclientaccesstotheresources− Thisrequirestheregistrationofaclientapplicationwiththeresourceprovider− Youneedtoprovideclientinformation,includingspecificredirectURIs−Duringregistration,yougetaclientIDandaclientsecret

THE HIDDEN PARTS OF SETTING UP OAUTH 2.0

§ Theresourceownerneedstogranttheclientaccesstotheresources− Thisrequirestheregistrationofaclientapplicationwiththeresourceprovider− Youneedtoprovideclientinformation,includingspecificredirectURIs−Duringregistration,yougetaclientIDandaclientsecret

§ TheclientIDisusedtoidentifytheclient− Thisisnon-sensitiveinformationanddoesnotneedtobekeptsecret

§ Theclientsecretisusedtoauthenticatetheclient− Thisisessentiallyapassword,andshouldbekeptconfidential− Itcanbeusedinthebackend,butshouldneverbesharedwiththefrontend

IDENTIFYING THE CLIENT IN THE IMPLICIT GRANT FLOW

LoginwithFB1

OK,gotoFBplease2

Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

RedirectthebrowsertoFacebookwiththeclientID2

THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION

§ Clientidentificationintheimplicitgrantflowisdifficult− Theflowrunsentirelyinthebrowser,whichisconsideredtobeuntrusted− Theclientsecretcannotbesharedwiththebrowser

§Mostimplicitgrant flowseasilyacceptfraudulenttokens−HappenswhenapplicationhappilyacceptstokensthatareissuedforapplicationA

UserAgent(attacker)

Goodclient

AccessAPI

Resourceserver

Hello“PhilDR”

Token15

Userinfo

Badclient

AuthorizationServer

LoginwithFB1

GotoFB2

Authorizebadclient3

CredentialsforFB5

Pleaselogin4

OK,here’satoken6

FBtoken7

Resourceserver

AccessAPI8

Userinfo9

Hello“PhilDR”10

§Mostimplicitgrant flowseasilyacceptfraudulenttokens−HappenswhenapplicationhappilyacceptstokensthatareissuedforapplicationA− Toavoidthis,theclientmustexplicitlyvalidatethetokenbeforeuse

§Mostimplicitgrantflowseasilyacceptfraudulenttokens−HappenswhenapplicationhappilyacceptstokensthatareissuedforapplicationA− Toavoidthis,theclientmustexplicitlyvalidatethetokenbeforeuse

§ AsimilarproblemexistsiftheredirectURIcanbetamperedwith− Thiswillcausethetokentobesentdirectlytotheattacker,allowingreuse

REDIRECT URIS HELP ENSURE THE INTEGRITY OF A FLOW

LoginwithFB1

OK,gotoFBplease2

Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

RedirectthebrowsertoFacebook,andincludetheURItoredirecttoinstep6

https://accounts.google.com/o/oauth2/auth?client_id=…&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Foauth2callback

TheredirectURIwillbepropagatedalongsteps3,

§ Amaliciousredirectcanresultinleakingtheaccesstoken− Topreventthis,theauthorizationserverneedstoverifythevalidityoftheURI− That’salsowhyyouneedtospecifytheredirectURIupfront

§Openredirectscanbeabusedtostealtokensaswell−AnopenredirectisaURIwithinyourdomainthatwilltriggeracontrollableredirect− Thiswillenablethestealingoftheaccesstoken

§MakesureyourbackenddoesnothavearedirectwithacontrollableURI

http://example.com/login?src=http://www.example.com/secretCats

WHY THE AUTHORIZATION CODE FLOW IS BETTER

§ Bynow,youprobablyrealizethattheimplicitgrant flowisnotverysecure− Thereisnoclientauthentication,onlyidentificationwithapublicidentifier− Itrequiresadditionalefforttoensurethevalidityofthetokens− Tokenspassthroughthebrowser,makingthemmorevulnerabletoexposure

§ Theauthorizationcode flowhandlestheseproblemsalotbetter−Accesstokensareneverseenbythebrowser−ClientauthenticationisdonebytheauthorizationserverusingclientIDandsecret

§ Evenifanauthorizationcodeisstolen,theimpactislimitedtonone− Exchangingastolenauthorizationcodeforanaccesstokenrequirestheclientsecret−Authorizationcodesareone-timeuseonly

IDENTIFYING THE CLIENT IN THE AUTHORIZATION CODE FLOW

LoginwithFB1

OK,gotoFBplease2

server

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

Here’sthecode7

9 Hereyougo

RedirectthebrowsertoFacebookwiththeclientID2

ExchangetheauthorizationcodeforanaccesstokenusingclientIDandclientsecret

THE HIDDEN PARTS OF USING AN OAUTH 2.0FLOW

§ AnOAuth2.0flowstartswitharedirecttotheauthorizationserver− Thisfirstrequestcontainsparameterstosetthepropertiesoftheflow−WealreadycoveredtheclientIDandredirectURI,buttherearemore

§ Commonparameterstoconfiguretheflow−Responsetype:whattheresponseshouldinclude(codeortoken)− Scope:thepermissionstheclientisrequestingfromtheresourceowner− State:arandom,uniquestringtoprotectagainstCross-SiteRequestForgery

§ Theseparametershavebeenhiddensofar,becauseToriitookcareofthis− Thisbecomesextremelyrelevantifyouhavetowriteyourownprovidersomeday

SCOPE AND PERMISSIONS

§ Thescope parameterallowstheclienttorequestspecificpermissions− Thesepermissionsareshowntotheuserduringauthorizationoftheapplication− Thelistofavailablepermissionsisspecifictoeachprovider

§ Thesepermissionsareassociatedwiththeaccesstoken−Accesstokensarebearertokens,sotheycanbere-usedwhenstolen−Donotoverreachonthescope,andlimitthescopetotheaccessyouneed− Forauthenticationpurposes,accesstotheemailaddressisgenerallysufficient

§Notethatthegrantedpermissionscandifferfromtherequestedpermissions−Checkthegrantedpermissionstoseeifyouhaveallyouneed

VIOLATING FLOW INTEGRITY THROUGH CSRF

§ Cross-SiteRequestForgeryallowsanattackertodisrupttheOAuth2.0flow− Theattackistostoptheflowinonebrowserandresumingitintheotherbrowser− Thisresultsinthesuccessfulauthenticationasadifferentuser

AuthorizationServer

UserAgent(attacker)

Client

Resourceserver

Hello“Balint”

Here’stheFBtoken7

Userinfobalinterdi@gmail.com

LoginwithFB1

OK,gotoFBplease2

Authorizate R&R3

Pleaselogin4

Token6

Credentials5

§ Cross-SiteRequestForgeryallowsanattackertodisrupttheOAuth2.0flow− Theattackistostoptheflowinonebrowserandresumingitintheotherbrowser− Thisresultsinthesuccessfulauthenticationasadifferentuser

§ Theconsequenceofthisattackisverysubtle−Allactionstheuserperformswillbedoneinthenameoftheattacker− E.g.iftheapplicationstoressensitiveuserdata,suchassearchqueries− E.g.iftheattackerputmaliciouscodeinhisaccount,itwillbeexecutedbytheuser

§ Therootcauseistheseparationbetweeninitializationandfinalization− Thesolutionistotiebothstepstogetherwiththestateparameter

LINKING INITIALIZATION AND FINALIZATION WITH STATE

LoginwithFB1

OK,gotoFBplease2

Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

TheclientincludesarandomstateparameterintheURI

Clientcomparesstateparameterwiththestoredvalue7

Stateparameterispropagatedthroughsteps3,4,5,6and7

AuthorizationServer

UserAgent(attacker)

Client

Resourceserver

Hello“Balint”

Here’stheFBtoken7

Userinfobalinterdi@gmail.com

LoginwithFB1

OK,gotoFBplease2

Authorizate R&R3

Pleaselogin4

Token6

Credentials5

Stateinstep7doesnotmatchanystoredstate

RECAPPING SECURITY BEST PRACTICES

§ Limittheexposureoftheaccesstoken−RunalltrafficoverasecureHTTPSchannel−Choosetheauthorizationcode flowovertheimplicitgrant flow−Removetheaccesstokenafteruse

§ Limitthescopeoftheaccesstoken

§ EnsuretheintegrityofanOAuth2.0flow− SpecifyconcreteredirectURIsandvoidthepresenceofopenredirects−Verifythevalidityofaccesstokens comingfromtheclient−Usethestate parametertopreventCSRFattacks(includedinTorii’sdefaultproviders)

SECURING OAUTH 2.0FLOWS

Labsession

§ Forthislabsession,weneedaworkingimplementationofOAuth2.0flows− Youcancontinueonyourownimplementation−Alternatively,youcancheckoutthefacebook-authentication-code branch

§Wearegoingtoinvestigatethesecuritypropertiesofthedifferentflows− Seewhatyoucandowithanaccesstokenandauthorizationcode−WearegoingtouseBurpandFirefoxformostofthis− Ifyourunintoproblems,don’thesitatetocallusover!

§WecanusethesamesharedbackendrunningonHeroku− Therelevantsourcecodeisincludedintheguidesascodesnippets

Guidesforthelabsessionshttp://bit.ly/2nEAdRj

Slideshttp://bit.ly/2n9NzC5

TokenInspectorhttp://bit.ly/2nsybU7

Slackteamandchannelhttps://balinterdi.slack.com/,#emberconf17-workshop

WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION

§ Theimplicitgrant flowisinherentlyinsecure,butoftenused− Themainreasonpeopleadvisethisflowisbecauseofease-of-use−Butwehaveseenthatifyoudoitright,therequiredeffortisverysimilar

§ SecureOAuth2.0flowsareallaboutthedetails− Subtledifferencesbetweentheimplicitgrant andauthorizationcode flow− Settingthescope,redirectURIandstateparametersrequiresknowledge

§ Limitingtheexposureoftheaccesstokenisabsolutelycrucial−Donotsenditviathebrowser−Deleteitfromthebackendafterauthentication

OAUTH 2.0AND OPENIDCONNECT

AUTHENTICATION WITH OAUTH 2.0IS MESSY

§ FetchinguserinformationwithOAuth2.0highlydependsontheprovider− Everyproviderhasdifferentendpointsforallkindsofdata− Someprovidershavecustomsettings(e.g.theemailaddressonGithub)

§ Supportingmultipleprovidersisnotreallyeasy−Requiresalotofmaintenance,especiallywhenAPIsevolve

§ Thingsbecomeevenworsewhenyouneedtorelyonthirdpartyservices− Inthisworkshop,wehadourownindependentsessionmanagement− Thisisnotalwaysthecase,andpropagatingthatinfoacrossthebackendisdifficult

OPENIDCONNECT TO THE RESCUE

§OpenIDConnect(OIDC)aimstosolvetheseissues−Astandardizedwaytoexchangeidentityinformationbetweenservices−HeavilybasedonJSONWebTokens(JWT)

§OIDCisactuallybuiltontopofOAuth2.0−OAuth2.0isaveryflexibleandopenframework−OIDCmakesveryexplicitchoices,andlocksOAuth2.0downintoaspecificscenario

§OIDCstillusestheOAuth2.0flowswecoveredheretoday− First,theclientusesanauthorizationcode flowtogetanauthorizationcode−Next,theauthorizationcodeisexchangedforanidentitytoken

FLOW 3:AUTHORIZATION CODE

LoginwithFB1

OK,gotoFBplease2

server

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

Here’sthecode7

9 Hereyougo

OPENIDCONNECT WITH THE AUTHORIZATION CODE FLOW

Client Tokenendpoint

LoginwithGoogle1

GotoGoogle2

CredentialsforGoogle5

Hello“PhilDR”

Pleaselogin4

Here’sthecode7

Idtokenandaccesstokenplease?8

9 Hereyougo

OPENIDCONNECT RETURNS AN IDENTITY TOKEN

@baaz / @PhilippeDeRyck 74http://jwt.io/

AJWTIS A BASE64-ENCODED DATA OBJECT

{"alg": "HS256","typ": "JWT"

{"iss": ”distrinet.cs

.kuleuven.be","exp": 1425078000000,"name": "philippe","admin": true

HMACSHA256(base64UrlEncode(header)+ "." +base64UrlEncode(payload),“secret”

Header Payload Signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaXN0cmluZXQuY3Mua3VsZXV2ZW4uYmUiLCJleHAiOjI0MjUwNzgwMDAwMDAsIm5hbWUiOiJwaGlsaXBwZSIsImFkbWluIjp0c

nVlfQ.dIi1OguZ7K3ADFnPOsmX2nEpF2Asq89g7GTuyQuN3so

JWTIS AN OPEN STANDARD TO EXCHANGE INFORMATION

§ JWTtokensrepresenteasy-to-exchangedataobjects−Contentissignedtoensureintegrity−Contentisbase64-encoded,toensuresafehandlingacrosstheweb

§ JWTsupportsvariouskindsofalgorithms− E.g.signaturewithonesharedkeyontheserver-side,forusewithinoneapplication− E.g.signaturewithapublic/privatekeypair,foruseacrossapplications

§ ThismakesJWTtokenssousefulinanOIDCenvironment− IdentityinformationisencodedasaJWTtoken,signedwithaprivatekey−Anypartyrelyingonthisinfocanverifythesignaturebeforeusingtheclaims

LoginwithGoogle1 GotoGoogle2

Moar userinfo

ClaimsabouttheuserUserInfoendpoint

Hello“PhilDR”

Pleaselogin4

Here’sthecode7 10

9 Hereyougo

ADDITIONAL CLAIMS ARE ALSO REPRESENTED AS A JWT

THE DETAILS BEHIND AN OPENIDCONNECT FLOW

§ ThescopeoftheOAuth2.0flowshouldbeopenid− Thistellstheproviderthatthegoalistogetanidentitytoken−Additionalscopescanbeaddedalongsideopenid (e.g.email,…)

LoginwithGoogle1 GotoGoogle2

Moar userinfo

ClaimsabouttheuserUserInfoendpoint

Hello“PhilDR”

Pleaselogin4

Here’sthecode7 10

9 Hereyougo

Scopeshouldbeopenidbutcanalsoincludeothers

(e.g.openid email)

THE DETAILS BEHIND AN OPENIDCONNECT FLOW

§ ThescopeoftheOAuth2.0flowshouldbeopenid− Thistellstheproviderthatthegoalistogetanidentitytoken−Additionalscopescanbeaddedalongsideopenid (e.g.email,…)

§ TheendpointsinanOIDCflowarefixed− The/token endpointexchangesanauthorizationcodeforanidentity+accesstoken− The/UserInfo endpointrequiresanaccesstokenandgivesclaimsabouttheuser

§ ClaimsreturnedbyanOIDCserviceusetheJSONWebToken(JWT)format−AstandardizedJSONformatwhichsupportsintegrityvalidationthroughsignatures

SUPPORTING OPENIDCONNECT IN TORII

§ Bydefault,ToriidoesnotcomewithprovidersforOIDC−OnlyOAuth2.0implicitgrant andauthorizationcode flowsaresupported−However,implementingsupportcanbedonewithacustomprovider

§ AnOIDCproviderinToriineedstoperformthefollowingsteps−Runtheauthorizationcode flowwiththeopenid scope−Configurethecorrectproviderandendpointtolaunchthatflow

§ Thebackendwilltakecareofalltheothersteps− Exchangingtheauthorizationcode foranidentitytoken−Requestingadditionaluserinformationfromthe/UserInfo endpoint

WRAPPING THINGS UP

AUTHENTICATION WITH OAUTH 2.0

§WehavecoveredhowtouseOAuth2.0flowsforauthentication− ThereisalotmoretoOAuth2.0,thatwehavenotcovered−WhenyouneedtocontinuouslyaccessAPIs,thingsbecomeevenmoretricky

§ Specificallyforauthentication,takethefollowingintoaccount−Donotusetheimplicitgrant flowunlessthereisabsolutelynowayaroundit−Makesurethebackendimplementsproperchecks(e.g.tokenvalidity,…)

§ AlwaysrememberthatOAuth2.0isadelegationprotocol− Itdoesnotperformauthenticationorauthorization,that’salluptoyou

IMPLEMENTING OAUTH 2.0FLOWS IN EMBER

§ ToriiandESAareawinningcombination− TheyintegratenicelyintoyourEmberapplication− ToriihandlestheOAuth2.0flows,andESAhandlesthesessionmanagement

§ Toriioffersplentyofauthenticatorsoutofthebox− Toriitakescareofsecuritybestpractices(e.g.usingandcheckingthestate parameter)−Makesuretofollowthiswhenyoubuildacustomprovider

§ Rememberthatthefrontendisonlyonepartofthestory− Thebackendisresponsibleforprocessingthetokens/codes−Additionalsecuritychecksshouldbeperformedinthebackendaswell

SECURITY BEST PRACTICES

§Usetheauthorizationcode flow−Byknowyoushouldknowwhy−RunitoverHTTPS,noexcuses

§ Limittheexposureofyouraccesstokens− Forauthentication,throwthemawayafteruse− ForcontinuousAPIaccess,considerencryptingthembeforestoring

§ TakecareofthelittledetailswhenimplementinganOAuth2.0flow−Verifyalldatacomingfromtheclientbeforeusingit− Limitthescopetowhatyouneed

NOW IT’S UP TO YOU …

Secure ShareFollow

https://balinterdi.com/@baaz @PhilippeDeRyck

https://www.websec.bephilippe.deryck@cs.kuleuven.be/in/philippederyck

balint@balinterdi.com/in/balinterdi

with oauth 2.0 in§in-depth understanding of the subtleties of oauth 2.0 −the difference between...

Documents

oauth 2.0 security

understanding oauth 2.0

oauth 2.0 #idit2012

[ms-oapxbc]: oauth 2.0 protocol extensions for …...the...

adwords api & oauth 2.0, advanced

[ms-oapx]: oauth 2.0 protocol extensions · pdf filethe...

securing apis using oauth 2.0

oauth 2.0 - assaf arkin

the oauth 2.0 authorization protocol - cleesh.com · the...

oracle oauth serviceoauth 2.0 authorization server and also...

automated analysis and the subtleties of authentication...

securing apis with oauth 2.0

introducción al protocolo oauth 2.0

cis13: introduction to oauth 2.0

identity...

[ms-oapxbc-diff]: oauth 2.0 protocol extensions …...the...

[ms-xoauth]: oauth 2.0 authorization protocol...

oauth 2.0 refresher (russian)

rfc 6749 - the oauth 2.0 authorization framework...the oauth...

oauth 2.0 simplified