@baaz / @PhilippeDeRyck
SECURE AUTHENTICATION WITH OAUTH 2.0 IN EMBER
Balint Erdi - Philippe De Ryck
EmberConf 2017
https://balinterdi.com/ @baaz
https://www.websec.be @PhilippeDeRyck

WHO HERE FULLY UNDERSTANDS OAUTH 2.0?

OAUTH 2.0 IS A MESS

ABOUT US – BALINT ERDI
§ Balint is a total Ember enthusiast
  − Regularly consults with large companies on building Ember apps
  − Numerous screencasts and blog posts about Ember concepts
  − Organizes workshops on various Ember topics, including authentication
  − Gives another talk here at EmberConf!
  − More info on https://balinterdi.com/
§ Author of the popular book Rock and Roll with Ember.js
  − Kept up-to-date with the latest evolutions in Ember
  − Pinpoints the core concepts and explains them in detail

ABOUT US – PHILIPPE DE RYCK
§ My goal is to help you build secure web applications
  − Hosted and customized in-house training
  − Specialized security assessments of critical systems
  − Threat landscape analysis and prioritization of security efforts
  − More information and resources on https://www.websec.be
§ My security expertise is broad, with a focus on Web Security
  − PhD in client-side web security
  − Main author of the Primer on client-side web security

WE WILL FOCUS ON AUTHENTICATION WITH OAUTH 2.0
§ OAuth 2.0 is a very versatile framework, used for various purposes
  − In this workshop, we explicitly limit the scope to authentication
  − The advice given here therefore applies to authentication scenarios
§ In the coming hours, we will dive deep into OAuth 2.0
  − A couple of lectures explain important concepts and security properties
  − The hands-on lab sessions put you in the driver’s seat
§ If you have any questions, don’t wait to ask them!
  − During the lab sessions, there should be some time for broader questions as well

WHAT YOU WILL LEARN IN THIS WORKSHOP
§ In-depth understanding of the subtleties of OAuth 2.0
  − The difference between the four main OAuth 2.0 flows
  − Practical advice on which flow you should be using, and why
  − The relation of OpenID Connect with OAuth 2.0 and authentication
§ Hands-on experience with implementing OAuth 2.0 authentication in Ember
  − Using a combination of Ember Simple Auth and Torii
  − A look under the hood of a Torii provider
§ Detailed overview of common threats against OAuth 2.0 flows
  − Hands-on experience with investigating the steps in an OAuth 2.0 flow
  − Practical attack scenarios and important countermeasures

OAUTH 2.0 AND AUTHENTICATION

WHAT IS OAUTH 2.0 ALL ABOUT?
Delegation

WHAT DELEGATION IS ALL ABOUT …
[Sequence diagram between an accountant, a CTO and a bank, about account X]
1. Accountant → CTO: I want to access account X
2. CTO → accountant: Sure, here’s my permission
3. Accountant → bank: I want to access account X
4. Bank → accountant: Sure, here’s an access card
5. Accountant → bank: Show me the balance of account X
6. Bank → accountant: $50

A PRACTICAL EXAMPLE OF DELEGATION

SO WE CAN USE THIS FOR AUTHENTICATION?
No

BUT AUTHENTICATION WITH OAUTH 2.0 SEEMS SIMPLE …
[Sequence diagram between the user, the Rock&Roll application and Facebook]
1. User → Rock&Roll: I want to log in with Facebook
2. Rock&Roll → Facebook: Who is this guy?
3. Facebook → Rock&Roll: [email protected]
4. Rock&Roll → user: Welcome “PhilDR”

WHY AUTHENTICATION WITH OAUTH 2.0 IS NOT SIMPLE
§ Authenticating a user is about getting verifiable user information
  − But we need to know who we are getting that information for
  − The authentication provider probably does not just share anybody’s information
§ Remember that OAuth 2.0 is all about delegation
  − The user can delegate access to his information to our application
  − We can use that access to fetch user information, and authenticate the user
§ What makes OAuth 2.0 (and authentication) complex is this delegation
  − We’re using the entire OAuth 2.0 framework to only delegate a tiny bit of access
  − And because we only need a bit, we will also be able to simplify things a bit

IN PRACTICE, IT’S A BIT MORE COMPLICATED …
[Sequence diagram between the user, the Rock&Roll application and Facebook]
1. User → Rock&Roll: I want to log in with Facebook
2. Rock&Roll → user: Give me access to your FB user info
3. User → Facebook: I want to give R&R access to my FB user info
4. Facebook → user: OK, here’s a token that grants access
5. User → Rock&Roll: Here’s a token to get my info
6. Rock&Roll → Facebook: Show me the user info
7. Facebook → Rock&Roll: [email protected]
8. Rock&Roll → user: Welcome “PhilDR”

MAKING SENSE OF OAUTH 2.0 FLOWS
§ The OAuth 2.0 spec offers 4 distinct flows, each with their own purpose
  − Choosing the right flow is hard
  − Terminology can also be fairly confusing
§ Putting OAuth 2.0 roles in context for authentication
  − Client: the Rock&Roll application
  − User agent: the browser
  − Resource owner: the user that owns the account
  − Resource server: the server hosting the account information (e.g. Facebook)
  − Authorization server: the server that authenticates the client (e.g. Facebook)

FLOW 1: RESOURCE OWNER PASSWORD CREDENTIALS
[Sequence diagram: User Agent (resource owner), Client, Authorization Server, Resource server]
1. User Agent → Client: Login with FB (user: philippe, pass: qwerty12345)
2. Client → Authorization Server: I want access as user philippe with pass …
3. Authorization Server → Client: OK, here’s a token that grants access
4. Client → Resource server: I want to access the user info
6. Client → User Agent: Hello “PhilDR”
(step 5, the resource server’s reply, is not legible in the extracted slide)

FLOW 2: IMPLICIT GRANT
[Sequence diagram: User Agent (resource owner), Client, Authorization Server, Resource server]
1. User Agent → Client: Login with FB
2. Client → User Agent: OK, go to FB please
3. User Agent → Authorization Server: I want to give R&R access
4. Authorization Server → User Agent: Please login
5. User Agent → Authorization Server: Credentials for FB
6. Authorization Server → User Agent: OK, here’s a token
7. User Agent → Client: Here’s the FB token
8. Client → Resource server: I want to access the user info
10. Client → User Agent: Hello “PhilDR”
(step 9, the resource server’s reply, is not legible in the extracted slide)

FLOW 3: AUTHORIZATION CODE
[Sequence diagram: User Agent (resource owner), Client, Authorization Server, Resource server]
1. User Agent → Client: Login with FB
2. Client → User Agent: OK, go to FB please
3. User Agent → Authorization Server: I want to give R&R access
4. Authorization Server → User Agent: Please login
5. User Agent → Authorization Server: Credentials for FB
6. Authorization Server → User Agent: OK, here’s an authorization code
7. User Agent → Client: Here’s the code
8. Client → Authorization Server: Can I have an access token please?
9. Authorization Server → Client: Here you go
10. Client → Resource server: I want to access the user info
12. Client → User Agent: Hello “PhilDR”
(step 11, the resource server’s reply, is not legible in the extracted slide)

FLOW 4: CLIENT CREDENTIALS
[Sequence diagram: Client, Authorization Server, Resource server]
1. Client → Authorization Server: I want access as myself
2. Authorization Server → Client: OK, here’s a token for that
3. Client → Resource server: Access API
4. Resource server → Client: info

MAKING SENSE OF OAUTH 2.0 FLOWS
§ Resource owner password credentials
  − Only relevant if the client and the resource owner trust each other 100%
    • E.g. when Facebook builds a Facebook client
§ Implicit Grant
  − Directly exposes the access token to the frontend application
    • Mainly useful for direct API access from within JavaScript
§ Authorization code
  − Preferred flow to ensure the security of the access token
    • The flow to use for when the backend needs to access an API
§ Client credentials
  − Useful for when the application needs access to an API

WHICH FLOW CAN WE USE TO SUPPORT AUTHENTICATION?
§ There is a lot of conflicting advice out there
  − Many applications use the resource owner password credentials flow
  − Most tutorials recommend the use of the implicit grant flow
§ In this case, the only right answer is the authorization code flow
  − This flow offers the strongest security benefits
  − It looks more complex than the implicit grant flow, but in practice it is not
§ This workshop will focus on the implicit grant and authorization code flow
  − We will show you the differences and security benefits
  − The lab sessions cover both implementation and security aspects

SUPPORTING OAUTH 2.0 IN EMBER

AUTHENTICATION IN EMBER
§ Ember Simple Auth (ESA) is a popular authentication library for Ember
  − It offers abstractions for authentication and authorization
  − It offers session management features to keep track of authentication state
§ To support different authentication strategies, authenticators are used
  − The authentication process is delegated to the specified authenticator
§ To support authorization, various mixins are provided
  − Add an authorization check to routes
  − Add a session token to outgoing requests
  − …

EMBER SIMPLE AUTH CODE EXAMPLE

RUNNING OAUTH 2.0 FLOWS WITH TORII
§ Torii is another popular Ember library to integrate authentication
  − It mainly focuses on complex OAuth 2.0 flows
  − But also offers support for authorization and session management
§ Torii makes powerful abstractions from complex flows
  − An OAuth 2.0 provider runs the entire flow in a popup, and simply returns the results
  − All the complex configuration is hidden in the provider
§ Torii already supports numerous OAuth 2.0 flows out of the box
  − Support for Google, Facebook, Github, …
  − Support for both implicit grant and authorization code flows

TORII CODE EXAMPLE

INTEGRATING TORII WITH EMBER SIMPLE AUTH
§ The power of Torii is that it easily integrates with existing applications
  − Existing authentication mechanisms can easily call a Torii provider
§ Custom ESA authenticators delegate the flow to a Torii provider
  − Torii takes care of running the OAuth 2.0 flow
  − ESA takes care of storing the authentication information after a successful flow
  − This integrates directly with the already existing authorization mixins
§ This is exactly what you will do in this workshop

BACKEND SUPPORT FOR TORII AND ESA
§ The backend is responsible for processing the OAuth 2.0 results
  − This can either be an access token or an authorization code
  − With this information, the backend fetches associated identity information
§ Contacting the backend can easily be done from within the authenticator
  − After the OAuth 2.0 flow has completed, the result is sent to the server with AJAX
  − The server returns a session token after a successful authentication
  − This is the token that ESA stores in localStorage
§ For this workshop, we have already implemented the backend endpoints

AUTHENTICATION WITH OAUTH 2.0
Lab session

PRACTICAL INFO FOR THE LAB SESSIONS
§ You will be working on the frontend of the Rock&Roll application
  − You should have cloned the repo by now
    • If not, check your email for instructions, or call one of us in a minute
  − We will add authentication with OAuth 2.0 by using Google, Facebook and Github
§ All of the lab sessions are fully documented
  − The guides tell you what you need to do, with detailed instructions if necessary
  − The repository has branches for each step, so you can always start with a clean slate
§ The backend is running on Heroku, and is shared for everyone
  − The relevant source code is included in the guides as code snippets

PRACTICAL INFO FOR THE LAB SESSIONS
Guides for the lab sessions: http://bit.ly/2nEAdRj
Slides: http://bit.ly/2n9NzC5
Slack channel: https://balinterdi.slack.com/, #emberconf17-workshop

WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION
§ Torii and ESA provide a clean set of abstractions for authentication
  − Ties in real nice with existing concepts in your Ember application
  − Do separate your session management from the OAuth 2.0 authentication
§ OAuth 2.0 can effectively be used for authentication
  − Both the implicit grant and authorization code flows are well supported
  − Thanks to Torii, frontend implementation is really limited for both flows
§ The backend also plays an important role in the authentication process
  − We have shielded you from the backend, but will take a look at it now

SECURITY IN OAUTH 2.0

OAUTH 2.0 FLOWS ARE ALL ABOUT ACCESS TOKENS
§ In every flow, the client gets an access token to access protected resources
  − The access token is a bearer token, so whoever possesses it can use it
§ For authentication, the access token is only needed once
  − With the access token, the client can fetch user identity information
  − With this information, a new session for the user can be established
  − After that, the access token should be discarded, as access is no longer needed
§ During the flows, the access tokens need to be adequately protected as well
  − All traffic should happen over a secure HTTPS channel
  − Exposure of the access token should be limited
  − The integrity of the OAuth 2.0 flow should be ensured

NETWORK ATTACKS ARE EASIER THAN EVER TO EXECUTE

ACCESS TOKENS TRAVEL ACROSS THE NETWORK
[Diagram: the implicit grant flow of Flow 2 (steps 1-10), showing the network hops over which the access token travels]

LIMITING THE EXPOSURE OF THE ACCESS TOKEN IS CRUCIAL

ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION
[Diagram: the implicit grant flow of Flow 2 (steps 1-10), showing which components handle the access token]

ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION
[Diagram: the authorization code flow of Flow 3 (steps 1-12), showing which components handle the access token]

LIMITING THE EXPOSURE OF THE ACCESS TOKEN IN THE BACKEND
§ Many backend systems need continuous access to the protected resource
  − This requires possession of the access token
  − But if these tokens get stolen, the users are in serious trouble
§ For authentication purposes, the access token can be discarded after use
  − At that point, the backend has fetched the user’s identity information
  − Discarding the token limits the risk of theft in a data breach
§ The risk of theft is even greater with refresh tokens
  − These tokens are long lived and allow a client to get a new access token
  − We don’t need those at all, so if you get them, discard them immediately

THE HIDDEN PARTS OF SETTING UP OAUTH 2.0
§ The resource owner needs to grant the client access to the resources
  − This requires the registration of a client application with the resource provider
  − You need to provide client information, including specific redirect URIs
  − During registration, you get a client ID and a client secret
§ The client ID is used to identify the client
  − This is non-sensitive information and does not need to be kept secret
§ The client secret is used to authenticate the client
  − This is essentially a password, and should be kept confidential
  − It can be used in the backend, but should never be shared with the frontend

IDENTIFYING THE CLIENT IN THE IMPLICIT GRANT FLOW
[Diagram: the implicit grant flow of Flow 2 (steps 1-10), annotated at step 2: redirect the browser to Facebook with the client ID]

THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION
[Diagram: a resource owner authorizes a bad client, and the token that bad client obtained is then presented to a good client]
1. User Agent (resource owner) → Bad client: Login with FB
2. Bad client → User Agent: Go to FB
3. User Agent → Authorization Server: Authorize bad client
4. Authorization Server → User Agent: Please login
5. User Agent → Authorization Server: Credentials for FB
6. Authorization Server → User Agent: OK, here’s a token
7. User Agent → Bad client: FB token
8. Bad client → Resource server: Access API
9. Resource server → Bad client: User info
10. Bad client → User Agent: Hello “PhilDR”
11-15. User Agent (attacker) → Good client: Token; the Good client calls the Resource server (Access API), receives the User info, and greets the attacker with Hello “PhilDR”

THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION
§ Client identification in the implicit grant flow is difficult
  − The flow runs entirely in the browser, which is considered to be untrusted
  − The client secret cannot be shared with the browser
§ Most implicit grant flows easily accept fraudulent tokens
  − Happens when the application happily accepts tokens that are issued for application A
  − To avoid this, the client must explicitly validate the token before use
§ A similar problem exists if the redirect URI can be tampered with
  − This will cause the token to be sent directly to the attacker, allowing reuse

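The following is an added example of the backend-side token validation the slide asks for; it is not code from the workshop or from Torii/ESA. It assumes the backend has already asked the provider to describe the token (a token-info or introspection call) and received a JSON object with an audience (aud), an expiry (exp, seconds since the epoch) and the granted scope; the field names, the client ID and the sample responses are all constructed, so map a real provider's response onto this shape first. It also performs the granted-scope check the deck recommends later under scope and permissions.

```javascript
// Added example (not from the workshop slides): backend-side validation of an
// access token that the browser hands over after an implicit grant flow.
// Assumption: the backend has already sent the token to the provider's token
// introspection / tokeninfo endpoint and received a JSON description of it.
// The field names used here (aud, exp, scope) are assumed; real providers
// differ, so map their response onto this shape first.

const OUR_CLIENT_ID = 'rockandroll-web';          // constructed client ID
const REQUIRED_SCOPES = ['email'];                 // what authentication needs

// Returns { ok: true } when the token may be used, or { ok: false, reason }.
function validateTokenInfo(info, expectedClientId, requiredScopes, nowSeconds) {
  if (!info || typeof info !== 'object') {
    return { ok: false, reason: 'no token info' };
  }
  // 1. Audience: the token must have been issued to *our* client. Accepting a
  //    token issued to application A lets a bad client log in as its users.
  if (info.aud !== expectedClientId) {
    return { ok: false, reason: 'token issued for another client' };
  }
  // 2. Expiry: exp is assumed to be seconds since the epoch.
  if (typeof info.exp !== 'number' || info.exp <= nowSeconds) {
    return { ok: false, reason: 'token expired' };
  }
  // 3. Granted scope: the provider may grant less than requested, so check
  //    that the permissions we actually need are present.
  const granted = new Set(String(info.scope || '').split(' ').filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) {
    return { ok: false, reason: 'missing scope: ' + missing.join(' ') };
  }
  return { ok: true };
}

// Constructed sample responses, as a provider might describe four tokens.
const NOW = 1500000000;
const SAMPLES = {
  good:        { aud: 'rockandroll-web', exp: NOW + 3600, scope: 'openid email' },
  otherClient: { aud: 'some-other-app',  exp: NOW + 3600, scope: 'openid email' },
  noEmail:     { aud: 'rockandroll-web', exp: NOW + 3600, scope: 'openid' },
  expired:     { aud: 'rockandroll-web', exp: NOW - 1,    scope: 'openid email' },
};

// Runs every sample through the validator and returns the verdicts by name.
function checkSamples() {
  const results = {};
  for (const [name, info] of Object.entries(SAMPLES)) {
    results[name] = validateTokenInfo(info, OUR_CLIENT_ID, REQUIRED_SCOPES, NOW);
  }
  return results;
}

console.log(checkSamples());
```

Only the `good` sample passes; the token issued to `some-other-app` is exactly the "token issued for application A" case from the diagram, and it is rejected before any user info is fetched with it.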
REDIRECT URIS HELP ENSURE THE INTEGRITY OF A FLOW
[Diagram: the implicit grant flow of Flow 2 (steps 1-10), annotated at step 2: redirect the browser to Facebook, and include the URI to redirect to in step 6]
https://accounts.google.com/o/oauth2/auth?client_id=…&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Foauth2callback
The redirect URI will be propagated along steps 3, 4 and 5

REDIRECT URIS HELP ENSURE THE INTEGRITY OF A FLOW
§ A malicious redirect can result in leaking the access token
  − To prevent this, the authorization server needs to verify the validity of the URI
  − That’s also why you need to specify the redirect URI up front
§ Open redirects can be abused to steal tokens as well
  − An open redirect is a URI within your domain that will trigger a controllable redirect
  − This will enable the stealing of the access token
§ Make sure your backend does not have a redirect with a controllable URI
http://example.com/login?src=http://www.example.com/secretCats

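As an added example (not the workshop's code), the two redirect checks this slide calls for, written for Node: the authorization server's exact-match check of redirect_uri against the URIs registered for the client, and the client backend's guard that a post-login src parameter like the one in the URL above can only send the browser to a same-origin path. The registered URI, client ID, origin and sample inputs are constructed.

```javascript
// Added example (not from the workshop slides) of the two redirect checks the
// slides call for: the authorization server's check of redirect_uri against
// the URIs registered for the client, and the client backend's check that a
// post-login "src" parameter cannot send the browser to another origin.
// Client IDs, registered URIs and the sample inputs are constructed.

// Registered redirect URIs, as they would be stored at client registration.
const REGISTERED_REDIRECT_URIS = {
  'rockandroll-web': ['http://localhost:4200/oauth2callback'],
};

// Authorization-server side: accept only an exact, byte-for-byte match.
// Prefix or pattern matching is what lets a crafted redirect_uri point the
// token delivery at a page under someone else's control.
function isRegisteredRedirectUri(clientId, redirectUri) {
  const registered = REGISTERED_REDIRECT_URIS[clientId] || [];
  return registered.includes(redirectUri);
}

// Client-backend side: a login page that redirects to ?src=... after login
// must not become an open redirect. Resolve src against our own origin and
// only keep same-origin targets; return the path to redirect to, or null.
function safeLocalRedirect(src, ourOrigin) {
  if (typeof src !== 'string' || src.length === 0) return null;
  let target;
  try {
    target = new URL(src, ourOrigin);      // relative paths resolve to our origin
  } catch (e) {
    return null;                           // unparsable input: do not redirect
  }
  if (target.origin !== new URL(ourOrigin).origin) return null;
  // Re-emit only path and query, so whatever host/scheme came in is dropped.
  return target.pathname + target.search;
}

const OUR_ORIGIN = 'http://example.com';

// Constructed sample inputs for both checks.
function runSamples() {
  return {
    exactUri: isRegisteredRedirectUri('rockandroll-web', 'http://localhost:4200/oauth2callback'),
    extraPath: isRegisteredRedirectUri('rockandroll-web', 'http://localhost:4200/oauth2callback/../evil'),
    otherHost: isRegisteredRedirectUri('rockandroll-web', 'http://localhost:4200.evil.test/oauth2callback'),
    unknownClient: isRegisteredRedirectUri('nobody', 'http://localhost:4200/oauth2callback'),
    localPath: safeLocalRedirect('/secretCats?page=2', OUR_ORIGIN),
    sameOriginAbsolute: safeLocalRedirect('http://example.com/secretCats', OUR_ORIGIN),
    otherOrigin: safeLocalRedirect('http://www.example.com/secretCats', OUR_ORIGIN),
    schemeRelative: safeLocalRedirect('//www.example.com/secretCats', OUR_ORIGIN),
    javascriptUrl: safeLocalRedirect('javascript:alert(1)', OUR_ORIGIN),
  };
}

console.log(runSamples());
```

Note that with this guard the slide's own URL (src pointing at www.example.com while the app lives on example.com) is refused, because the two are different origins; if a sibling host is legitimately yours, add it to an explicit allowlist rather than loosening the origin comparison.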
WHY THE AUTHORIZATION CODE FLOW IS BETTER
§ By now, you probably realize that the implicit grant flow is not very secure
  − There is no client authentication, only identification with a public identifier
  − It requires additional effort to ensure the validity of the tokens
  − Tokens pass through the browser, making them more vulnerable to exposure
§ The authorization code flow handles these problems a lot better
  − Access tokens are never seen by the browser
  − Client authentication is done by the authorization server using client ID and secret
§ Even if an authorization code is stolen, the impact is limited to none
  − Exchanging a stolen authorization code for an access token requires the client secret
  − Authorization codes are one-time use only

IDENTIFYING THE CLIENT IN THE AUTHORIZATION CODE FLOW
[Diagram: the authorization code flow of Flow 3 (steps 1-12), annotated at step 2: redirect the browser to Facebook with the client ID; and at step 8: exchange the authorization code for an access token using client ID and client secret]

THE HIDDEN PARTS OF USING AN OAUTH 2.0 FLOW
§ An OAuth 2.0 flow starts with a redirect to the authorization server
  − This first request contains parameters to set the properties of the flow
  − We already covered the client ID and redirect URI, but there are more
§ Common parameters to configure the flow
  − Response type: what the response should include (code or token)
  − Scope: the permissions the client is requesting from the resource owner
  − State: a random, unique string to protect against Cross-Site Request Forgery
§ These parameters have been hidden so far, because Torii took care of this
  − This becomes extremely relevant if you have to write your own provider some day

SCOPE AND PERMISSIONS
§ The scope parameter allows the client to request specific permissions
  − These permissions are shown to the user during authorization of the application
  − The list of available permissions is specific to each provider
§ These permissions are associated with the access token
  − Access tokens are bearer tokens, so they can be re-used when stolen
  − Do not overreach on the scope, and limit the scope to the access you need
  − For authentication purposes, access to the email address is generally sufficient
§ Note that the granted permissions can differ from the requested permissions
  − Check the granted permissions to see if you have all you need

VIOLATING FLOW INTEGRITY THROUGH CSRF
§ Cross-Site Request Forgery allows an attacker to disrupt the OAuth 2.0 flow
  − The attack is to stop the flow in one browser and resume it in the other browser
  − This results in the successful authentication as a different user

VIOLATING FLOW INTEGRITY THROUGH CSRF
[Diagram: the attacker starts the implicit grant flow in his own browser, and the resource owner’s browser finishes it]
1. User Agent (attacker) → Client: Login with FB
2. Client → User Agent (attacker): OK, go to FB please
3. User Agent (attacker) → Authorization Server: Authorize R&R
4. Authorization Server → User Agent (attacker): Please login
5. User Agent (attacker) → Authorization Server: Credentials
6. Authorization Server → User Agent (attacker): Token
7. User Agent (resource owner) → Client: Here’s the FB token
8. Client → Resource server: I want to access the user info
10. Client → User Agent (resource owner): Hello “Balint”
(step 9, the resource server’s reply, is not legible in the extracted slide)

VIOLATING FLOW INTEGRITY THROUGH CSRF
§ The consequence of this attack is very subtle
  − All actions the user performs will be done in the name of the attacker
  − E.g. if the application stores sensitive user data, such as search queries
  − E.g. if the attacker put malicious code in his account, it will be executed by the user
§ The root cause is the separation between initialization and finalization
  − The solution is to tie both steps together with the state parameter

LINKING INITIALIZATION AND FINALIZATION WITH STATE
[Diagram: the implicit grant flow of Flow 2 (steps 1-10), annotated at step 2: the client includes a random state parameter in the URI; the state parameter is propagated through steps 3, 4, 5, 6 and 7; at step 7: the client compares the state parameter with the stored value]

VIOLATING FLOW INTEGRITY THROUGH CSRF
[Diagram: the CSRF scenario above with the state parameter in place; the state in step 7 does not match any stored state]

RECAPPING SECURITY BEST PRACTICES
§ Limit the exposure of the access token
  − Run all traffic over a secure HTTPS channel
  − Choose the authorization code flow over the implicit grant flow
  − Remove the access token after use
§ Limit the scope of the access token
§ Ensure the integrity of an OAuth 2.0 flow
  − Specify concrete redirect URIs and avoid the presence of open redirects
  − Verify the validity of access tokens coming from the client
  − Use the state parameter to prevent CSRF attacks (included in Torii’s default providers)

SECURING OAUTH 2.0 FLOWS
Lab session

PRACTICAL INFO FOR THE LAB SESSIONS
§ For this lab session, we need a working implementation of OAuth 2.0 flows
  − You can continue on your own implementation
  − Alternatively, you can check out the facebook-authentication-code branch
§ We are going to investigate the security properties of the different flows
  − See what you can do with an access token and authorization code
  − We are going to use Burp and Firefox for most of this
  − If you run into problems, don’t hesitate to call us over!
§ We can use the same shared backend running on Heroku
  − The relevant source code is included in the guides as code snippets

PRACTICAL INFO FOR THE LAB SESSIONS
Guides for the lab sessions: http://bit.ly/2nEAdRj
Slides: http://bit.ly/2n9NzC5
Token Inspector: http://bit.ly/2nsybU7
Slack team and channel: https://balinterdi.slack.com/, #emberconf17-workshop

WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION
§ The implicit grant flow is inherently insecure, but often used
  − The main reason people advise this flow is because of ease-of-use
  − But we have seen that if you do it right, the required effort is very similar
§ Secure OAuth 2.0 flows are all about the details
  − Subtle differences between the implicit grant and authorization code flow
  − Setting the scope, redirect URI and state parameters requires knowledge
§ Limiting the exposure of the access token is absolutely crucial
  − Do not send it via the browser
  − Delete it from the backend after authentication

OAUTH 2.0 AND OPENID CONNECT

AUTHENTICATION WITH OAUTH 2.0 IS MESSY
§ Fetching user information with OAuth 2.0 highly depends on the provider
  − Every provider has different endpoints for all kinds of data
  − Some providers have custom settings (e.g. the email address on Github)
§ Supporting multiple providers is not really easy
  − Requires a lot of maintenance, especially when APIs evolve
§ Things become even worse when you need to rely on third party services
  − In this workshop, we had our own independent session management
  − This is not always the case, and propagating that info across the backend is difficult

OPENID CONNECT TO THE RESCUE
§ OpenID Connect (OIDC) aims to solve these issues
  − A standardized way to exchange identity information between services
  − Heavily based on JSON Web Tokens (JWT)
§ OIDC is actually built on top of OAuth 2.0
  − OAuth 2.0 is a very flexible and open framework
  − OIDC makes very explicit choices, and locks OAuth 2.0 down into a specific scenario
§ OIDC still uses the OAuth 2.0 flows we covered here today
  − First, the client uses an authorization code flow to get an authorization code
  − Next, the authorization code is exchanged for an identity token

FLOW 3: AUTHORIZATION CODE
[Diagram: the authorization code flow of Flow 3 (steps 1-12), repeated for comparison with the OpenID Connect flow]

OPENID CONNECT WITH THE AUTHORIZATION CODE FLOW
[Sequence diagram: User Agent (resource owner), Client, Google, Token endpoint]
1. User Agent → Client: Login with Google
2. Client → User Agent: Go to Google
3. User Agent → Google: I want to give R&R access
4. Google → User Agent: Please login
5. User Agent → Google: Credentials for Google
6. Google → User Agent: OK, here’s an authorization code
7. User Agent → Client: Here’s the code
8. Client → Token endpoint: Id token and access token please?
9. Token endpoint → Client: Here you go
10. Client → User Agent: Hello “PhilDR”

OPENID CONNECT RETURNS AN IDENTITY TOKEN
http://jwt.io/

A JWT IS A BASE64-ENCODED DATA OBJECT
Header: {"alg": "HS256", "typ": "JWT"}
Payload: {"iss": "distrinet.cs.kuleuven.be", "exp": 1425078000000, "name": "philippe", "admin": true}
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "secret")
Encoded token (header.payload.signature):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaXN0cmluZXQuY3Mua3VsZXV2ZW4uYmUiLCJleHAiOjI0MjUwNzgwMDAwMDAsIm5hbWUiOiJwaGlsaXBwZSIsImFkbWluIjp0cnVlfQ.dIi1OguZ7K3ADFnPOsmX2nEpF2Asq89g7GTuyQuN3so

JWT IS AN OPEN STANDARD TO EXCHANGE INFORMATION
§ JWT tokens represent easy-to-exchange data objects
  − Content is signed to ensure integrity
  − Content is base64-encoded, to ensure safe handling across the web
§ JWT supports various kinds of algorithms
  − E.g. signature with one shared key on the server-side, for use within one application
  − E.g. signature with a public/private key pair, for use across applications
§ This makes JWT tokens so useful in an OIDC environment
  − Identity information is encoded as a JWT token, signed with a private key
  − Any party relying on this info can verify the signature before using the claims

OPENID CONNECT WITH THE AUTHORIZATION CODE FLOW
[Sequence diagram: User Agent (resource owner), Client, Authorization Server, UserInfo endpoint]
1. User Agent → Client: Login with Google
2. Client → User Agent: Go to Google
3. User Agent → Authorization Server: I want to give R&R access
4. Authorization Server → User Agent: Please login
5. User Agent → Authorization Server: Credentials for Google
6. Authorization Server → User Agent: OK, here’s an authorization code
7. User Agent → Client: Here’s the code
8. Client → Authorization Server: Id token and access token please?
9. Authorization Server → Client: Here you go
10. Client → UserInfo endpoint: Moar user info
11. UserInfo endpoint → Client: Claims about the user
12. Client → User Agent: Hello “PhilDR”
Annotation at step 2: scope should be openid but can also include others (e.g. openid email)

ADDITIONAL CLAIMS ARE ALSO REPRESENTED AS A JWT

THE DETAILS BEHIND AN OPENID CONNECT FLOW
§ The scope of the OAuth 2.0 flow should be openid
  − This tells the provider that the goal is to get an identity token
  − Additional scopes can be added alongside openid (e.g. email, …)
§ The endpoints in an OIDC flow are fixed
  − The /token endpoint exchanges an authorization code for an identity + access token
  − The /UserInfo endpoint requires an access token and gives claims about the user
§ Claims returned by an OIDC service use the JSON Web Token (JWT) format
  − A standardized JSON format which supports integrity validation through signatures

SUPPORTING OPENID CONNECT IN TORII
§ By default, Torii does not come with providers for OIDC
  − Only OAuth 2.0 implicit grant and authorization code flows are supported
  − However, implementing support can be done with a custom provider
§ An OIDC provider in Torii needs to perform the following steps
  − Run the authorization code flow with the openid scope
  − Configure the correct provider and endpoint to launch that flow
§ The backend will take care of all the other steps
  − Exchanging the authorization code for an identity token
  − Requesting additional user information from the /UserInfo endpoint

WRAPPING THINGS UP

AUTHENTICATION WITH OAUTH 2.0
§ We have covered how to use OAuth 2.0 flows for authentication
  − There is a lot more to OAuth 2.0 that we have not covered
  − When you need to continuously access APIs, things become even more tricky
§ Specifically for authentication, take the following into account
  − Do not use the implicit grant flow unless there is absolutely no way around it
  − Make sure the backend implements proper checks (e.g. token validity, …)
§ Always remember that OAuth 2.0 is a delegation protocol
  − It does not perform authentication or authorization, that’s all up to you

IMPLEMENTING OAUTH 2.0 FLOWS IN EMBER
§ Torii and ESA are a winning combination
  − They integrate nicely into your Ember application
  − Torii handles the OAuth 2.0 flows, and ESA handles the session management
§ Torii offers plenty of authenticators out of the box
  − Torii takes care of security best practices (e.g. using and checking the state parameter)
  − Make sure to follow this when you build a custom provider
§ Remember that the frontend is only one part of the story
  − The backend is responsible for processing the tokens/codes
  − Additional security checks should be performed in the backend as well

SECURITY BEST PRACTICES
§ Use the authorization code flow
  − By now you should know why
  − Run it over HTTPS, no excuses
§ Limit the exposure of your access tokens
  − For authentication, throw them away after use
  − For continuous API access, consider encrypting them before storing
§ Take care of the little details when implementing an OAuth 2.0 flow
  − Verify all data coming from the client before using it
  − Limit the scope to what you need

NOW IT’S UP TO YOU …
Secure – Share – Follow
https://balinterdi.com/ @baaz @PhilippeDeRyck
https://[email protected]/in/philippederyck
[email protected]/in/balinterdi