![Page 1: WITH OAUTH 2.0 IN§In-depth understanding of the subtleties of OAuth 2.0 −The difference between the four main OAuth 2.0 flows −Practical advice which flow you should be using,](https://reader035.vdocument.in/reader035/viewer/2022071116/5fffb523b395e5778f113c11/html5/thumbnails/1.jpg)
@baaz / @PhilippeDeRyck
SECURE AUTHENTICATION WITH OAUTH 2.0 IN EMBER
Balint Erdi - Philippe De Ryck
EmberConf 2017
https://balinterdi.com/ @baaz
https://www.websec.be @PhilippeDeRyck
WHO HERE FULLY UNDERSTANDS OAUTH 2.0?
OAUTH 2.0 IS A MESS
ABOUT US – BALINT ERDI
§ Balint is a total Ember enthusiast
− Regularly consults with large companies on building Ember apps
− Numerous screencasts and blog posts about Ember concepts
− Organizes workshops on various Ember topics, including authentication
− Gives another talk here at EmberConf!
− More info on https://balinterdi.com/
§ Author of the popular book Rock and Roll with Ember.js
− Kept up-to-date with the latest evolutions in Ember
− Pinpoints the core concepts and explains them in detail
ABOUT US – PHILIPPE DE RYCK
§ My goal is to help you build secure web applications
− Hosted and customized in-house training
− Specialized security assessments of critical systems
− Threat landscape analysis and prioritization of security efforts
− More information and resources on https://www.websec.be
§ My security expertise is broad, with a focus on Web Security
− PhD in client-side web security
− Main author of the Primer on client-side web security
WE WILL FOCUS ON AUTHENTICATION WITH OAUTH 2.0
§ OAuth 2.0 is a very versatile framework, used for various purposes
− In this workshop, we explicitly limit the scope to authentication
− The advice given here therefore applies to authentication scenarios
§ In the coming hours, we will dive deep into OAuth 2.0
− A couple of lectures explain important concepts and security properties
− The hands-on lab sessions put you in the driver’s seat
§ If you have any questions, don’t wait to ask them!
− During the lab sessions, there should be some time for broader questions as well
WHAT YOU WILL LEARN IN THIS WORKSHOP
§ In-depth understanding of the subtleties of OAuth 2.0
− The difference between the four main OAuth 2.0 flows
− Practical advice on which flow you should be using, and why
− The relation of OpenID Connect with OAuth 2.0 and authentication
§ Hands-on experience with implementing OAuth 2.0 authentication in Ember
− Using a combination of Ember-Simple-Auth and Torii
− A look under the hood of a Torii provider
§ Detailed overview of common threats against OAuth 2.0 flows
− Hands-on experience with investigating the steps in an OAuth 2.0 flow
− Practical attack scenarios and important countermeasures
OAUTH 2.0 AND AUTHENTICATION
WHAT IS OAUTH 2.0 ALL ABOUT?
Delegation
WHAT DELEGATION IS ALL ABOUT …
Participants: accountant, CTO, bank (account X)
1. Accountant → CTO: I want to access account X
2. CTO → Accountant: Sure, here’s my permission
3. Accountant → Bank: I want to access account X
4. Bank → Accountant: Sure, here’s an access card
5. Accountant → Bank: Show me the balance of account X
6. Bank → Accountant: $50
A PRACTICAL EXAMPLE OF DELEGATION
SO WE CAN USE THIS FOR AUTHENTICATION?
No
BUT AUTHENTICATION WITH OAUTH 2.0 SEEMS SIMPLE …
Participants: user, Rock&Roll, Facebook
1. User → Rock&Roll: I want to login with Facebook
2. Rock&Roll → Facebook: Who is this guy?
3. Facebook → Rock&Roll: [email protected]
4. Rock&Roll → User: Welcome “PhilDR”
WHY AUTHENTICATION WITH OAUTH 2.0 IS NOT SIMPLE
§ Authenticating a user is about getting verifiable user information
− But we need to know who we are getting that information for
− The authentication provider probably does not just share anybody’s information
§ Remember that OAuth 2.0 is all about delegation
− The user can delegate access to his information to our application
− We can use that access to fetch user information, and authenticate the user
§ What makes OAuth 2.0 (and authentication) complex is this delegation
− We’re using the entire OAuth 2.0 framework to only delegate a tiny bit of access
− And because we only need a bit, we will also be able to simplify things a bit
IN PRACTICE, IT’S A BIT MORE COMPLICATED …
Participants: user, Rock&Roll, Facebook
1. User → Rock&Roll: I want to login with Facebook
2. Rock&Roll → User: Give me access to your FB user info
3. User → Facebook: I want to give R&R access to my FB user info
4. Facebook → User: OK, here’s a token that grants access
5. User → Rock&Roll: Here’s a token to get my info
6. Rock&Roll → Facebook: Show me the user info
7. Facebook → Rock&Roll: [email protected]
8. Rock&Roll → User: Welcome “PhilDR”
MAKING SENSE OF OAUTH 2.0 FLOWS
§ The OAuth 2.0 spec offers 4 distinct flows, each with their own purpose
− Choosing the right flow is hard
− Terminology can also be fairly confusing
§ Putting OAuth 2.0 roles in context for authentication
− Client: the Rock&Roll application
− User agent: the browser
− Resource owner: the user that owns the account
− Resource server: the server hosting the account information (e.g. Facebook)
− Authorization server: the server that authenticates the client (e.g. Facebook)
FLOW 1: RESOURCE OWNER PASSWORD CREDENTIALS
Participants: User Agent (resource owner), Client, Authorization Server, Resource server
1. User Agent → Client: Login with FB (user: philippe, pass: qwerty12345)
2. Client → Authorization Server: I want access as user philippe with pass …
3. Authorization Server → Client: OK, here’s a token that grants access
4. Client → Resource server: I want to access the user info
5. Resource server → Client: (user info)
6. Client → User Agent: Hello “PhilDR”
FLOW 2: IMPLICIT GRANT
Participants: User Agent (resource owner), Client, Authorization Server, Resource server
1. User Agent → Client: Login with FB
2. Client → User Agent: OK, go to FB please
3. User Agent → Authorization Server: I want to give R&R access
4. Authorization Server → User Agent: Please login
5. User Agent → Authorization Server: Credentials for FB
6. Authorization Server → User Agent: OK, here’s a token
7. User Agent → Client: Here’s the FB token
8. Client → Resource server: I want to access the user info
9. Resource server → Client: (user info)
10. Client → User Agent: Hello “PhilDR”
FLOW 3: AUTHORIZATION CODE
Participants: User Agent (resource owner), Client, Authorization Server, Resource server
1. User Agent → Client: Login with FB
2. Client → User Agent: OK, go to FB please
3. User Agent → Authorization Server: I want to give R&R access
4. Authorization Server → User Agent: Please login
5. User Agent → Authorization Server: Credentials for FB
6. Authorization Server → User Agent: OK, here’s an authorization code
7. User Agent → Client: Here’s the code
8. Client → Authorization Server: Can I have an access token please?
9. Authorization Server → Client: Here you go
10. Client → Resource server: I want to access the user info
11. Resource server → Client: (user info)
12. Client → User Agent: Hello “PhilDR”
FLOW 4: CLIENT CREDENTIALS
Participants: Client, Authorization Server, Resource server
1. Client → Authorization Server: I want access as myself
2. Authorization Server → Client: OK, here’s a token for that
3. Client → Resource server: Access API
4. Resource server → Client: info
MAKING SENSE OF OAUTH 2.0 FLOWS
§ Resource owner password credentials
− Only relevant if the client and the resource owner trust each other 100%
• E.g. when Facebook builds a Facebook client
§ Implicit Grant
− Directly exposes the access token to the frontend application
• Mainly useful for direct API access from within JavaScript
§ Authorization code
− Preferred flow to ensure the security of the access token
• The flow to use when the backend needs to access an API
§ Client credentials
− Useful when the application itself needs access to an API
WHICH FLOW CAN WE USE TO SUPPORT AUTHENTICATION?
§ There is a lot of conflicting advice out there
− Many applications use the resource owner password credentials flow
− Most tutorials recommend the use of the implicit grant flow
§ In this case, the only right answer is the authorization code flow
− This flow offers the strongest security benefits
− It looks more complex than the implicit grant flow, but in practice it is not
§ This workshop will focus on the implicit grant and authorization code flows
− We will show you the differences and security benefits
− The lab sessions cover both implementation and security aspects
SUPPORTING OAUTH 2.0 IN EMBER
AUTHENTICATION IN EMBER
§ Ember Simple Auth (ESA) is a popular authentication library for Ember
− It offers abstractions for authentication and authorization
− It offers session management features to keep track of authentication state
§ To support different authentication strategies, authenticators are used
− The authentication process is delegated to the specified authenticator
§ To support authorization, various mixins are provided
− Add an authorization check to routes
− Add a session token to outgoing requests
− …
EMBER SIMPLE AUTH CODE EXAMPLE
RUNNING OAUTH 2.0 FLOWS WITH TORII
§ Torii is another popular Ember library to integrate authentication
− It mainly focuses on complex OAuth 2.0 flows
− But also offers support for authorization and session management
§ Torii makes powerful abstractions from complex flows
− An OAuth 2.0 provider runs the entire flow in a popup, and simply returns the results
− All the complex configuration is hidden in the provider
§ Torii already supports numerous OAuth 2.0 flows out of the box
− Support for Google, Facebook, Github, …
− Support for both implicit grant and authorization code flows
TORII CODE EXAMPLE
INTEGRATING TORII WITH EMBER SIMPLE AUTH
§ The power of Torii is that it easily integrates with existing applications
− Existing authentication mechanisms can easily call a Torii provider
§ Custom ESA authenticators delegate the flow to a Torii provider
− Torii takes care of running the OAuth 2.0 flow
− ESA takes care of storing the authentication information after a successful flow
− This integrates directly with the already existing authorization mixins
§ This is exactly what you will do in this workshop
BACKEND SUPPORT FOR TORII AND ESA
§ The backend is responsible for processing the OAuth 2.0 results
− This can either be an access token or an authorization code
− With this information, the backend fetches the associated identity information
§ Contacting the backend can easily be done from within the authenticator
− After the OAuth 2.0 flow has completed, the result is sent to the server with AJAX
− The server returns a session token after a successful authentication
− This is the token that ESA stores in localStorage
§ For this workshop, we have already implemented the backend endpoints
AUTHENTICATION WITH OAUTH 2.0 – Lab session
PRACTICAL INFO FOR THE LAB SESSIONS
§ You will be working on the frontend of the Rock&Roll application
− You should have cloned the repo by now
• If not, check your email for instructions, or call one of us in a minute
− We will add authentication with OAuth 2.0 by using Google, Facebook and Github
§ All of the lab sessions are fully documented
− The guides tell you what you need to do, with detailed instructions where necessary
− The repository has branches for each step, so you can always start with a clean slate
§ The backend is running on Heroku, and is shared for everyone
− The relevant source code is included in the guides as code snippets
PRACTICAL INFO FOR THE LAB SESSIONS
Guides for the lab sessions: http://bit.ly/2nEAdRj
Slides: http://bit.ly/2n9NzC5
Slack channel: https://balinterdi.slack.com/, #emberconf17-workshop
WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION
§ Torii and ESA provide a clean set of abstractions for authentication
− Ties in really nicely with existing concepts in your Ember application
− Do separate your session management from the OAuth 2.0 authentication
§ OAuth 2.0 can effectively be used for authentication
− Both the implicit grant and authorization code flows are well supported
− Thanks to Torii, frontend implementation is really limited for both flows
§ The backend also plays an important role in the authentication process
− We have shielded you from the backend, but will take a look at it now
SECURITY IN OAUTH 2.0
OAUTH 2.0 FLOWS ARE ALL ABOUT ACCESS TOKENS
§ In every flow, the client gets an access token to access protected resources
− The access token is a bearer token, so whoever possesses it can use it
§ For authentication, the access token is only needed once
− With the access token, the client can fetch user identity information
− With this information, a new session for the user can be established
− After that, the access token should be discarded, as access is no longer needed
§ During the flows, the access tokens need to be adequately protected as well
− All traffic should happen over a secure HTTPS channel
− Exposure of the access token should be limited
− The integrity of the OAuth 2.0 flow should be ensured
NETWORK ATTACKS ARE EASIER THAN EVER TO EXECUTE
ACCESS TOKENS TRAVEL ACROSS THE NETWORK
Diagram: the implicit grant flow (steps 1–10, as on the Flow 2 slide)
LIMITING THE EXPOSURE OF THE ACCESS TOKEN IS CRUCIAL
ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION
Diagram: the implicit grant flow (steps 1–10, as on the Flow 2 slide)
ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION
Diagram: the authorization code flow (steps 1–12, as on the Flow 3 slide)
LIMITING THE EXPOSURE OF THE ACCESS TOKEN IN THE BACKEND
§ Many backend systems need continuous access to the protected resource
− This requires possession of the access token
− But if these tokens get stolen, the users are in serious trouble
§ For authentication purposes, the access token can be discarded after use
− At that point, the backend has fetched the user’s identity information
− Discarding the token limits the risk of theft in a data breach
§ The risk of theft is even greater with refresh tokens
− These tokens are long-lived and allow a client to get a new access token
− We don’t need those at all, so if you get them, discard them immediately
THE HIDDEN PARTS OF SETTING UP OAUTH 2.0
§ The resource owner needs to grant the client access to the resources
− This requires the registration of a client application with the resource provider
− You need to provide client information, including specific redirect URIs
− During registration, you get a client ID and a client secret
§ The client ID is used to identify the client
− This is non-sensitive information and does not need to be kept secret
§ The client secret is used to authenticate the client
− This is essentially a password, and should be kept confidential
− It can be used in the backend, but should never be shared with the frontend
IDENTIFYING THE CLIENT IN THE IMPLICIT GRANT FLOW
Diagram: the implicit grant flow (steps 1–10, as on the Flow 2 slide), with step 2 annotated: Redirect the browser to Facebook with the client ID
THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION
§ Client identification in the implicit grant flow is difficult
− The flow runs entirely in the browser, which is considered to be untrusted
− The client secret cannot be shared with the browser
§ Most implicit grant flows easily accept fraudulent tokens
− Happens when the application happily accepts tokens that were issued for application A
THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION
Participants: User Agent (resource owner), Bad client, Authorization Server, Resource server; User Agent (attacker), Good client
1. User Agent (resource owner) → Bad client: Login with FB
2. Bad client → User Agent: Go to FB
3. User Agent → Authorization Server: Authorize bad client
4. Authorization Server → User Agent: Please login
5. User Agent → Authorization Server: Credentials for FB
6. Authorization Server → User Agent: OK, here’s a token
7. User Agent → Bad client: FB token
8. Bad client → Resource server: Access API
9. Resource server → Bad client: User info
10. Bad client → User Agent (resource owner): Hello “PhilDR”
11–15. The bad client hands the same token to the attacker’s user agent, which presents it to the good client; the good client accesses the API with it, receives the user info, and greets the attacker as “PhilDR”
THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION
§ To avoid accepting fraudulent tokens, the client must explicitly validate the token before use
§ A similar problem exists if the redirect URI can be tampered with
− This will cause the token to be sent directly to the attacker, allowing reuse
REDIRECT URIS HELP ENSURE THE INTEGRITY OF A FLOW
Diagram: the implicit grant flow (steps 1–10, as on the Flow 2 slide), with two annotations:
− Step 2: Redirect the browser to Facebook, and include the URI to redirect to in step 6
https://accounts.google.com/o/oauth2/auth?client_id=…&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Foauth2callback
− The redirect URI will be propagated along steps 3, 4 and 5
REDIRECT URIS HELP ENSURE THE INTEGRITY OF A FLOW
§ A malicious redirect can result in leaking the access token
− To prevent this, the authorization server needs to verify the validity of the URI
− That’s also why you need to specify the redirect URI up front
§ Open redirects can be abused to steal tokens as well
− An open redirect is a URI within your domain that will trigger a controllable redirect
− This enables stealing the access token
§ Make sure your backend does not have a redirect with a controllable URI
http://example.com/login?src=http://www.example.com/secretCats
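The two checks this slide asks for, as an added example that is not code from the slides or the workshop: an exact-match check of the redirect URI on the authorization server side, and a backend check that turns a `?src=` style parameter into a same-origin path so it cannot become an open redirect. The registered redirect URI is the localhost one shown on the earlier slide; the origin and paths in the test are constructed.

```javascript
// Added example; not code from the slides. Two redirect checks, one per party:
// the authorization server must send the browser only to a redirect URI that
// was registered up front (exact comparison), and the client backend must not
// let a "return to" parameter become an open redirect. Sample values are
// constructed; the registered URI matches the one on the slides.
const REGISTERED_REDIRECT_URIS = ['http://localhost:4200/oauth2callback'];

// Authorization-server side. Both sides go through the URL parser so that
// scheme/host case and dot-segments are normalised the same way, and the
// comparison is on the full serialised URL: no prefix match, no wildcard host,
// no extra query or fragment. Input that does not parse is rejected.
function isRegisteredRedirectUri(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return false;
  }
  return REGISTERED_REDIRECT_URIS.some((uri) => new URL(uri).href === parsed.href);
}

// Client-backend side: given the value of a parameter such as ?src=..., return
// a path on our own origin to send the user to after login. Anything that
// resolves to another origin (absolute URL, scheme-relative //host, or a
// non-http scheme) falls back to the application root.
function safeReturnTarget(src, ownOrigin) {
  if (typeof src !== 'string' || src === '') return '/';
  let target;
  try {
    target = new URL(src, ownOrigin); // relative paths resolve against our origin
  } catch (e) {
    return '/';
  }
  if (target.origin !== ownOrigin) return '/';
  return target.pathname + target.search;
}
```

With the slide's example, `safeReturnTarget('http://www.example.com/secretCats', 'http://example.com')` falls back to `/` because `www.example.com` is a different origin from `example.com`, while a plain path such as `/secretCats` is passed through.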
WHY THE AUTHORIZATION CODE FLOW IS BETTER
§ Bynow,youprobablyrealizethattheimplicitgrant flowisnotverysecure− Thereisnoclientauthentication,onlyidentificationwithapublicidentifier− Itrequiresadditionalefforttoensurethevalidityofthetokens− Tokenspassthroughthebrowser,makingthemmorevulnerabletoexposure
§ Theauthorizationcode flowhandlestheseproblemsalotbetter−Accesstokensareneverseenbythebrowser−ClientauthenticationisdonebytheauthorizationserverusingclientIDandsecret
§ Evenifanauthorizationcodeisstolen,theimpactislimitedtonone− Exchangingastolenauthorizationcodeforanaccesstokenrequirestheclientsecret−Authorizationcodesareone-timeuseonly
IDENTIFYING THE CLIENT IN THE AUTHORIZATION CODE FLOW
[Sequence diagram between the User Agent (resource owner), the Client, the Authorization Server and the Resource server]
1 User Agent → Client: Login with FB
2 Client → User Agent: OK, go to FB please (redirect the browser to Facebook with the client ID)
3 User Agent → Authorization Server: I want to give R&R access
4 Authorization Server → User Agent: Please log in
5 User Agent → Authorization Server: Credentials for FB
6 Authorization Server → User Agent: OK, here's an authorization code
7 User Agent → Client: Here's the code
8 Client → Authorization Server: Can I have an access token please? (exchange the authorization code for an access token using client ID and client secret)
9 Authorization Server → Client: Here you go
10 Client → Resource server: I want to access the user info
11 Resource server → Client: (user info)
12 Client → User Agent: Hello "PhilDR"
THE HIDDEN PARTS OF USING AN OAUTH 2.0 FLOW
§ An OAuth 2.0 flow starts with a redirect to the authorization server
− This first request contains parameters to set the properties of the flow
− We already covered the client ID and redirect URI, but there are more
§ Common parameters to configure the flow
− Response type: what the response should include (code or token)
− Scope: the permissions the client is requesting from the resource owner
− State: a random, unique string to protect against Cross-Site Request Forgery
§ These parameters have been hidden so far, because Torii took care of this
− This becomes extremely relevant if you have to write your own provider someday
SCOPE AND PERMISSIONS
§ The scope parameter allows the client to request specific permissions
− These permissions are shown to the user during authorization of the application
− The list of available permissions is specific to each provider
§ These permissions are associated with the access token
− Access tokens are bearer tokens, so they can be re-used when stolen
− Do not overreach on the scope, and limit the scope to the access you need
− For authentication purposes, access to the email address is generally sufficient
§ Note that the granted permissions can differ from the requested permissions
− Check the granted permissions to see if you have all you need
VIOLATING FLOW INTEGRITY THROUGH CSRF
§ Cross-Site Request Forgery allows an attacker to disrupt the OAuth 2.0 flow
− The attack is to stop the flow in one browser and resume it in another browser
− This results in the successful authentication as a different user
[Sequence diagram with two user agents: the attacker's browser runs steps 1 to 6, the resource owner's browser is made to perform step 7]
1 User Agent (attacker) → Client: Login with FB
2 Client → User Agent (attacker): OK, go to FB please
3 User Agent (attacker) → Authorization Server: Authorize R&R
4 Authorization Server → User Agent (attacker): Please log in
5 User Agent (attacker) → Authorization Server: Credentials
6 Authorization Server → User Agent (attacker): Token
7 User Agent (resource owner) → Client: Here's the FB token (the attacker's token, delivered through the victim's browser)
8 Client → Resource server: I want to access the user info
9 Resource server → Client: (user info)
10 Client → User Agent (resource owner): Hello "Balint"
VIOLATING FLOW INTEGRITY THROUGH CSRF
§ The consequence of this attack is very subtle
− All actions the user performs will be done in the name of the attacker
− E.g. if the application stores sensitive user data, such as search queries, they end up in the attacker's account
− E.g. if the attacker put malicious code in his account, it will be executed by the user
§ The root cause is the separation between initialization and finalization
− The solution is to tie both steps together with the state parameter
LINKING INITIALIZATION AND FINALIZATION WITH STATE
[Sequence diagram: the implicit grant flow between the User Agent (resource owner), the Client, the Authorization Server and the Resource server, with the state parameter added]
1 Login with FB; 2 OK, go to FB please; 3 I want to give R&R access; 4 Please log in; 5 Credentials for FB; 6 OK, here's a token; 7 Here's the FB token; 8 I want to access the user info; 10 Hello "PhilDR"
Annotation at step 2: the client includes a random state parameter in the URI
Annotation: the state parameter is propagated through steps 3, 4, 5, 6 and 7
Annotation at step 7: the client compares the state parameter with the stored value
VIOLATING FLOW INTEGRITY THROUGH CSRF
[Sequence diagram: the CSRF attack replayed with the state parameter in place. Steps 1 to 6 run in the attacker's browser as before; when the attacker's step-7 callback is delivered through the resource owner's browser, the state in step 7 does not match any stored state for that browser's session, and the client rejects it.]
RECAPPING SECURITY BEST PRACTICES
§ Limit the exposure of the access token
− Run all traffic over a secure HTTPS channel
− Choose the authorization code flow over the implicit grant flow
− Remove the access token after use
§ Limit the scope of the access token
§ Ensure the integrity of an OAuth 2.0 flow
− Specify concrete redirect URIs and avoid the presence of open redirects
− Verify the validity of access tokens coming from the client
− Use the state parameter to prevent CSRF attacks (included in Torii's default providers)
SECURING OAUTH 2.0 FLOWS
Lab session
PRACTICAL INFO FOR THE LAB SESSIONS
§ For this lab session, we need a working implementation of OAuth 2.0 flows
− You can continue on your own implementation
− Alternatively, you can check out the facebook-authentication-code branch
§ We are going to investigate the security properties of the different flows
− See what you can do with an access token and authorization code
− We are going to use Burp and Firefox for most of this
− If you run into problems, don't hesitate to call us over!
§ We can use the same shared backend running on Heroku
− The relevant source code is included in the guides as code snippets
PRACTICAL INFO FOR THE LAB SESSIONS
Guides for the lab sessions: http://bit.ly/2nEAdRj
Slides: http://bit.ly/2n9NzC5
Token Inspector: http://bit.ly/2nsybU7
Slack team and channel: https://balinterdi.slack.com/, #emberconf17-workshop
WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION
§ The implicit grant flow is inherently insecure, but often used
− The main reason people advise this flow is because of ease of use
− But we have seen that if you do it right, the required effort is very similar
§ Secure OAuth 2.0 flows are all about the details
− Subtle differences between the implicit grant and authorization code flow
− Setting the scope, redirect URI and state parameters requires knowledge
§ Limiting the exposure of the access token is absolutely crucial
− Do not send it via the browser
− Delete it from the backend after authentication
OAUTH 2.0 AND OPENID CONNECT
AUTHENTICATION WITH OAUTH 2.0 IS MESSY
§ Fetching user information with OAuth 2.0 highly depends on the provider
− Every provider has different endpoints for all kinds of data
− Some providers have custom settings (e.g. the email address on GitHub)
§ Supporting multiple providers is not really easy
− Requires a lot of maintenance, especially when APIs evolve
§ Things become even worse when you need to rely on third-party services
− In this workshop, we had our own independent session management
− This is not always the case, and propagating that info across the backend is difficult
OPENID CONNECT TO THE RESCUE
§ OpenID Connect (OIDC) aims to solve these issues
− A standardized way to exchange identity information between services
− Heavily based on JSON Web Tokens (JWT)
§ OIDC is actually built on top of OAuth 2.0
− OAuth 2.0 is a very flexible and open framework
− OIDC makes very explicit choices, and locks OAuth 2.0 down into a specific scenario
§ OIDC still uses the OAuth 2.0 flows we covered here today
− First, the client uses an authorization code flow to get an authorization code
− Next, the authorization code is exchanged for an identity token (alongside an access token)
FLOW 3: AUTHORIZATION CODE
[Sequence diagram: the authorization code flow from earlier, repeated as a reminder]
1 Login with FB; 2 OK, go to FB please; 3 I want to give R&R access; 4 Please log in; 5 Credentials for FB; 6 OK, here's an authorization code; 7 Here's the code; 8 Can I have an access token please?; 9 Here you go; 10 I want to access the user info (resource server); 11 (user info); 12 Hello "PhilDR"
OPENID CONNECT WITH THE AUTHORIZATION CODE FLOW
[Sequence diagram between the User Agent (resource owner), the Client and the Token endpoint]
1 Login with Google; 2 Go to Google; 3 I want to give R&R access; 4 Please log in; 5 Credentials for Google; 6 OK, here's an authorization code; 7 Here's the code
8 Client → Token endpoint: ID token and access token please?
9 Token endpoint → Client: Here you go
10 Client → User Agent: Hello "PhilDR"
OPENID CONNECT RETURNS AN IDENTITY TOKEN
[Screenshot of an identity token in the debugger at http://jwt.io/]
A JWT IS A BASE64-ENCODED DATA OBJECT
Header:
{"alg": "HS256", "typ": "JWT"}
Payload:
{"iss": "distrinet.cs.kuleuven.be", "exp": 1425078000000, "name": "philippe", "admin": true}
Signature:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "secret")
Encoded token (header.payload.signature):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaXN0cmluZXQuY3Mua3VsZXV2ZW4uYmUiLCJleHAiOjI0MjUwNzgwMDAwMDAsIm5hbWUiOiJwaGlsaXBwZSIsImFkbWluIjp0cnVlfQ.dIi1OguZ7K3ADFnPOsmX2nEpF2Asq89g7GTuyQuN3so
JWT IS AN OPEN STANDARD TO EXCHANGE INFORMATION
§ JWT tokens represent easy-to-exchange data objects
− Content is signed to ensure integrity
− Content is base64url-encoded to ensure safe handling across the web; it is not encrypted, so anyone holding the token can read the claims
§ JWT supports various kinds of algorithms
− E.g. signature with one shared key on the server side, for use within one application
− E.g. signature with a public/private key pair, for use across applications
§ This makes JWT tokens so useful in an OIDC environment
− Identity information is encoded as a JWT token, signed with the provider's private key
− Any party relying on this info can verify the signature with the provider's public key before using the claims
OPENID CONNECT WITH THE AUTHORIZATION CODE FLOW
[Sequence diagram between the User Agent (resource owner), the Client, the Authorization Server and the UserInfo endpoint]
1 Login with Google; 2 Go to Google; 3 I want to give R&R access; 4 Please log in; 5 Credentials for Google; 6 OK, here's an authorization code; 7 Here's the code
8 Client → Authorization Server: ID token and access token please?
9 Authorization Server → Client: Here you go
10 Client → UserInfo endpoint: Moar user info (presenting the access token)
11 UserInfo endpoint → Client: Claims about the user
12 Client → User Agent: Hello "PhilDR"
ADDITIONAL CLAIMS ARE ALSO REPRESENTED AS A JWT
[Screenshot of a UserInfo response. The UserInfo endpoint returns plain JSON by default; it returns a signed JWT when the client is registered to receive signed UserInfo responses.]
OPENID CONNECT WITH THE AUTHORIZATION CODE FLOW
[Sequence diagram: the same OIDC flow as above (1 Login with Google through 12 Hello "PhilDR", with the Authorization Server and the UserInfo endpoint)]
Annotation at step 2: the scope should be openid but can also include others (e.g. openid email)
THE DETAILS BEHIND AN OPENID CONNECT FLOW
§ The scope of the OAuth 2.0 flow should be openid
− This tells the provider that the goal is to get an identity token
− Additional scopes can be added alongside openid (e.g. email, …)
§ The endpoints in an OIDC flow are fixed in their role; their URLs are published by the provider (typically in its discovery document)
− The /token endpoint exchanges an authorization code for an identity token + access token
− The /UserInfo endpoint requires an access token and gives claims about the user
§ Claims returned by an OIDC service use the JSON Web Token (JWT) format
− A standardized JSON format which supports integrity validation through signatures
− The client must verify the signature and check the issuer, audience, expiry and nonce before trusting the identity token
SUPPORTING OPENID CONNECT IN TORII
§ By default, Torii does not come with providers for OIDC
− Only OAuth 2.0 implicit grant and authorization code flows are supported
− However, implementing support can be done with a custom provider
§ An OIDC provider in Torii needs to perform the following steps
− Run the authorization code flow with the openid scope
− Configure the correct provider and endpoint to launch that flow
§ The backend will take care of all the other steps
− Exchanging the authorization code for an identity token
− Requesting additional user information from the /UserInfo endpoint
WRAPPING THINGS UP
AUTHENTICATION WITH OAUTH 2.0
§ We have covered how to use OAuth 2.0 flows for authentication
− There is a lot more to OAuth 2.0 that we have not covered
− When you need to continuously access APIs, things become even more tricky
§ Specifically for authentication, take the following into account
− Do not use the implicit grant flow unless there is absolutely no way around it
− Make sure the backend implements proper checks (e.g. token validity, …)
§ Always remember that OAuth 2.0 is a delegation protocol
− It does not authenticate the user for you, nor decide what the user may do in your application; that's all up to you
IMPLEMENTING OAUTH 2.0 FLOWS IN EMBER
§ Torii and ESA (ember-simple-auth) are a winning combination
− They integrate nicely into your Ember application
− Torii handles the OAuth 2.0 flows, and ESA handles the session management
§ Torii offers plenty of authenticators out of the box
− Torii takes care of security best practices (e.g. using and checking the state parameter)
− Make sure to follow this when you build a custom provider
§ Remember that the frontend is only one part of the story
− The backend is responsible for processing the tokens/codes
− Additional security checks should be performed in the backend as well
SECURITY BEST PRACTICES
§ Use the authorization code flow
− By now you should know why
− Run it over HTTPS, no excuses
§ Limit the exposure of your access tokens
− For authentication, throw them away after use
− For continuous API access, consider encrypting them before storing
§ Take care of the little details when implementing an OAuth 2.0 flow
− Verify all data coming from the client before using it
− Limit the scope to what you need
NOW IT'S UP TO YOU …
Secure, Share, Follow
https://balinterdi.com/ @baaz
@PhilippeDeRyck https://www.websec.be
https://[email protected]/in/philippederyck
[email protected]/in/balinterdi