Intro to OAuth - IETF 110

My presentation at the SAAG meeting at IETF 110

Aaron Parecki

March 11, 2021

Transcript

  1. RFC6749 RFC6750 CLIENT TYPE AUTH METHOD GRANT TYPE RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 RFC8252 OIDC RFC8414 STATE PARAM TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN BINDING POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN EXCHANGE DPOP

  2. The Password Anti-Pattern • How do you revoke this app’s access? • Do you trust the app to not store your password? • Do you trust the app to access only the things it says it needs? • Do you trust the app to not do things like change your password or delete your account?

  3. Goal of the Client: Get an access token. Use the access token to make API requests.

  4. OAuth Flows: Authorization Code, Device Flow, Client Credentials, Implicit, Password (use cases pictured: web, mobile, SPA, browserless devices, server-to-server, CLI)

  5. ROLES IN OAUTH: OAuth Server (Authorization Server), aka the token factory; API (Resource Server); The Application (Client); The User (Resource Owner); Device (User Agent)

  6. ROLES IN OAUTH, example: OAuth Server (Authorization Server), aka the token factory; API (Resource Server); The Application (Client); The User (Resource Owner); Device (User Agent). Pictured: Travis-CI.org, GitHub

  7. ROLES IN OAUTH, example: OAuth Server (Authorization Server), aka the token factory; API (Resource Server); The Application (Client); The User (Resource Owner); Device (User Agent). Pictured: iPhone App, Okta, Your API

  8. Front Channel: passing data via the browser's address bar (https://accounts.google.com/?...). The user, or malicious software, can modify the requests and responses. Back Channel: HTTPS request sent from client to server, so requests cannot be tampered with.

  9. Participants: User Agent, App, OAuth Server, API.
    User: I’d like to use this great app
    App: Hang on while I generate a temporary secret and hash it
    App: Please go to the authorization server to grant me access, take this hash with you
    User: I’d like to log in to this app, here's the hash it gave me
    AS: Here is a temporary code the app can use
    User: Here is the temporary code, please use this to get a token
    App: Here's the code, and the temporary secret, please give me a token
    AS: Let me verify the hash of that secret... ok here is an access token!
    App: Please let me access this user’s data with this access token!

  10. PKCE ensures the app that receives the access token is the same one that started the exchange.
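The exchange narrated on slides 9 and 10, as an added example that is not part of the deck: the app's "temporary secret" is the PKCE code_verifier, the "hash" is the S256 code_challenge from RFC 7636, and the AuthorizationServer class and run_flow helper are hypothetical stand-ins for the real endpoints.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """The app's temporary secret: 32 random bytes -> 43-char code_verifier."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """The hash the user carries to the AS: S256 = BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS (hypothetical): stores the challenge with the code it issues,
    then checks the verifier presented at the token endpoint against it."""

    def __init__(self):
        self.pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self.pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self.pending.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            return None
        if not hmac.compare_digest(make_challenge(code_verifier), entry[1]):
            return None  # secret does not hash to the challenge: not the app that started
        return "access-token-" + b64url(secrets.token_bytes(8))


def run_flow(auth_server: AuthorizationServer, client_id: str = "app"):
    """Client side of slide 9: generate secret, send its hash, redeem code with secret."""
    verifier = make_verifier()
    code = auth_server.authorize(client_id, make_challenge(verifier))
    return auth_server.token(client_id, code, verifier)
```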
  11. Exchange the Refresh Token for an Access Token: POST https://authorization-server.com/token with grant_type=refresh_token&refresh_token=REFRESH_TOKEN&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

  12. New Access Token in the Response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "expires_in": 3600, "refresh_token": "64d049f8b21191e12522d5d96d5641af5e8" }

  13. SIGN IN (first time): authorization request; user authenticates; access token & refresh token; store refresh token in secure storage

  14. SIGN IN (already has refresh token): biometrics unlock refresh token; use refresh token to get new access token; new access token & refresh token

  15. The app requests certain scopes, and is confirmed by the user and the authorization server.

  16. Access Token Validation. The Fast Way, Local Validation: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImp0aSI6ImI5ZDRhNzViLTA2MDMtNDgxYy1hMjgyLTY3YTk0NDJiNGRkNiIsImlhdCI6MTUzMjQwMDkyMiwiZXhwIjoxNTMyNDA0NTIyfQ.SjYROEt8lZpEOq1eKh3OxRmRk3xttOXZeD5yW8aW2k8 which decodes to { "sub": "1234567890", "name": "John Doe", "admin": true, "jti": "b9d4a75b-0603-481c-a282-67a9442b4dd6", "iat": 1532400922, "exp": 1532404522 }. The Strong Way, Remote Introspection: POST https://authorization-server.com/introspect with token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3OD&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}

  17. Rejecting Revoked Tokens (timeline chart, 0:00 to 7:00, with the token marked expired; the user revokes the application part-way through): Local Validation versus Remote Introspection
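Slides 16 and 17 side by side, as an added example that is not part of the deck: local HS256 validation against an introspection lookup, showing that only introspection can reject a token the user has revoked before its exp. The issue_hs256 function, the IntrospectionEndpoint class and the signing key are constructed for the demo; the deck does not give the key behind the token on slide 16.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def issue_hs256(claims: dict, key: bytes) -> str:
    """Constructed issuer: mints an HS256 JWT shaped like the one on slide 16."""
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_locally(token: str, key: bytes, now: int):
    """The fast way: signature and exp checked with no network call.
    Returns the claims, or None. It cannot know about revocation."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if now >= claims.get("exp", 0):
        return None
    return claims

class IntrospectionEndpoint:
    """The strong way (hypothetical AS side): answers from live state, so revoked shows inactive."""
    def __init__(self, key: bytes):
        self.key = key
        self.revoked = set()  # jti values of tokens the user has revoked

    def revoke(self, jti: str) -> None:
        self.revoked.add(jti)

    def introspect(self, token: str, now: int) -> dict:
        claims = validate_locally(token, self.key, now)
        if claims is None or claims.get("jti") in self.revoked:
            return {"active": False}
        return {"active": True, **claims}
```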
  18. OAuth 2.1: Consolidate the OAuth 2.0 specs, adding best practices, removing deprecated features. Capture current best practices in OAuth 2.0 under a single name.

  19. OAuth 2.0: RFC6749 OAuth Core (Authorization Code, Implicit, Password, Client Credentials); RFC6750 Bearer Tokens (Tokens in HTTP Header, Tokens in POST Form Body, Tokens in GET Query String); RFC7636 +PKCE; RFC8252 PKCE for mobile; Browser App BCP: PKCE for SPAs; Security BCP: PKCE for confidential clients

  20. JWT Profile for Access Tokens: Describes a standard set of JWT claims to use in a JWT access token. This enables resource servers to be built with standard libraries to validate tokens.

  21. Pushed Authorization Requests (PAR) • Currently, the authorization request is sent in the front-channel • Front-channel is susceptible to inspection and modification • PAR initiates the OAuth flow from the back-channel. oauth.net/2/pushed-authorization-requests

  22. Specs Built on OAuth • OpenID Connect (openid.net) • FAPI (Financial-Grade API) • UMA (User-Managed Access) • IndieAuth (indieauth.net)