Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Protecting Single-Page Apps using OAuth

Aaron Parecki
July 22, 2020
Technology
0
440

Protecting Single-Page Apps using OAuth

https://aaronparecki.com/2020/07/22/7/

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
IIW 39 - OAuth 101
aaronpk
0
2
Targeted Logout - OAuth Security Workshop 2023
aaronpk
0
130
Enterprise-Ready: Going Beyond MVP
aaronpk
0
740
App Integrity Attestations for OAuth - OAuth Security Workshop 2022
aaronpk
1
950
Intro to OAuth - IETF 110
aaronpk
0
190
OAuth 101 - Internet Identity Workshop XXXI
aaronpk
0
740
What's New with OAuth and OpenID Connect - API Days Australia
aaronpk
2
480
How to Think about OAuth Security - Disclosure 2020
aaronpk
1
250
OAuth 2.1 - OAuth Security Workshop
aaronpk
0
1k

Other Decks in Technology

See All in Technology
最速最小からはじめるデータプロダクト / Data Product MVP
amaotone
5
740
Fargateを使った研修の話
takesection
0
120
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
130
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k
生成AIの強みと弱みを理解して、生成AIがもたらすパワーをプロダクトの価値へ繋げるために実践したこと / advance-ai-generating
cyberagentdevelopers
PRO
1
180
来年もre:Invent2024 に行きたいあなたへ - “集中”と“つながり”で楽しむ -
ny7760
0
480
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
1
630
pandasはPolarsに性能面で追いつき追い越せるのか
vaaaaanquish
4
4.7k
スプリントゴールにチームの状態も設定する背景とその効果 / Team state in sprint goals why and impact
kakehashi
2
100
プロダクトエンジニアが活躍する環境を作りたくて 事業責任者になった話 ~プロダクトエンジニアの行き着く先~
gimupop
1
480
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
660
30万人が利用するチャットをFirebase Realtime DatabaseからActionCableへ移行する方法
ryosk7
5
350

Featured

See All Featured
Ruby is Unlike a Banana
tanoku
96
11k
How GitHub (no longer) Works
holman
311
140k
YesSQL, Process and Tooling at Scale
rocio
167
14k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
4 Signs Your Business is Dying
shpigford
180
21k
Speed Design
sergeychernyshev
24
570
Designing for humans not robots
tammielis
249
25k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
167
49k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
Adopting Sorbet at Scale
ufuk
73
9k
Making Projects Easy
brettharned
115
5.9k

Transcript

  1. OAuth 2.0 for Browser-Based Apps draft-ietf-oauth-browser-based-apps-06 Aaron Parecki OAuth Security

    Workshop July 22, 2020

  2. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Native Apps https://tools.ietf.org/html/rfc8252

  3. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

  4. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020

  5. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps • Includes recommendations for implementors building 
 browser-based apps using OAuth 2.0 • "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"

  6. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps Build off the Security BCP, adding specifics that are unique to the browser environment GOAL

  7. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Recommendations • MUST NOT return access tokens in the front channel 
 (e.g. no Implicit flow) • MUST use only exact registered redirect URIs • The AS MUST require an exact match of the redirect URI • The AS MUST issue one-time-use refresh tokens • The AS MUST either set a max lifetime on refresh tokens or expire if they are not used after some time

  8. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Architecture Options • Same-domain apps • JS apps with a dynamic app server backend • JS apps without a backend (e.g. static file hosting)

  9. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Same-Domain Applications • Details of this section still TBD • There are still benefits of OAuth such as easier MFA, 
 avoiding passwords in apps, etc • Thoughts and opinions welcome

  10. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App with a Backend

  11. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App without a Backend

  12. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Another architectural option? • Performing the OAuth flow within a Web Worker to isolate the tokens from the main JavaScript global scope • https://gitlab.com/jimdigriz/oauth2-worker

  13. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Outstanding Work • Collect feedback on the architectural recommendations from people who have deployment experience • Remove details and reference sections that duplicate the Security BCP

  14. Thank you! @aaronpk aaronpk.com oauth.wtf