Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Protecting Single-Page Apps using OAuth

Aaron Parecki
July 22, 2020
Technology
0
440

Protecting Single-Page Apps using OAuth

https://aaronparecki.com/2020/07/22/7/

Aaron Parecki

July 22, 2020
Tweet

More Decks by Aaron Parecki

See All by Aaron Parecki
IIW 39 - OAuth 101
aaronpk
0
2
Targeted Logout - OAuth Security Workshop 2023
aaronpk
0
130
Enterprise-Ready: Going Beyond MVP
aaronpk
0
750
App Integrity Attestations for OAuth - OAuth Security Workshop 2022
aaronpk
1
950
Intro to OAuth - IETF 110
aaronpk
0
190
OAuth 101 - Internet Identity Workshop XXXI
aaronpk
0
750
What's New with OAuth and OpenID Connect - API Days Australia
aaronpk
2
480
How to Think about OAuth Security - Disclosure 2020
aaronpk
1
250
OAuth 2.1 - OAuth Security Workshop
aaronpk
0
1.1k

Other Decks in Technology

See All in Technology
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
600
CDCL による厳密解法を採用した MILP ソルバー
imai448
3
120
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
180
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
1
110
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.5k
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
160
SSMRunbook作成の勘所_20241120
koichiotomo
3
160
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
200
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430

Featured

See All Featured
How STYLIGHT went responsive
nonsquared
95
5.2k
Facilitating Awesome Meetings
lara
50
6.1k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Unsuck your backbone
ammeep
668
57k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Automating Front-end Workflow
addyosmani
1366
200k
Optimizing for Happiness
mojombo
376
70k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Code Review Best Practice
trishagee
64
17k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Embracing the Ebb and Flow
colly
84
4.5k

Transcript

  1. OAuth 2.0 for Browser-Based Apps draft-ietf-oauth-browser-based-apps-06 Aaron Parecki OAuth Security

    Workshop July 22, 2020

  2. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Native Apps https://tools.ietf.org/html/rfc8252

  3. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

  4. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020

  5. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps • Includes recommendations for implementors building 
 browser-based apps using OAuth 2.0 • "Browser-based apps" are defined as applications running in a browser, aka "SPA" or "single-page apps"

  6. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 OAuth 2.0 for Browser-Based Apps Build off the Security BCP, adding specifics that are unique to the browser environment GOAL

  7. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Recommendations • MUST NOT return access tokens in the front channel 
 (e.g. no Implicit flow) • MUST use only exact registered redirect URIs • The AS MUST require an exact match of the redirect URI • The AS MUST issue one-time-use refresh tokens • The AS MUST either set a max lifetime on refresh tokens or expire if they are not used after some time

  8. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Architecture Options • Same-domain apps • JS apps with a dynamic app server backend • JS apps without a backend (e.g. static file hosting)

  9. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Same-Domain Applications • Details of this section still TBD • There are still benefits of OAuth such as easier MFA, 
 avoiding passwords in apps, etc • Thoughts and opinions welcome

  10. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App with a Backend

  11. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 JavaScript App without a Backend

  12. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Another architectural option? • Performing the OAuth flow within a Web Worker to isolate the tokens from the main JavaScript global scope • https://gitlab.com/jimdigriz/oauth2-worker

  13. OAuth 2.0 for Browser-Based Apps • Aaron Parecki • OAuth

    Security Workshop 2020 Outstanding Work • Collect feedback on the architectural recommendations from people who have deployment experience • Remove details and reference sections that duplicate the Security BCP

  14. Thank you! @aaronpk aaronpk.com oauth.wtf