
Targeted Logout - OAuth Security Workshop 2023


Aaron Parecki

August 24, 2023

Transcript

  1. EXISTING LOGOUT-RELATED SPECS
     Spec / Limitation:
     • OIDC Backchannel Logout: "Refresh tokens issued with offline_access SHOULD NOT be revoked"
     • Token Revocation: Requires a token as input
     • CAEP "Session Revoked" Signal: Is only a signal, not a command, does not guarantee any outcome
  2. WHAT SESSIONS + TOKENS ARE CREATED?
     • Web login session on accounts.google.com
     • Google ID Token
  3. ENTERPRISE APP ECOSYSTEM
     [Diagram labels: Enterprise IdP; Chat App (OpenID Connect); Video Conferencing App (OpenID Connect); Wiki App (SAML); Payroll App (SAML)]
  4. ENTERPRISE APP ECOSYSTEM
     [Diagram labels: Enterprise IdP; Chat App Web Server; Video Conferencing App Web Server; ID Token; Access Tokens + Refresh Tokens; iPhone, iPad, Laptop; Native Chat App; Native Video App]
  5. FROM THE SAAS DEVELOPER POV: ENTERPRISE IDPS
     [Diagram labels: Chat App; Enterprise IdP (several); Google Login; OpenID Connect; SAML]
  6. FROM THE SAAS DEVELOPER POV: ENTERPRISE IDPS
     [Diagram labels: Chat App Backend API; Enterprise IdP (several); Google Login; OpenID Connect; SAML; Chat App iOS; Chat App Desktop; Chat App Web]
  7. END-USER USE CASE GAPS
     • User lost a device
     • User wants to revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices
  8. END-USER USE CASE GAPS
     • User discovers suspicious activity from an app
     • User wants to revoke all tokens issued to that application across all their devices
  9. ENTERPRISE ADMIN USE CASE GAPS
     • User is removed from a group or is terminated
     • Given a subject (user) identifier, revoke all sessions and tokens for that user, at the IdP and across all apps
     • Optionally distinguish between revoking sessions and revoking offline_access tokens
  10. ENTERPRISE ADMIN USE CASE GAPS
     • Application is deprovisioned
     • Given a client (application) identifier, revoke all sessions and tokens for all users of the application
  11. ENTERPRISE ADMIN USE CASE GAPS
     • User lost a device
     • Given a device identifier, revoke all sessions and tokens for only that device, across all applications that are logged in on that device
  12. WHY CAN'T WE DO THIS TODAY?
     [Diagram labels: iPhone; Chat App Backend/API; Video App Backend/API; Enterprise IdP]
  13. [Diagram labels: Chat App; App Backend/API; Enterprise IdP; OpenID Connect; OpenID Connect/SAML]
     /authorize?client_id=iphone&client_instance=123456
     /authorize?client_id=chat_app&client_instance=123456
  14. [Diagram labels: Chat App; App Backend/API; Enterprise IdP; OpenID Connect; Access Token + Refresh Token; ID Token; Token Exchange]
  15. [Diagram labels: Chat App; App Backend/API; Enterprise IdP; OpenID Connect; Access Token + Refresh Token; ID Token (+ optional Refresh Token); Token Exchange; Configuration Query [email protected]; IDP Config: issuer, client_id, redirect_uri]
  16. USE CASE GAPS
     • User lost a device
     • Revoke all sessions and tokens issued to every application on only that device, while retaining sessions and tokens on other devices
     • POST /revoke
       client_instance=123456
  17. USE CASE GAPS
     • Application is deprovisioned
     • Revoke all sessions and tokens for all users of a specific application
     • POST authorization-server.com/revoke
       client_id=chat_app
     • POST example-app.com/revoke
       client_id=ios
  18. NEEDS
     • Client Instance Identifier
     • Management API (provides confirmation of revocation)
     • ID Token Exchange
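The revocation requests sketched in slides 16 and 17 (and the subject-based case from slide 9) key revocation on an identifier rather than on a token, which is what the existing Token Revocation endpoint cannot do. The following is an added illustration, not code from the deck or from any real authorization server: a toy grant store that records each issued session/token with its subject, client_id and a hypothetical per-device `client_instance`, then serves a `/revoke` body by identifier. The `sub` and `keep_offline` form fields, and the sample grants, are assumptions made here.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Grant:
    """One issued session or token: who, which app, which device instance."""
    token_id: str
    sub: str
    client_id: str
    client_instance: str  # hypothetical per-device identifier from the deck
    offline: bool         # refresh token issued with offline_access


@dataclass
class GrantStore:
    grants: dict = field(default_factory=dict)

    def issue(self, g):
        self.grants[g.token_id] = g

    def _revoke_where(self, pred):
        hit = sorted(t for t, g in self.grants.items() if pred(g))
        for t in hit:
            del self.grants[t]
        return hit  # confirmation of what was revoked (slide 18's management API)

    def revoke(self, form_body):
        """Serve a POST /revoke body keyed by an identifier instead of by a token."""
        q = {k: v[0] for k, v in parse_qs(form_body).items()}
        if "client_instance" in q:  # lost device: only that device, every app on it
            return self._revoke_where(lambda g: g.client_instance == q["client_instance"])
        if "client_id" in q:        # app deprovisioned: all users of that app
            return self._revoke_where(lambda g: g.client_id == q["client_id"])
        if "sub" in q:              # user terminated; keep_offline=1 is an assumed knob
            keep_offline = q.get("keep_offline") == "1"
            return self._revoke_where(
                lambda g: g.sub == q["sub"] and not (keep_offline and g.offline))
        raise ValueError("no supported identifier in revocation request")


def sample_store():
    # Constructed sample grants, not taken from the deck.
    s = GrantStore()
    for row in [("t1", "alice", "chat_app", "123456", False),
                ("t2", "alice", "chat_app", "123456", True),
                ("t3", "alice", "video_app", "123456", True),
                ("t4", "alice", "chat_app", "789", True),
                ("t5", "bob", "chat_app", "555", True)]:
        s.issue(Grant(*row))
    return s
```

Revoking by `client_instance=123456` leaves alice's grant on device 789 and bob's grants intact, which is the "only that device" property slide 16 asks for.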