The State of OAuth 2025 - Identiverse

Transcript

1. The State of OAuth Aaron Parecki Director of Identity Standards,

   Okta

2. Aaron Director of Identity Standards Parecki Okta

3. None
4. None
5. None
6. None

7. Application OAuth Server

8. OAuth 2.0

9. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

10. None
11. None
12. None
13. None

14. OAuth 2.1 oauth.net/2.1

15. OAuth 2.1 Goals • Consolidate the OAuth 2.0 specs, adding

    best practices, removing deprecated features • Capture current best practices in OAuth 2.0 under a single name • Add references to extensions that didn't exist when OAuth 2.0 was published

16. Recent OAuth Extensions

17. Best Current Practice for OAuth 2.0 Security • Collects best

    practices for OAuth 2.0 • Finally published in January 2025! • Document was started in November 2016 • RFC 9700 is a dependency and significant input to OAuth 2.1 oauth.net/2/oauth-best-practice

18. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

    JWT Response for Token Introspection

19. JWT Response for Token Introspection • Response to a token

    introspection request is a full signed JWT • Provides a JWT that can be logged and later used to prove that the AS returned the given introspection response datatracker.ietf.org/doc/rfc9701/

20. Protected Resource Metadata User Agent (Browser) Authorization Server Resource Server

    (API) Client (App)

21. Protected Resource Metadata • A Resource Server can publish metadata

    about itself similar to Authorization Server Metadata • The Resource Server can indicate which Authorization Server can issue access tokens usable at the server • Enables configuring an OAuth client knowing only the Resource Server URL datatracker.ietf.org/doc/rfc9728/ Adopted by

22. Nearly Final Specifications

23. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

    OAuth for Browser- Based Applications (Best Current Practice) https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

24. Ecosystems

25. Draft RFC 9728 OAuth 2.1 Protected Resource Metadata Draft Client

    ID Metadata RFC 9449 DPoP RFC 7523 Client Authentication JWT RFC 9126 Pushed Authorization Requests Preregistration of apps is not possible, anyone can write an app and use it with anyone's server https://docs.bsky.app/docs/advanced-guides/oauth-client

26. Draft RFC 9728 OAuth 2.1 Protected Resource Metadata RFC 8414

    Authorization Server Metadata RFC 7591 Dynamic Client Registration Configure a client with only the URL of the resource server https://modelcontextprotocol.io/specification/draft/basic/authorization

27. Attack Vectors

28. User Agent (Browser) Authorization Server Resource Server (API) Client (App)

    DPoP PKCE
29. None
30. None
31. None
32. None
33. None

34. Cross-App Access https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/ Extend the SSO relationship with the enterprise

    IdP to include API access between enterprise apps

35. Enterprise IdP AI Chat Bot Wiki Calendar https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/

36. https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/

37. Cross-App Access https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/ Puts the IdP in between the OAuth

    exchange between two apps • Better user experience • Improved security and admin control

38. Enterprise-Ready MCP aaronpk.com/mcp

39. None
40. None