Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What's New with OAuth and OpenID Connect - API ...

Aaron Parecki
September 15, 2020

What's New with OAuth and OpenID Connect - API Days Australia

Aaron Parecki

September 15, 2020
Tweet

More Decks by Aaron Parecki

Other Decks in Technology

Transcript

  1. What's New in OAuth 2.1 Aaron Parecki Senior Security Architect,

    Okta API Days Australia • September 2020
  2. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials Grant Types
  3. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials Grant Types RFC6750 Bearer Tokens Token Usage Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  4. @aaronpk September 2020 OAuth Server OAuth Client Passing Data via

    the Front Channel Did they catch 
 it? Did someone else 
 steal it? Is this really 
 from the real 
 OAuth server?
  5. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  6. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  7. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  8. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  9. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String
  10. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP
  11. @aaronpk September 2020 Password oauth.net/2/oauth-best-practice • Added to OAuth to

    enable migrating applications from HTTP Basic Auth or using a stored password to OAuth
  12. @aaronpk September 2020 OAuth 2.0 Security BCP • All OAuth

    clients MUST use PKCE with the authorization code flow • Password grant MUST NOT be used • Use exact string matching for redirect URIs • No access tokens in query strings • Refresh tokens for public clients must be 
 sender-constrained or one-time use oauth.net/2/oauth-best-practice
  13. @aaronpk September 2020 RFC6749 RFC6750 CLIENT TYPE AUTH GRANT TYPE

    RFC6819 RFC7009 RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 BUILDING YOUR APPLICATION RFC8252 OIDC RFC8414 STATE TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN DPOP PAR
  14. @aaronpk September 2020 OAuth 2.0 RFC6749 OAuth Core Authorization Code

    Implicit Password Client Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for confidential clients Security BCP
  15. @aaronpk September 2020 OAuth 2.1 Consolidate the OAuth 2.0 specs,


    adding best practices, 
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name Add references to extensions that didn't exist when OAuth 2.0 was published
  16. @aaronpk September 2020 OAuth 2.1 No new behavior defined by

    OAuth 2.1 Non-Goals: Don't include anything experimental, 
 in progress or not widely implemented
  17. @aaronpk September 2020 OAuth 2.1 Authors: Dick Hardt, Aaron Parecki,

    Torsten Lodderstedt • OAuth 2.1 is a consolidation of: 
 OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), 
 Bearer Tokens (RFC6750) • Grant types defined: Authorization Code with PKCE, Client Credentials • Exact redirect URI matching • No Bearer tokens in query strings • Refresh tokens for SPAs must be sender-constrained or one-time use • Implicit and password grants are omitted
  18. @aaronpk September 2020 Credentialed Client This distinction already exists in

    OAuth 2.0! OAuth 2.0: If the client type is confidential or the client was issued client credentials, the client MUST authenticate... OAuth 2.1: Confidential or credentialed clients MUST authenticate...
  19. @aaronpk September 2020 Credentialed Client • A client that has

    credentials, but whose identity is not confirmed • e.g. a client that obtains a client secret via dynamic client registration