GNAP: The future of OAuth

Robin Chalas
November 27, 2022

OAuth 2 is an industry standard for authorization that every developer has probably heard about. As hinted by its name, it is the evolution of OAuth 1 and, as such, aims to address most of OAuth 1's known issues. But, just like OAuth 1, OAuth 2 now has a lot of known issues of its own. Fortunately, many of them have already been fixed by extending the specification. The drawback is that today, in order to get OAuth 2 right, one needs to read a dozen RFCs and work out which of them are relevant to the use case. This hurts developer experience because it increases the complexity of the protocol, which goes against its main focus: simplicity for client developers. Here comes GNAP (Grant Negotiation and Authorization Protocol): an in-progress effort to develop the next-generation authorization protocol by learning from the past. In this talk, we'll take a deep look into the GNAP protocol, reviewing the known OAuth 2 flaws it aims to fix, how it plays with authentication protocols such as OpenID Connect or WebAuthn, what its current state is, and more.

Transcript

  1. A BIT OF HISTORY: OAUTH 1.0?
     For browser-based clients only. Based on Flickr's authorization API & Google's AuthSub. Security concerns on the clients' shoulders. @chalas_r
  2. A BIT OF HISTORY: OAUTH 2.0?
     Complete rewrite of OAuth 1. For anything that builds on HTTP(S). Relies on TLS (& eventually JOSE).
  3. OAUTH 2.0 BUILT-IN GRANT TYPES
     Resource Owner Password Credentials, Implicit, Client Credentials, Authorization Code.
  4. OAUTH 2.1 BUILT-IN GRANT TYPES
     Resource Owner Password Credentials (removed in 2.1), Implicit (removed in 2.1), Client Credentials, Authorization Code + Proof Key for Code Exchange (PKCE).
  5. OAUTH 2.1 OTHER MAJOR CHANGES
     No more Bearer tokens in the query string (URL). Refresh tokens must either be one-time use or sender-constrained. Simplified "public vs. confidential clients" concept. Identification/authentication concept is mentioned. oauth2.net/2.1
  6. OAUTH2 FLAWS: OVERLY COMPLEX
     28 RFCs + 10 active drafts. Ready-made solutions exist, e.g. Keycloak.
  7. OAUTH2 FLAWS: AUTHENTICATION LEFT ASIDE
     🎁 You've got 10+ more specifications to read! Welcome OpenID Connect: openid.net/developers/specs/
  8. OAUTH GRANT TYPE EQUIVALENTS
     Authorization Code Grant => redirect interaction mode (with automatic PKCE). Device Grant => user_code interaction mode. Client Credentials Grant => just a grant request with no interaction.
  9. RELATIONSHIP TO OTHER SPECS
     OpenID Connect (OIDC) => identity is part of GNAP Core & Resource Server. User-Managed Access (UMA) => the same can be achieved with GNAP Core alone. Proof of Possession (PoP, mTLS & DPoP) => all tokens are key-bound by default in GNAP.
  10. CURRENT STATE
      WG started in October 2020, led by Justin Richer. Protocol improved a lot since then.
  11. IT'S MOSTLY GETTING STABLE
      Last WG meeting happened in November 2022: no protocol changes. datatracker.ietf.org/meeting/114/materials/slides-114-gnap-protocol-slides-00
  12. GET INVOLVED
      Read the specification. Subscribe to the mailing list (ietf.org/mailman/listinfo/txauth). Implement it in your favorite language (existing implementations available on oauth.xyz).
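The two slides on grant types are easier to compare in code: slide 4 makes PKCE part of the OAuth 2.1 authorization code grant, and slide 8 maps each OAuth 2 grant type to a GNAP grant request whose redirect mode carries an equivalent binding step built into the protocol. The Python below is an added example written for this page; it is not code from the talk, from the GNAP specification's authors or from any GNAP implementation. The PKCE part follows RFC 7636 (S256), and the GNAP field names (`access_token`, `client`, `interact`, `start`, `finish`, `interact_ref`, `hash`) and the interaction-hash construction follow the GNAP core specification; the resource type, URIs, key reference, nonces and interaction reference are constructed values for the example.

```python
"""
PKCE (mandatory in OAuth 2.1) next to the interaction-finish hash that GNAP
builds into its redirect interaction mode.  Added illustration only: field
names follow RFC 7636 and the GNAP core spec; every URI, key reference,
nonce and interaction reference below is constructed for the example.
"""
import base64
import hashlib
import hmac


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding both PKCE and GNAP require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# --- OAuth 2.1: PKCE with the S256 method (RFC 7636) -----------------------
def pkce_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def pkce_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: redeem the code only if the verifier presented
    with it hashes to the challenge that was stored with the code."""
    return hmac.compare_digest(stored_challenge, pkce_challenge(presented_verifier))


# --- GNAP: the grant request that replaces each OAuth 2 grant type -----------
def gnap_grant_request(legacy_grant: str, client_nonce: str = "") -> dict:
    """Map an OAuth 2 grant type to a GNAP grant request body (slide 8)."""
    req = {
        # What is being asked for; 'photo-api' is a constructed access type.
        "access_token": {"access": [{"type": "photo-api", "actions": ["read"]}]},
        # GNAP tokens are key-bound by default, so the client always names its
        # key; 'client-key-1' is a constructed pre-registered key reference.
        "client": {"key": "client-key-1"},
    }
    if legacy_grant == "authorization_code":
        # Redirect mode: the AS sends the user to an interaction URL and later
        # redirects back to the client's finish URI with interact_ref + hash.
        req["interact"] = {
            "start": ["redirect"],
            "finish": {
                "method": "redirect",
                "uri": "https://client.example.net/return",  # constructed
                "nonce": client_nonce,
            },
        }
    elif legacy_grant == "device_code":
        # user_code mode: the AS returns a short code the user enters on another
        # device; there is no callback, the client polls the continuation URI.
        req["interact"] = {"start": ["user_code"]}
    elif legacy_grant == "client_credentials":
        pass  # No interact section at all: a bare grant request.
    else:
        raise ValueError(f"no GNAP equivalent defined here for {legacy_grant!r}")
    return req


# --- GNAP: interaction-finish hash (default sha-256 method) ------------------
def gnap_finish_hash(client_nonce: str, server_nonce: str,
                     interact_ref: str, grant_endpoint: str) -> str:
    """base64url(sha256(client_nonce, server_nonce, interact_ref and the grant
    endpoint URL, joined by single newlines))."""
    material = "\n".join([client_nonce, server_nonce, interact_ref, grant_endpoint])
    return b64url(hashlib.sha256(material.encode("utf-8")).digest())


def gnap_verify_finish(client_nonce: str, server_nonce: str,
                       grant_endpoint: str, callback_params: dict) -> bool:
    """Client-side check on the redirect back from the AS.  The 'hash'
    parameter must match a hash over both nonces, the interact_ref and the
    grant endpoint; otherwise the callback is forged, replayed or aimed at a
    different grant, and interact_ref must not be used to continue."""
    ref = callback_params.get("interact_ref")
    presented = callback_params.get("hash")
    if not ref or not presented:
        return False
    expected = gnap_finish_hash(client_nonce, server_nonce, ref, grant_endpoint)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed walk-through of the redirect mode.
    c_nonce, s_nonce = "VJLO6A4CAYLBXHTR0KRO", "MBDOFXG4Y5CVJCX821LH"
    endpoint = "https://server.example.com/tx"
    print(gnap_grant_request("authorization_code", c_nonce))
    ref = "4IFWWIKYBC2PQ6U56NL1"
    good = {"interact_ref": ref, "hash": gnap_finish_hash(c_nonce, s_nonce, ref, endpoint)}
    bad = {"interact_ref": "someone-elses-ref", "hash": good["hash"]}
    print(gnap_verify_finish(c_nonce, s_nonce, endpoint, good),   # True
          gnap_verify_finish(c_nonce, s_nonce, endpoint, bad))    # False
```

The point of the pairing: in OAuth 2.1 the client must remember to generate a verifier and the AS must remember to check it, while in GNAP the nonce exchange and the finish hash are part of the core redirect flow, which is what slide 8's "automatic" refers to. Both checks use `hmac.compare_digest` so that a wrong value cannot be distinguished from a right one by timing.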