Status Quo of OAuth 2

Niko Köbler

April 23, 2024
Transcript

  1. Niko Köbler | keycloak-experte.de | Keycloak IAM & SSO | ABOUT ME
     ▸ Independent Consultant/Architect/Developer/Trainer
     ▸ Doing stuff with & without Computers, Software, > 25 yrs
     ▸ "Mr. Keycloak" since 2015 (v1.x)
     ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
     ▸ Author of „Serverless Computing in AWS Cloud" (serverlessbuch.de)
     ▸ Web: www.n-k.de / Social: @dasniko
     ▸ YouTube: youtube.com/@dasniko
  2. STATUS QUO OF OAUTH2 | OAuth 2.0 (IETF, RFC 6749): "The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."
  3. "How many RFCs does it take to change a lightbulb!?" (Unknown Developer)
  4. 2010 / 2012
     ▸ iPhone 5
     ▸ Internet Explorer 9
     ▸ AJAX Apps (SPA)
     ▸ HTTP POST form requests instead of JSON
     ▸ CORS not yet an established W3C standard
     ▸ The world was much simpler, fewer choices!
  5. Grant types and specs
     ▸ Authorization Code, Implicit, Password, Client Credentials (RFC 6749)
     ▸ PKCE (RFC 7636)
     ▸ PKCE for mobile (RFC 8252)
     ▸ Device Code (RFC 8628)
  6. Grant types and specs (continued)
     ▸ Authorization Code, Implicit, Password, Client Credentials (RFC 6749)
     ▸ PKCE (RFC 7636)
     ▸ PKCE for mobile (RFC 8252)
     ▸ Device Code (RFC 8628)
     ▸ PKCE for SPAs (Browser App BCP)
  7. Grant types and specs (continued)
     ▸ Authorization Code, Implicit, Password, Client Credentials (RFC 6749)
     ▸ PKCE (RFC 7636)
     ▸ PKCE for mobile (RFC 8252)
     ▸ Device Code (RFC 8628)
     ▸ PKCE for SPAs (Browser App BCP)
     ▸ PKCE for confidential clients (Security BCP)
     ▸ RFCs about tokens (Bearer, JWT) not even mentioned here…!
  8. OAuth 2.1
     ➡ PKCE is required for all OAuth clients using the authorization code flow
     ➡ Implicit grant is omitted from the specification
     ➡ Resource Owner Password Credentials grant is omitted from the specification
     https://oauth.net/2.1/
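The PKCE requirement on this slide is the one OAuth 2.1 change that touches every authorization-code client, so here is the mechanism end to end. This is an added example, not code from the deck or from Keycloak: the client-side verifier and S256 challenge as RFC 7636 defines them, and the check an authorization server performs at the token endpoint. Only S256 is accepted here; rejecting the `plain` method is a policy choice of this example, in line with the Security BCP, not something the slide states.

```python
"""PKCE (RFC 7636) round trip, as OAuth 2.1 requires for the authorization code flow.

Added example, not part of the deck. The in-memory 'stored' dict in demo_flow()
stands in for whatever the authorization server keeps alongside an issued code.
"""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: a code_verifier is 43..128 characters from the
# unreserved set [A-Za-z0-9-._~]. Anything else is rejected before hashing.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to a 43-character verifier, the RFC minimum."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_verifier(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint.

    Recomputes the challenge from the verifier the client now presents and
    compares it in constant time with the challenge stored when the code was
    issued. Only S256 is accepted; 'plain' is refused (policy assumption of this
    example, following the Security BCP).
    """
    if stored_method != "S256":
        return False
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def demo_flow() -> bool:
    """Full round trip: client creates verifier + challenge, AS stores the challenge
    with the authorization code, client later redeems the code with the verifier."""
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    # The authorization request would carry:
    #   code_challenge=<challenge>&code_challenge_method=S256
    stored = {"code_challenge": challenge, "code_challenge_method": "S256"}
    # The token request carries the original code_verifier.
    return verify_code_verifier(stored["code_challenge"], stored["code_challenge_method"], verifier)


if __name__ == "__main__":
    print("PKCE round trip ok:", demo_flow())
```

The verifier never leaves the client until the token request, so an attacker who only observes the authorization code (the case RFC 7636 was written for) cannot redeem it. The test vector from RFC 7636 Appendix B can be used to check `code_challenge_s256` against a known answer.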
  9. OAuth 2.1
     ➡ Redirect URIs must be compared using exact string matching
     ➡ Bearer token usage omits the use of bearer tokens in the query string of URIs
     ➡ Refresh tokens for public clients must either be sender-constrained or one-time use
     https://oauth.net/2.1/
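The three rules on this slide are all server-side checks, so here they are as code. This is an added example, not code from the deck or from Keycloak: exact-match redirect URI validation at the authorization endpoint, a resource server that accepts a bearer token from the `Authorization` header only and refuses the RFC 6750 `access_token` query parameter, and one-time-use refresh tokens with reuse detection for public clients (revoking the whole token family on reuse is the Security BCP recommendation, not something the slide spells out). The client registration and the in-memory store are constructed for the example.

```python
"""Server-side checks for the three OAuth 2.1 rules on redirect URIs, bearer
token location and refresh tokens. Added example, not part of the deck."""
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed client registration: the AS stores complete redirect URIs, never prefixes.
REGISTERED_CLIENTS = {
    "spa-demo": {"redirect_uris": {"https://app.example.com/callback"}},
}


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """OAuth 2.1: exact string comparison. No prefix match, no wildcard, no
    normalisation of scheme, host or path; anything not registered verbatim is refused."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    return requested in client["redirect_uris"]


def extract_bearer_token(headers: dict, request_url: str) -> Tuple[Optional[str], Optional[str]]:
    """Resource server: take the token from the Authorization header only.

    RFC 6750 also allowed an `access_token` URI query parameter; OAuth 2.1 drops it
    because query strings end up in server logs, Referer headers and browser history.
    Returns (token, None) on success or (None, reason) on rejection.
    """
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    if "access_token" in query:
        return None, "access_token in query string is not accepted"
    # HTTP header names are case-insensitive.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None, "missing or malformed Authorization: Bearer header"
    return token, None


class RefreshTokenStore:
    """One-time-use refresh tokens (rotation) for public clients.

    Each refresh token may be exchanged exactly once. Presenting a token that was
    already rotated is treated as reuse and invalidates the whole token family.
    In-memory only; constructed for this example.
    """

    def __init__(self) -> None:
        self._tokens = {}            # token -> {"family": str, "used": bool}
        self._revoked_families = set()

    def issue(self, family: Optional[str] = None) -> str:
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"family": family, "used": False}
        return token

    def rotate(self, presented: str) -> Tuple[Optional[str], Optional[str]]:
        """Exchange a refresh token for a new one. Returns (new_token, None) or (None, reason)."""
        rec = self._tokens.get(presented)
        if rec is None:
            return None, "unknown refresh token"
        if rec["family"] in self._revoked_families:
            return None, "token family revoked"
        if rec["used"]:
            # Replay of a rotated token: either the client or an attacker holds a stale copy.
            self._revoked_families.add(rec["family"])
            return None, "refresh token reuse detected; family revoked"
        rec["used"] = True
        return self.issue(rec["family"]), None


if __name__ == "__main__":
    print(redirect_uri_allowed("spa-demo", "https://app.example.com/callback"))
    print(extract_bearer_token({"Authorization": "Bearer abc.def"}, "https://api.example.com/me"))
    store = RefreshTokenStore()
    first = store.issue()
    print(store.rotate(first))
    print(store.rotate(first))
```

In a real deployment the refresh-token family id and `used` flag live in the authorization server's database rather than a dict, and a reuse event is worth an audit log entry, since it is the signal that a refresh token has leaked.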
  10. OAuth 2.1
     ➡ No new behavior is defined in OAuth 2.1!
     ➡ Nothing experimental, in-progress or not widely implemented!
     https://oauth.net/2.1/
  11. OAuth 2.1: When will it be released? Well, nobody knows.
  12. "It's difficult to make predictions, especially about the future." (Niels Bohr, Nobel Laureate in quantum physics & father of the atomic model)
  13. OAuth 2.1: When will it be released? Well, nobody knows… but there's nothing that stops you from JUST USING it!
  14. GNAP: Grant Negotiation and Authorization Protocol. An in-progress effort to develop a next-generation authorization protocol. Early drafts of the spec were called "XYZ", "TxAuth", and "Transactional Authorization". https://oauth.net/gnap/
  15. Links: OAuth 2.0
     ▸ OAuth 2.0 Overview: https://oauth.net/2/
     ▸ OAuth Core, RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749
     ▸ OAuth 2.0 Threat Model and Security Considerations, RFC 6819: https://datatracker.ietf.org/doc/html/rfc6819
     ▸ OAuth 2.0 Token Revocation, RFC 7009: https://datatracker.ietf.org/doc/html/rfc7009
     ▸ Proof Key for Code Exchange, RFC 7636: https://datatracker.ietf.org/doc/html/rfc7636
     ▸ OAuth 2.0 for Native Apps, RFC 8252: https://datatracker.ietf.org/doc/html/rfc8252
     ▸ OAuth 2.0 Device Authorization Grant, RFC 8628: https://datatracker.ietf.org/doc/html/rfc8628
     ▸ OAuth 2.0 for Browser-Based Apps: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
     ▸ OAuth 2.0 Security Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
  16. Links: OAuth 2.1+
     ▸ OAuth 2.1 Overview: https://oauth.net/2.1/
     ▸ OAuth 2.1 Draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1
     ▸ GNAP Overview: https://oauth.net/gnap/
  17. Links: Tokens
     ▸ OAuth 2.0 Bearer Token Usage, RFC 6750: https://datatracker.ietf.org/doc/html/rfc6750
     ▸ OAuth 2.0 Token Binding, Draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-08
     ▸ OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, RFC 8705: https://datatracker.ietf.org/doc/html/rfc8705
     ▸ JSON Web Token, RFC 7519: https://datatracker.ietf.org/doc/html/rfc7519
     ▸ JSON Web Token (JWT) Best Current Practice, RFC 8725: https://datatracker.ietf.org/doc/html/rfc8725
     ▸ JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens, RFC 9068: https://datatracker.ietf.org/doc/html/rfc9068