Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Client-side OAuth with PKCE (Indy.code() 2022)

Scott McAllister
May 24, 2023
Programming
1
56

Client-side OAuth with PKCE (Indy.code() 2022)

The OAuth standard has been around for a while, but traditionally it has required a back-end server to hold a client secret, well, secret. Managing secrets can be a very hard problem to solve. Until now! By supporting Proof Key for Code Exchange, or PKCE, OAuth flows can now be accomplished entirely in the client--and still be secure. In this talk we begin the standard three-legged flow and then introduce PKCE. By the time you leave, you will understand how to implement it in your client applications and the benefits for doing so.

This version was presented at Indy.Code() 2022.

Scott McAllister

May 24, 2023
Tweet

More Decks by Scott McAllister

See All by Scott McAllister
Simple Ways to Make Webhook Security Better
stmcallister
0
56
What the Heck is HTTP?
stmcallister
1
92
Modules, Loops and More: How to Scale with Terraform
stmcallister
0
59
Building Ingress: From Concept to Connection (#JOTB23)
stmcallister
0
70
Node and OAuth on the Command Line -- Twin Cities Code Camp 2018
stmcallister
0
74

Other Decks in Programming

See All in Programming
GCCのプラグインを作る / I Made a GCC Plugin
shouth
1
150
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
9
1k
gopls を改造したら開発生産性が高まった
satorunooshie
8
250
VR HMDとしてのVision Pro+ゲーム開発について
yasei_no_otoko
0
110
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
900
Honoの来た道とこれから
yusukebe
19
3.1k
Kubernetes for Data Engineers: Building Scalable, Reliable Data Pipelines
sucitw
1
200
Hotwire or React? ~Reactの録画機能をHotwireに置き換えて得られた知見~ / hotwire_or_react
harunatsujita
9
4.1k
Vue SFCのtemplateでTypeScriptの型を活用しよう
tsukkee
3
1.5k
Outline View in SwiftUI
1024jp
1
190
役立つログに取り組もう
irof
27
8.7k
開発効率向上のためのリファクタリングの一歩目の選択肢 ~コード分割~ / JJUG CCC 2024 Fall
ryounasso
0
370

Featured

See All Featured
A designer walks into a library…
pauljervisheath
202
24k
What's new in Ruby 2.0
geeforr
342
31k
YesSQL, Process and Tooling at Scale
rocio
167
14k
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
Navigating Team Friction
lara
183
14k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k
Rails Girls Zürich Keynote
gr2m
93
13k
The Cost Of JavaScript in 2023
addyosmani
45
6.6k
Designing Experiences People Love
moore
138
23k
Automating Front-end Workflow
addyosmani
1365
200k
A Tale of Four Properties
chriscoyier
156
23k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k

Transcript

  1. Client-side OAuth with PKCE Scott McAllister @stmcallister

  2. A long time ago in a galaxy far, far away....

    @stmcallister

  3. @stmcallister Your App Google Calendar

  4. @stmcallister Your App Google Calendar Google Username and Password Calendar

    Data

  5. @stmcallister Your App Google Calendar Google Username and Password Calendar

    Data Password Anti-Pattern

  6. No easy way to revoke access from the client App

    @stmcallister

  7. Once they’re in they’re hard to stop @stmcallister

  8. Access: All or Nothing @stmcallister

  9. User can’t remove credentials from third-party apps @stmcallister

  10. OAuth @stmcallister

  11. @stmcallister OAuth ❏ Open standard for authorizing secure access on

    HTTP service ❏ Uses tokens rather than password data to prove identity ❏ Provides “secure delegated access” to client applications ❏ Limits user’s scope of access

  12. OAuth with Client Secret @stmcallister

  13. @stmcallister Keep it Secret. Keep it safe.

  14. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI

  15. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access

  16. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access Auth code returned

  17. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI Request Access Token with Auth Code, Client ID and Client Secret User Allows or Denies Access Auth code returned

  18. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI Request Access Token with Auth Code, Client ID and Client Secret User Allows or Denies Access Auth code returned Access Token Returned

  19. Implicit OAuth @stmcallister

  20. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access Access Token Returned

  21. OAuth with Proof Key for Code Exchange (PKCE) @stmcallister

  22. @stmcallister PKCE Terms ❏ Code_verifier ❏ Random 128byte, base64 urlEncoded

    value ❏ Code_challenge ❏ Hashed, base64 urlEncoded (no padding) value of Code_verifier ❏ Challenge_method ❏ Method of hash used

  23. @stmcallister Client App PagerDuty

  24. @stmcallister Client App PagerDuty Generate & Save code verifier Create

    code challenge

  25. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI User Allows or Denies Access Generate & Save code verifier Create code challenge

  26. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI User Allows or Denies Access Auth code returned Generate & Save code verifier Create code challenge

  27. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI Request Access Token with Auth Code, Client ID and Code Verifier User Allows or Denies Access Auth code returned Generate & Save code verifier Create code challenge Validates Code & Code Verifier

  28. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI Request Access Token with Auth Code, Client ID and Code Verifier User Allows or Denies Access Auth code returned Access Token Returned Generate & Save code verifier Create code challenge Validates Code & Code Verifier

  29. @stmcallister

  30. @stmcallister

  31. Layers of Security 1. Redirect URI must be registered 1.

    Prevents App Mocking @stmcallister

  32. Layers of Security 1. Redirect URI must be registered 2.

    Code Exchange for token 1. Prevents App Mocking 2. Prevents Man in the Middle @stmcallister

  33. Layers of Security 1. Redirect URI must be registered 2.

    Code Exchange for token 3. PKCE 1. Prevents App Mocking 2. Prevents Man in the Middle 3. Proves layers 1 and 2 are unified @stmcallister

  34. Further Reading Sample Code https://github.com/PagerDuty-Samples/pagerduty-bulk-user-mgr-sample Implement the OAuth 2.0 Auth

    Code with PKCE Flow https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce @stmcallister

  35. Scott McAllister Speaker, Writer, Coder PagerDuty @stmcallister stmcallister.github.io