Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Client-side OAuth with PKCE (Indy.code() 2022)

Scott McAllister
May 24, 2023
Programming
1
57

Client-side OAuth with PKCE (Indy.code() 2022)

The OAuth standard has been around for a while, but traditionally it has required a back-end server to hold a client secret, well, secret. Managing secrets can be a very hard problem to solve. Until now! By supporting Proof Key for Code Exchange, or PKCE, OAuth flows can now be accomplished entirely in the client--and still be secure. In this talk we begin the standard three-legged flow and then introduce PKCE. By the time you leave, you will understand how to implement it in your client applications and the benefits for doing so.

This version was presented at Indy.Code() 2022.

Scott McAllister

May 24, 2023
Tweet

More Decks by Scott McAllister

See All by Scott McAllister
Simple Ways to Make Webhook Security Better
stmcallister
0
56
What the Heck is HTTP?
stmcallister
1
92
Modules, Loops and More: How to Scale with Terraform
stmcallister
0
59
Building Ingress: From Concept to Connection (#JOTB23)
stmcallister
0
70
Node and OAuth on the Command Line -- Twin Cities Code Camp 2018
stmcallister
0
74

Other Decks in Programming

See All in Programming
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
よくできたテンプレート言語として TypeScript + JSX を利用する試み / Using TypeScript + JSX outside of Web Frontend #TSKaigiKansai
izumin5210
6
1.8k
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
350
Contemporary Test Cases
maaretp
0
140
ActiveSupport::Notifications supporting instrumentation of Rails apps with OpenTelemetry
ymtdzzz
1
250
Arm移行タイムアタック
qnighy
0
340
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
1k
CSC509 Lecture 09
javiergs
PRO
0
140
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
3
1.2k
Jakarta EE meets AI
ivargrimstad
0
270
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Statistics for Hackers
jakevdp
796
220k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
110
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
380
Into the Great Unknown - MozCon
thekraken
32
1.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
BBQ
matthewcrist
85
9.3k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130

Transcript

  1. Client-side OAuth with PKCE Scott McAllister @stmcallister

  2. A long time ago in a galaxy far, far away....

    @stmcallister

  3. @stmcallister Your App Google Calendar

  4. @stmcallister Your App Google Calendar Google Username and Password Calendar

    Data

  5. @stmcallister Your App Google Calendar Google Username and Password Calendar

    Data Password Anti-Pattern

  6. No easy way to revoke access from the client App

    @stmcallister

  7. Once they’re in they’re hard to stop @stmcallister

  8. Access: All or Nothing @stmcallister

  9. User can’t remove credentials from third-party apps @stmcallister

  10. OAuth @stmcallister

  11. @stmcallister OAuth ❏ Open standard for authorizing secure access on

    HTTP service ❏ Uses tokens rather than password data to prove identity ❏ Provides “secure delegated access” to client applications ❏ Limits user’s scope of access

  12. OAuth with Client Secret @stmcallister

  13. @stmcallister Keep it Secret. Keep it safe.

  14. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI

  15. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access

  16. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access Auth code returned

  17. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI Request Access Token with Auth Code, Client ID and Client Secret User Allows or Denies Access Auth code returned

  18. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI Request Access Token with Auth Code, Client ID and Client Secret User Allows or Denies Access Auth code returned Access Token Returned

  19. Implicit OAuth @stmcallister

  20. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access Access Token Returned

  21. OAuth with Proof Key for Code Exchange (PKCE) @stmcallister

  22. @stmcallister PKCE Terms ❏ Code_verifier ❏ Random 128byte, base64 urlEncoded

    value ❏ Code_challenge ❏ Hashed, base64 urlEncoded (no padding) value of Code_verifier ❏ Challenge_method ❏ Method of hash used

  23. @stmcallister Client App PagerDuty

  24. @stmcallister Client App PagerDuty Generate & Save code verifier Create

    code challenge

  25. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI User Allows or Denies Access Generate & Save code verifier Create code challenge

  26. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI User Allows or Denies Access Auth code returned Generate & Save code verifier Create code challenge

  27. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI Request Access Token with Auth Code, Client ID and Code Verifier User Allows or Denies Access Auth code returned Generate & Save code verifier Create code challenge Validates Code & Code Verifier

  28. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI Request Access Token with Auth Code, Client ID and Code Verifier User Allows or Denies Access Auth code returned Access Token Returned Generate & Save code verifier Create code challenge Validates Code & Code Verifier

  29. @stmcallister

  30. @stmcallister

  31. Layers of Security 1. Redirect URI must be registered 1.

    Prevents App Mocking @stmcallister

  32. Layers of Security 1. Redirect URI must be registered 2.

    Code Exchange for token 1. Prevents App Mocking 2. Prevents Man in the Middle @stmcallister

  33. Layers of Security 1. Redirect URI must be registered 2.

    Code Exchange for token 3. PKCE 1. Prevents App Mocking 2. Prevents Man in the Middle 3. Proves layers 1 and 2 are unified @stmcallister

  34. Further Reading Sample Code https://github.com/PagerDuty-Samples/pagerduty-bulk-user-mgr-sample Implement the OAuth 2.0 Auth

    Code with PKCE Flow https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce @stmcallister

  35. Scott McAllister Speaker, Writer, Coder PagerDuty @stmcallister stmcallister.github.io