
Client-side OAuth with PKCE (Indy.code() 2022)

The OAuth standard has been around for a while, but traditionally it has required a back-end server to keep a client secret, well, secret. Managing secrets can be a very hard problem to solve. Until now! By supporting Proof Key for Code Exchange, or PKCE, OAuth flows can be completed entirely in the client, and still be secure. In this talk we begin with the standard three-legged flow and then introduce PKCE. By the time you leave, you will understand how to implement it in your client applications and the benefits of doing so.

This version was presented at Indy.Code() 2022.

Scott McAllister

May 24, 2023

Transcript

  1. @stmcallister OAuth
     ❏ Open standard for authorizing secure access to an HTTP service
     ❏ Uses tokens rather than the user's password to authorize requests
     ❏ Provides "secure delegated access" to client applications
     ❏ Limits the user's scope of access
  2-4. Standard three-legged flow between the Client App and PagerDuty, revealed one step per slide:
     1. Client App requests authorization from PagerDuty with Client ID and Redirect URI
     2. User allows or denies access
     3. Auth code returned to the Client App (at the Redirect URI)
     4. Client App requests an access token with Auth Code, Client ID and Client Secret
     5. Access token returned
  5. The same flow with the secret-bearing exchange removed: the Client App requests authorization with Client ID and Redirect URI, the user allows or denies access, and the access token is returned directly from the authorization step, with no auth code and no client secret (this is the implicit grant; the OAuth 2.0 Security Best Current Practice recommends against it because the token travels in the redirect)
  6. PKCE terms
     ❏ code_verifier: a high-entropy random string of 43 to 128 unreserved characters (RFC 7636), typically random bytes base64url-encoded
     ❏ code_challenge: hash of the code_verifier, base64url-encoded without padding
     ❏ code_challenge_method: the hash method used; S256 means SHA-256, and "plain" (the verifier sent as-is) should not be used
  7-10. Authorization code flow with PKCE between the Client App and PagerDuty, revealed one step per slide:
     1. Client App generates and saves a code verifier, then creates the code challenge from it
     2. Client App requests authorization with Client ID, Code Challenge, Code Challenge Method and Redirect URI
     3. User allows or denies access
     4. Auth code returned to the Client App
     5. Client App requests an access token with Auth Code, Client ID and Code Verifier (no client secret)
     6. PagerDuty validates the code and the code verifier against the code challenge it saved
     7. Access token returned
  11-12. Layers of security, and what each one prevents:
     1. Redirect URI must be registered: prevents app mocking (an impostor app cannot have the code delivered to its own URI)
     2. Code exchange for the token: prevents man in the middle (seeing the code in the front channel is not enough to obtain a token)
     3. PKCE: proves layers 1 and 2 are unified, i.e. the client that exchanges the code is the same one that started the authorization request
  13. Further reading
     Sample code: https://github.com/PagerDuty-Samples/pagerduty-bulk-user-mgr-sample
     Implement the OAuth 2.0 Auth Code with PKCE Flow: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce