OAuth2 Ready or not? Dominick Baier

Size: px

Start display at page:

Download "OAuth2 Ready or not? Dominick Baier h.p://leastprivilege.com @leastprivilege"

Gabriella George
8 years ago
Views:

1 OAuth2 Ready or not? Dominick Baier h.p://leastprivilege.com

2 Dominick Baier Security consultant at thinktecture Focus on security in distributed applica9ons iden9ty management access control Windows/.NET security cloud compu9ng MicrosoE MVP for Developer Security h.p://leastprivilege.com think mobile! 2

3 Agenda Overview & use cases Concerns & controversies 3

4 What is OAuth2? 4

5 History OAuth started circa IETF normalizauon started in RFC 5849 defines OAuth WRAP (Web Resource AuthorizaUon Profiles) proposed by MicrosoE, Yahoo! And Google OAuth 2.0 work begins in IETF Working deployments of various draes & versions at Google, MicrosoE, Facebook, Github, Twi.er, Flickr, Dropbox Mid 2012 Lead author and editor resigned & withdraws his name from all specs October 2012 RFC 6749, RFC

0 work begins in IETF Working deployments of various draes & versions at Google, MicrosoE, Facebook, Github, Twi.

6 High level overview Resource Server Client Resource Owner 6

7 7

8 8

9 9

10 10

11 High level overview Resource Server Client Resource Owner 11

12 OAuth2: The Players Confiden9al/Public is registered with Trusted/Untrusted uses Client authorizes accesses AuthorizaUon Server trusts "owns" a resource Resource Owner Resource Server 12

13 OAuth2 Flows AuthorizaUon Code Flow Web applica9on clients 1. Request authoriza9on 2. Request token 3. Access resource Implicit Flow Na9ve / local clients 1. Request authoriza9on & token 2. Access resource Resource Owner Password CredenUal Flow Trusted clients 1. Request token 2. Access resource "3- legged OAuth" "2- legged OAuth" 13

Access resource Implicit Flow Na9ve / local clients 1.

14 Authoriza9on Code Flow (Web Applica9on Clients) Web Applica9on (Client) Resource Server Resource Owner 14

15 Step 1a: Authoriza9on Request Web Applica9on (Client) Authoriza9on Server GET /authorize? client_id=webapp& redirect_uri= scope=resource& response_type=code& state=123 Resource Owner 15

client_id=webapp& redirect_uri=https://webapp/cb&

16 Consent h.p://zachholman.com/2011/01/oauth_will_murder_your_children/ 16

17 Step 1b: Authoriza9on Response Web Applica9on (Client) Authoriza9on Server GET /cb? code=xyz& state=123 Resource Owner 17

18 Step 2a: Token Request Web Applica9on (Client) Authoriza9on Server POST /token Authorization: Basic (client_id:secret) grant_type=authorization_code& authorization_code=xyz Resource Owner 18

19 Step 2b: Token Response Web Applica9on (Client) Authoriza9on Server { "access_token" : "abc", "expires_in" : "360", "token_type" : "Bearer", "refresh_token" : "xyz" } Resource Owner 19

20 Step 3: Resource Access Web Applica9on (Client) Resource Server GET /resource Authorization: Bearer access_token Resource Owner 20

21 JSON Web Token (JWT) Header Claims { "typ": "JWT", "alg": "HS256" } { "iss": " "exp": " ", "aud": " "name": "alice", "role": "foo,bar", } eyjhbgcioijub25lin0.eyjpc3mioijqb2uila0kicjlehaiojezmd.4mtkzodasdqogimh0dha6ly9legft Header Claims Signature 21

22 (Step 4: Refreshing the Token) Web Applica9on (Client) Authoriza9on Server POST /token Authorization: Basic (client_id:secret) grant_type=refresh_token& refresh_token=xyz Resource Owner 22

23 Client Management (e.g. Flickr) 23

24 Client Management (e.g. Dropbox) 24

25 Implicit Flow (Na9ve / Local Clients) Resource Owner Client 25

26 Step 1a: Authoriza9on Request Resource Server Authoriza9on Server GET /authorize? client_id=nativeapp& redirect_uri= scope=resource& response_type=token& state=123 Resource Owner Client 26

27 Step 1b: Token Response Resource Server Authoriza9on Server GET /cb# access_token=abc& expires_in=3600& state=123 Resource Owner Client 27

28 Step 2: Resource Access Resource Server GET /resource Authorization: Bearer access_token Resource Owner Client 28

29 Resource Owner Password Creden9al Flow (Trusted Applica9on) Resource Server Resource Owner Client 29

30 Step 1a: Token Request Resource Server Authoriza9on Server POST /token Authorization: Basic (client_id:secret) grant_type=password& scope=resource& user_name=owner& password=password& Resource Owner Client 30

31 Step 1b: Token Response Resource Server Authoriza9on Server { "access_token" : "abc", "expires_in" : "360", "token_type" : "Bearer", "refresh_token" : "xyz" } Resource Owner Client 31

32 Step 2: Resource Access Resource Server GET /resource Authorization: Bearer access_token Resource Owner Client 32

33 Concerns & Controversies artwork 33

34 Eran Hammer h.p://hueniverse.com/2010/09/oauth- bearer- tokens- are- a- terrible- idea/ h.p://hueniverse.com/2010/09/oauth without- signatures- is- bad- for- the- web/ h.p://hueniverse.com/2012/07/oauth and- the- road- to- hell/ OAuth2: Looking back and moving on hdps://vimeo.com/

35 35

36 JSON Web Token (JWT) JSON Web Encryp9on (JWE) JSON Web Signatures (JWS) JSON Web Algorithms (JWA) Asser9on Framework for OAuth2 JWT Bearer Token Profiles SAML 2.0 Bearer Token Profiles Token Revoca9on MAC Tokens The OAuth2 AuthorizaUon Framework (RFC 6749) OAuth2 Bearer Token Usage (RFC 6750) Threat Model and Security ConsideraUons (RFC 6819) Core (proposed standards) Informa9onal OAuth2 Resource Set Registra9on Dynamic Client Registra9on User- Managed Access Chaining and Redelega9on Metadata & Introspec9on hdp://datatracker.ief.org/wg/oauth/ hdp://openid.net/specs/openid- connect basic- 1_0-23.html implicit- 1_0-06.html messages- 1_0-15.html standard- 1_0-16.html discovery- 1_0-12.html registra9on- 1_0-14.html session- 1_0-11.html 36

37 Bearer Token!!A security token with the property that any party!in possession of the token (a "bearer") can use the!token in any way that any other party in possession!of it can. Using a bearer token does not!require a bearer to prove possession of!cryptographic key material (proof-of-possession).! 37

38 Developers & SSL 38

39 Infrastructure & SSL hdp://gigaom.com/2013/01/10/nokia- yes- we- decrypt- your- hdps- data- but- dont- worry- about- it/ 39

40 Security Theater hdps://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp 40

41 OAuth2 for Authen9ca9on OAuth2 is for authorizauon authen9ca9on is a pre- requisite for that What many people really want is: let's use OAuth2 for authen9ca9on "Sign- in with social provider X" à especially mobile apps h.p:// safe.com/2012/01/problem- with- oauth- for- authenucauon.html 41

42 OAuth2 for Authen9ca9on: Request UserInfo RS Authoriza9on Server GET /authorize? client_id=nativeapp& redirect_uri= scope=userinfo& response_type=token& state=123 Resource Owner Client 42

43 OAuth2 for Authen9ca9on: Response UserInfo RS Authoriza9on Server GET /cb? access_token=abc& userid=123& expires_in=3600& state=123 Resource Owner Client 43

44 OAuth2 for Authen9ca9on: Accessing User Data UserInfo RS GET /userinfo Authorization: Bearer access_token Firstname, Lastname, Resource Owner Client 44

45 The Problem userid, access token Impersonated! access token 1. User logs into malicious app (app steals token) 2. Malicious developer uses stolen access token in legiumate app 45

46 (Other recent) Facebook Hacks h.p:// the- road- to- hell- is- authenucated- by- facebook.html h.p://homakov.blogspot.no/2013/02/hacking- facebook- with- oauth2- and- chrome.html how- i- hacked- any- facebook- accountagain.html 46

47 Conclusion OAuth2 is already widely used on the internet It will find its way into your scenarios Current implementauons are lacking even by the big guys let alone the myriad of DIY implementa9ons Spec needs some refinement "basic profile" MAC tokens Very good & balanced view hdps:// 47

Securing ASP.NET Web APIs Dominick Baier h;p://leastprivilege.com @leastprivilege

Securing ASP.NET Web APIs Dominick Baier h;p://leastprivilege.com think mobile! Dominick Baier Security consultant at thinktecture Focus on security in distributed applica9ons iden9ty management access