OAuth2: Ready or not?
Dominick Baier, http://leastprivilege.com

Dominick Baier
Security consultant at thinktecture. Focus on security in distributed applications: identity management, access control, Windows/.NET security, cloud computing. Microsoft MVP for Developer Security.
dominick.baier@thinktecture.com
http://leastprivilege.com
think mobile!

Agenda
Overview & use cases
Concerns & controversies
What is OAuth2? 4
History
OAuth started circa 2007
2008: IETF normalization started
2010: RFC 5849 defines OAuth 1.0
2010: WRAP (Web Resource Authorization Profiles) proposed by Microsoft, Yahoo! and Google
2010: OAuth 2.0 work begins in IETF
Working deployments of various drafts & versions at Google, Microsoft, Facebook, GitHub, Twitter, Flickr, Dropbox
Mid 2012: lead author and editor resigns & withdraws his name from all specs
October 2012: RFC 6749, RFC 6750

High level overview
(diagram: Resource Server, Client, Resource Owner)
OAuth2: The Players
Client (confidential or public, trusted or untrusted) is registered with the Authorization Server and accesses the Resource Server.
Resource Owner uses the Client, authorizes it, and "owns" a resource on the Resource Server.
Resource Server trusts the Authorization Server.

OAuth2 Flows
Authorization Code Flow (web application clients): 1. Request authorization 2. Request token 3. Access resource
Implicit Flow (native / local clients): 1. Request authorization & token 2. Access resource
("3-legged OAuth")
Resource Owner Password Credential Flow (trusted clients): 1. Request token 2. Access resource
("2-legged OAuth")

Authorization Code Flow (Web Application Clients)
(diagram: Web Application (Client), Resource Server, Resource Owner)

Step 1a: Authorization Request
Web Application (Client) -> Authorization Server (via the Resource Owner's browser)
GET /authorize?
  client_id=webapp&
  redirect_uri=https://webapp/cb&
  scope=resource&
  response_type=code&
  state=123
Consent
http://zachholman.com/2011/01/oauth_will_murder_your_children/

Step 1b: Authorization Response
Authorization Server -> Web Application (Client) (via the Resource Owner's browser)
GET /cb?
  code=xyz&
  state=123
Step 2a: Token Request
Web Application (Client) -> Authorization Server (back channel)
POST /token
Authorization: Basic (client_id:secret)

grant_type=authorization_code&
code=xyz

Step 2b: Token Response
Authorization Server -> Web Application (Client)
{
  "access_token": "abc",
  "expires_in": "360",
  "token_type": "Bearer",
  "refresh_token": "xyz"
}

Step 3: Resource Access
Web Application (Client) -> Resource Server
GET /resource
Authorization: Bearer access_token
JSON Web Token (JWT)
Header:
{ "typ": "JWT", "alg": "HS256" }
Claims:
{
  "iss": "http://myissuer",
  "exp": "1340819380",
  "aud": "http://myresource",
  "name": "alice",
  "role": "foo,bar"
}
Encoded (header.claims.signature):
eyjhbgcioijub25lin0.eyjpc3mioijqb2uila0kicjlehaiojezmd.4mtkzodasdqogimh0dha6ly9legft

(Step 4: Refreshing the Token)
Web Application (Client) -> Authorization Server
POST /token
Authorization: Basic (client_id:secret)

grant_type=refresh_token&
refresh_token=xyz
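Steps 1 to 2 above as a self-contained model, an added example and not code from the talk: an in-process authorization server and the web application client, with constructed registration data (client webapp, secret s3cret). It makes explicit the two checks behind the messages on the slides: the client only accepts a callback whose state matches the value it sent, and the server authenticates the client and redeems each code exactly once.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration for this example (not a real deployment).
CLIENTS = {"webapp": {"secret": "s3cret", "redirect_uri": "https://webapp/cb"}}

def _params(query):
    return {k: v[0] for k, v in parse_qs(query).items()}

class AuthorizationServer:
    def __init__(self):
        self.codes = {}  # code -> client_id it was issued to; each code is single use

    def authorize(self, query):
        # Step 1a/1b: after consent, redirect back with a fresh code and the caller's state.
        p = _params(query)
        client = CLIENTS[p["client_id"]]
        if p["response_type"] != "code" or p["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("invalid authorization request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = p["client_id"]
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, basic_auth, form):
        # Step 2a/2b: authenticate the confidential client (HTTP Basic), then redeem the code.
        client_id, secret = base64.b64decode(basic_auth.split()[1]).decode().split(":", 1)
        if not hmac.compare_digest(secret, CLIENTS[client_id]["secret"]):
            raise PermissionError("client authentication failed")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        if self.codes.pop(form.get("code"), None) != client_id:  # pop: a code cannot be replayed
            raise PermissionError("code unknown, already used, or issued to another client")
        return {"access_token": secrets.token_urlsafe(16), "expires_in": 3600,
                "token_type": "Bearer", "refresh_token": secrets.token_urlsafe(16)}

def start_login():
    """Client, step 1a: remember a random state and build the authorization request."""
    state = secrets.token_urlsafe(8)  # ties the callback to this browser session (CSRF defence)
    return state, urlencode({"client_id": "webapp", "redirect_uri": "https://webapp/cb",
                             "scope": "resource", "response_type": "code", "state": state})

def finish_login(auth_server, state, callback_url):
    """Client, steps 1b-2b: check state on the callback, then redeem the code over the back channel."""
    cb = _params(urlparse(callback_url).query)
    if not hmac.compare_digest(cb.get("state", ""), state):
        raise PermissionError("state mismatch: this callback was not started by this session")
    basic = "Basic " + base64.b64encode(b"webapp:s3cret").decode()
    return auth_server.token(basic, {"grant_type": "authorization_code", "code": cb["code"]})
```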
Client Management (e.g. Flickr) 23
Client Management (e.g. Dropbox) 24
Implicit Flow (Native / Local Clients)
(diagram: Resource Owner, Client)

Step 1a: Authorization Request
Client -> Authorization Server (via the Resource Owner's browser)
GET /authorize?
  client_id=nativeapp&
  redirect_uri=http://localhost/cb&
  scope=resource&
  response_type=token&
  state=123

Step 1b: Token Response
Authorization Server -> Client (token in the URL fragment)
GET /cb#
  access_token=abc&
  expires_in=3600&
  state=123

Step 2: Resource Access
Client -> Resource Server
GET /resource
Authorization: Bearer access_token

Resource Owner Password Credential Flow (Trusted Application)
(diagram: Resource Server, Resource Owner, Client)

Step 1a: Token Request
Client -> Authorization Server
POST /token
Authorization: Basic (client_id:secret)

grant_type=password&
scope=resource&
username=owner&
password=password

Step 1b: Token Response
Authorization Server -> Client
{
  "access_token": "abc",
  "expires_in": "360",
  "token_type": "Bearer",
  "refresh_token": "xyz"
}

Step 2: Resource Access
Client -> Resource Server
GET /resource
Authorization: Bearer access_token
Concerns & Controversies
artwork by @ChrisMCarrasco

Eran Hammer
http://hueniverse.com/2010/09/oauth-bearer-tokens-are-a-terrible-idea/
http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
OAuth2: Looking back and moving on, https://vimeo.com/52882780
Core (proposed standards): The OAuth2 Authorization Framework (RFC 6749); OAuth2 Bearer Token Usage (RFC 6750)
Informational: Threat Model and Security Considerations (RFC 6819)
Related drafts: JSON Web Token (JWT); JSON Web Encryption (JWE); JSON Web Signatures (JWS); JSON Web Algorithms (JWA); Assertion Framework for OAuth2; JWT Bearer Token Profiles; SAML 2.0 Bearer Token Profiles; Token Revocation; MAC Tokens; OAuth2 Resource Set Registration; Dynamic Client Registration; User-Managed Access; Chaining and Redelegation; Metadata & Introspection
http://datatracker.ietf.org/wg/oauth/
OpenID Connect drafts at http://openid.net/specs/: openid-connect-basic-1_0-23.html, openid-connect-implicit-1_0-06.html, openid-connect-messages-1_0-15.html, openid-connect-standard-1_0-16.html, openid-connect-discovery-1_0-12.html, openid-connect-registration-1_0-14.html, openid-connect-session-1_0-11.html

Bearer Token
A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).
Developers & SSL

Infrastructure & SSL
http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/

Security Theater
https://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp

OAuth2 for Authentication
OAuth2 is for authorization; authentication is a pre-requisite for that.
What many people really want is: let's use OAuth2 for authentication.
"Sign in with social provider X" → especially mobile apps
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
OAuth2 for Authentication: Request
Client -> Authorization Server (UserInfo RS is the resource server)
GET /authorize?
  client_id=nativeapp&
  redirect_uri=http://localhost/cb&
  scope=userinfo&
  response_type=token&
  state=123

OAuth2 for Authentication: Response
Authorization Server -> Client
GET /cb?
  access_token=abc&
  userid=123&
  expires_in=3600&
  state=123

OAuth2 for Authentication: Accessing User Data
Client -> UserInfo RS
GET /userinfo
Authorization: Bearer access_token
Response: Firstname, Lastname, Email

The Problem
1. User logs into malicious app (app steals token)
2. Malicious developer uses stolen access token in legitimate app
(diagram: the malicious app receives userid + access token; presenting the same access token to the legitimate app signs the attacker in as that user: Impersonated!)
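The JWT slide above and the token-theft problem on this slide, as one added example that is not code from the talk: an HS256 JWT is minted and verified as header.claims.signature, and the legitimate app's sign-in accepts the user's identity only when the token's aud claim names this app. Assumption not made on the slides: the authorization server sets aud to the client_id the token was issued for; the signing key and client ids are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 key for this example; a real authorization server keeps its key secret.
KEY = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict) -> str:
    """Build header.claims.signature as on the JWT slide, signed with HS256 over the first two parts."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, expected_aud: str, now=None) -> dict:
    """Check algorithm, signature, expiry and that the token was issued for *this* audience."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm (e.g. "none")
    expected = hmac.new(KEY, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if int(claims["exp"]) < (now if now is not None else time.time()):
        raise ValueError("expired")
    if claims.get("aud") != expected_aud:
        raise ValueError(f"token audience {claims.get('aud')!r} is not {expected_aud!r}")
    return claims

def sign_in(token: str, my_client_id: str, now=None) -> str:
    """The legitimate app's sign-in: a validly signed, unexpired token is not enough, it must name this app.
    A token the user obtained for a malicious app verifies fine but carries that app's id in aud, so it is
    rejected here instead of logging the token holder in as the user (assumed aud = client_id)."""
    return verify_jwt(token, expected_aud=my_client_id, now=now)["name"]
```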
(Other recent) Facebook Hacks
http://www.darkreading.com/blog/240148995/the-road-to-hell-is-authenticated-by-facebook.html
http://homakov.blogspot.no/2013/02/hacking-facebook-with-oauth2-and-chrome.html
www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html

Conclusion
OAuth2 is already widely used on the internet. It will find its way into your scenarios.
Current implementations are lacking, even by the big guys, let alone the myriad of DIY implementations.
Spec needs some refinement: "basic profile", MAC tokens.
Very good & balanced view: https://www.tbray.org/ongoing/when/201x/2013/01/23/oauth