WITH OAUTH 2.0 IN§In-depth understanding of the subtleties of OAuth 2.0 −The difference between...

@baaz / @PhilippeDeRyck

SECURE AUTHENTICATION

WITH OAUTH 2.0IN

Balint Erdi - PhilippeDeRyckEmberconf 2017

https://balinterdi.com/@baaz @PhilippeDeRyck

https://www.websec.be


WHO HERE FULLY UNDERSTANDS OAUTH 2.0?


OAUTH 2.0IS A MESS


ABOUT US – BALINT ERDI

§ Balint isatotalEmberenthusiast−RegularlyconsultswithlargecompaniesonbuildingEmberapps−NumerousscreencastsandblogpostsaboutEmberconcepts−OrganizesworkshopsonvariousEmbertopics,includingauthentication−GivesanothertalkhereatEmberConf!−Moreinfoonhttps://balinterdi.com/

§ AuthorofthepopularbookRockandRollwithEmber.js−Keptup-to-datewiththelatestevolutionsinEmber−Pinpointsthecoreconceptsandexplainsthemindetail


ABOUT US – PHILIPPE DE RYCK

§Mygoalistohelpyoubuildsecurewebapplications−Hostedandcustomizedin-housetraining− Specializedsecurityassessmentsofcriticalsystems− Threatlandscapeanalysisandprioritizationofsecurityefforts−Moreinformationandresourcesonhttps://www.websec.be

§Mysecurityexpertiseisbroad,withafocusonWebSecurity−PhDinclient-sidewebsecurity−MainauthorofthePrimeronclient-sidewebsecurity

5


WE WILL FOCUS ON AUTHENTICATION WITH OAUTH 2.0

§OAuth2.0isaveryversatileframework,usedforvariouspurposes− Inthisworkshop,weexplicitlylimitthescopetoauthentication− Theadvicegivenherethereforeappliestoauthenticationscenarios

§ Inthecominghours,wewilldivedeepintoOAuth2.0−Acoupleoflecturesexplainimportantconceptsandsecurityproperties− Thehands-onlabsessionsputyouinthedriver’sseat

§ Ifyouhaveanyquestions,don’twaittoaskthem!−Duringthelabsessions,thereshouldbesometimeforbroaderquestionsaswell


WHAT YOU WILL LEARN IN THIS WORKSHOP

§ In-depthunderstandingofthesubtletiesofOAuth2.0− ThedifferencebetweenthefourmainOAuth2.0flows−Practicaladvicewhichflowyoushouldbeusing,andwhy− TherelationofOpenIDConnectwithOAuth2.0andauthentication

§Hands-onexperiencewithimplementingOAuth2.0authenticationinEmber−UsingacombinationofEmber-Simple-Auth andTorii−AlookunderthehoodofaToriiprovider

§ DetailedoverviewofcommonthreatsagainstOAuth2.0flows−Hands-onexperiencewithinvestigatingthestepsinanOAuth2.0flow−Practicalattackscenariosandimportantcountermeasures


OAUTH 2.0AND AUTHENTICATION


WHAT IS OAUTH 2.0ALL ABOUT?

Delegation


WHAT DELEGATION IS ALL ABOUT …

accountantCTO bank

accountX

IwanttoaccessaccountX1

Sure,here’smypermission

2

IwanttoaccessaccountX3

Sure,here’sanaccesscard

4

ShowmethebalanceofaccountX

5 $50 6


APRACTICAL EXAMPLE OF DELEGATION


SO WE CAN USE THIS FOR AUTHENTICATION?

No


BUT AUTHENTICATION WITH OAUTH 2.0SEEMS SIMPLE …

user

Rock&Roll

IwanttologinwithFacebook1

Welcome“PhilDR”4

Facebook

Whoisthisguy?2 [email protected]

3


WHY AUTHENTICATION WITH OAUTH 2.0IS NOT SIMPLE

§ Authenticatingauserisaboutgettingverifiableuserinformation−Butweneedtoknowwhowearegettingthatinformationfor− Theauthenticationproviderprobablydoesnotjustshareanybody’sinformation

§ RememberthatOAuth2.0isallaboutdelegation− Theusercandelegateaccesstohisinformationtoourapplication−Wecanusethataccesstofetchuserinformation,andauthenticatetheuser

§WhatmakesOAuth2.0(andauthentication)complexisthisdelegation−We’reusingtheentireOAuth2.0frameworktoonlydelegateatinybitofaccess−Andbecauseweonlyneedabit,wewillalsobeabletosimplifythingsabit


IN PRACTICE,IT’S A BIT MORE COMPLICATED …

user

Rock&Roll

IwanttologinwithFacebook1

GivemeaccesstoyourFBuserinfo2

FacebookIwanttogiveR&RaccesstomyFBuserinfo3

OK,here’satokenthatgrantsaccess4

Here’satokentogetmyinfo5

Showmetheuserinfo6 [email protected]

7Welcome“PhilDR”8


MAKING SENSE OF OAUTH 2.0FLOWS

§ TheOAuth2.0specoffers4distinctflows,eachwiththeirownpurpose−Choosingtherightflowishard− Terminologycanalsobefairlyconfusing

§ PuttingOAuth2.0rolesincontextforauthentication−Client:theRock&Rollapplication−Useragent:thebrowser−Resourceowner:theuserthatownstheaccount−Resourceserver:theserverhostingtheaccountinformation(e.g.Facebook)−Authorizationserver:theserverthatauthenticatestheclient(e.g.Facebook)


FLOW 1:RESOURCE OWNER PASSWORD CREDENTIALS

Client AuthorizationServer

LoginwithFBuser:philippe

pass:qwerty12345

1 Hello“PhilDR”6

Iwantaccessasuserphilippe withpass…2

OK,here’satokenthatgrantsaccess

3

Iwanttoaccesstheuserinfo4

[email protected]

Resourceserver

UserAgent(resourceowner)


FLOW 2:IMPLICIT GRANT



LoginwithFB1

OK,gotoFBplease2

IwanttogiveR&Raccess3


Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

10

[email protected]


FLOW 3:AUTHORIZATION CODE



LoginwithFB1

OK,gotoFBplease2


Iwanttoaccesstheuserinfo

[email protected]

server

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’sanauthorizationcode

6

Here’sthecode7

12

CanIhaveanaccesstokenplease?8

9 Hereyougo

10

11


FLOW 4:CLIENT CREDENTIALS


Iwantaccessasmyself1

OK,here’satokenforthat2

AccessAPI3

info4Resourceserver


MAKING SENSE OF OAUTH 2.0FLOWS

§ Resourceownerpasswordcredentials− Onlyrelevantiftheclientandtheresourceownertrusteachother100%

• E.g.whenFacebookbuildsaFacebookclient

§ ImplicitGrant− Directlyexposestheaccesstokentothefrontendapplication

• MainlyusefulfordirectAPIaccessfromwithinJavaScript

§ Authorizationcode− Preferredflowtoensurethesecurityoftheaccesstoken

• TheflowtouseforwhenthebackendneedstoaccessanAPI

§ Clientcredentials− UsefulforwhentheapplicationneedsaccesstoanAPI


WHICH FLOW CAN WE USE TO SUPPORT AUTHENTICATION?

§ Thereisalotofconflictingadviceoutthere−Manyapplicationsusetheresourceownerpasswordcredentialsflow−Mosttutorialsrecommendtheuseoftheimplicitgrant flow

§ Inthiscase,theonlyrightansweristheauthorizationcode flow− Thisflowoffersthestrongestsecuritybenefits− Itlooksmorecomplexthantheimplicitgrant flow,butinpracticeitisnot

§ Thisworkshopwillfocusontheimplicitgrant andauthorizationcode flow−Wewillshowyouthedifferencesandsecuritybenefits− Thelabsessionscoverbothimplementationandsecurityaspects


SUPPORTING OAUTH 2.0IN EMBER


AUTHENTICATION IN EMBER

§ EmberSimpleAuth (ESA) isapopularauthenticationlibraryforEmber− Itoffersabstractionsforauthenticationandauthorization− Itofferssessionmanagementfeaturestokeeptrackofauthenticationstate

§ Tosupportdifferentauthenticationstrategies,authenticatorsareused− Theauthenticationprocessisdelegatedtothespecifiedauthenticator

§ Tosupportauthorization,variousmixins areprovided−Addanauthorizationchecktoroutes−Addasessiontokentooutgoingrequests−…


EMBER SIMPLE AUTH CODE EXAMPLE


RUNNING OAUTH 2.0FLOWS WITH TORII

§ ToriiisanotherpopularEmberlibrarytointegrateauthentication− ItmainlyfocusesoncomplexOAuth2.0flows−Butalsoofferssupportforauthorizationandsessionmanagement

§ Toriimakespowerfulabstractionsfromcomplexflows−AnOAuth2.0providerrunstheentireflowinapopup,andsimplyreturnstheresults−Allthecomplexconfigurationishiddenintheprovider

§ ToriialreadysupportsnumerousOAuth2.0flowsoutofthebox− SupportforGoogle,Facebook,Github,…− Supportforbothimplicitgrant andauthorizationcode flows


TORII CODE EXAMPLE


INTEGRATING TORII WITH EMBER SIMPLE AUTH

§ ThepowerofToriiisthatiteasilyintegrateswithexistingapplications− ExistingauthenticationmechanismscaneasilycallaToriiprovider

§ CustomESAauthenticatorsdelegatetheflowtoaToriiprovider− ToriitakescareofrunningtheOAuth2.0flow− ESAtakescareofstoringtheauthenticationinformationafterasuccessfulflow− Thisintegratesdirectlywiththealreadyexistingauthorizationmixins

§ Thisisexactlywhatyouwilldointhisworkshop


BACKEND SUPPORT FOR TORII AND ESA

§ ThebackendisresponsibleforprocessingtheOAuth2.0results− Thiscaneitherbeanaccesstoken orauthorizationcode−Withthisinformation,thebackendfetchesassociatedidentityinformation

§ Contactingthebackendcaneasilybedonefromwithintheauthenticator−AftertheOAuth2.0flowhascompleted,theresultissenttotheserverwithAJAX− Theserverreturnsasessiontokenafterasuccessfulauthentication− ThisisthetokenthatESAstoresinlocalStorage

§ Forthisworkshop,wehavealreadyimplementedthebackendendpoints


AUTHENTICATION WITH OAUTH 2.0Labsession


PRACTICAL INFO FOR THE LAB SESSIONS

§ YouwillbeworkingonthefrontendoftheRock&Roll application− Youshouldhaveclonedtherepobynow

• Ifnot,checkyouremailforinstructions,orcalloneoftheusinaminute−WewilladdauthenticationwithOAuth2.0byusingGoogle,FacebookandGithub

§ Allofthelabsessionsarefullydocumented− Theguidesthattellyouwhatyouneedtodo,withdetailedinstructionsifnecessary− Therepositoryhasbranchesforeachstep,soyoucanalwaysstartwithacleanslate

§ ThebackendisrunningonHeroku,andissharedforeveryone− Therelevantsourcecodeisincludedintheguidesascodesnippets



Guidesforthelabsessionshttp://bit.ly/2nEAdRj

Slideshttp://bit.ly/2n9NzC5

SlackChannelhttps://balinterdi.slack.com/,#emberconf17-workshop


WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION

§ ToriiandESAprovideacleansetofabstractionsforauthentication− TiesinrealnicewithexistingconceptsinyourEmberapplication−DoseparateyoursessionmanagementfromtheOAuth2.0authentication

§OAuth2.0caneffectivelybeusedforauthentication−Boththeimplicitgrant andauthorizationcodeflowsarewellsupported− ThankstoTorii,frontendimplementationisreallylimitedforbothflows

§ Thebackendalsoplaysanimportantroleintheauthenticationprocess−Wehaveshieldedyoufromthebackend,butwilltakealookatitnow


SECURITY IN OAUTH 2.0


OAUTH 2.0FLOWS ARE ALL ABOUT ACCESS TOKENS

§ Ineveryflow,theclientgetsanaccesstoken toaccessprotectedresources− Theaccesstokenisabearertoken,sowhoeverpossessesitcanuseit

§ Forauthentication,theaccesstoken isonlyneededonce−Withtheaccesstoken,theclientcanfetchuseridentityinformation−Withthisinformation,anewsessionfortheusercanbeestablished−Afterthat,theaccesstokenshouldbediscarded,asaccessisnolongerneeded

§ Duringtheflows,theaccesstokensneedtobeadequatelyprotectedaswell−AlltrafficshouldhappenoverasecureHTTPSchannel− Exposureoftheaccesstokenshouldbelimited− TheintegrityoftheOAuth2.0flowshouldbeensured


NETWORK ATTACKS ARE EASIER THAN EVER TO EXECUTE


ACCESS TOKENS TRAVEL ACROSS THE NETWORK



LoginwithFB1

OK,gotoFBplease2



Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

10

[email protected]


LIMITING THE EXPOSURE OF THE ACCESS TOKEN IS CRUCIAL


ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION



LoginwithFB1

OK,gotoFBplease2



Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

10

[email protected]


ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION



LoginwithFB1

OK,gotoFBplease2



[email protected]

server

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4


6

Here’sthecode7

12


9 Hereyougo

10

11


LIMITING THE EXPOSURE OF THE ACCESS TOKEN IN THE BACKEND

§Manybackendsystemsneedcontinuousaccesstotheprotectedresource− Thisrequirespossessionoftheaccesstoken−Butifthesetokensgetstolen,theuser’sareinserioustrouble

§ Forauthenticationpurposes,theaccesstoken canbediscardedafteruse−Atthatpoint,thebackendhasfetchedtheuser’sidentityinformation−Discardingthetokenlimitstheriskoftheftinadatabreach

§ Theriskoftheftisevengreaterwithrefreshtokens− Thesetokensarelonglivedandallowaclienttogetanewaccesstoken−Wedon’tneedthoseatall,soifyougetthem,discardthemimmediately


THE HIDDEN PARTS OF SETTING UP OAUTH 2.0

§ Theresourceownerneedstogranttheclientaccesstotheresources− Thisrequirestheregistrationofaclientapplicationwiththeresourceprovider− Youneedtoprovideclientinformation,includingspecificredirectURIs−Duringregistration,yougetaclientIDandaclientsecret


THE HIDDEN PARTS OF SETTING UP OAUTH 2.0

§ Theresourceownerneedstogranttheclientaccesstotheresources− Thisrequirestheregistrationofaclientapplicationwiththeresourceprovider− Youneedtoprovideclientinformation,includingspecificredirectURIs−Duringregistration,yougetaclientIDandaclientsecret

§ TheclientIDisusedtoidentifytheclient− Thisisnon-sensitiveinformationanddoesnotneedtobekeptsecret

§ Theclientsecretisusedtoauthenticatetheclient− Thisisessentiallyapassword,andshouldbekeptconfidential− Itcanbeusedinthebackend,butshouldneverbesharedwiththefrontend


IDENTIFYING THE CLIENT IN THE IMPLICIT GRANT FLOW



LoginwithFB1

OK,gotoFBplease2



Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

10

[email protected]

RedirectthebrowsertoFacebookwiththeclientID2


THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION

§ Clientidentificationintheimplicitgrantflowisdifficult− Theflowrunsentirelyinthebrowser,whichisconsideredtobeuntrusted− Theclientsecretcannotbesharedwiththebrowser

§Mostimplicitgrant flowseasilyacceptfraudulenttokens−HappenswhenapplicationhappilyacceptstokensthatareissuedforapplicationA



UserAgent(attacker)

Goodclient

AccessAPI

Resourceserver

Hello“PhilDR”

Token15

Userinfo

Badclient


AuthorizationServer

LoginwithFB1

GotoFB2

Authorizebadclient3

CredentialsforFB5

Pleaselogin4

OK,here’satoken6

FBtoken7

Resourceserver

AccessAPI8

Userinfo9

Hello“PhilDR”10

11

12

13

14




§Mostimplicitgrant flowseasilyacceptfraudulenttokens−HappenswhenapplicationhappilyacceptstokensthatareissuedforapplicationA− Toavoidthis,theclientmustexplicitlyvalidatethetokenbeforeuse




§Mostimplicitgrantflowseasilyacceptfraudulenttokens−HappenswhenapplicationhappilyacceptstokensthatareissuedforapplicationA− Toavoidthis,theclientmustexplicitlyvalidatethetokenbeforeuse

§ AsimilarproblemexistsiftheredirectURIcanbetamperedwith− Thiswillcausethetokentobesentdirectlytotheattacker,allowingreuse


REDIRECT URIS HELP ENSURE THE INTEGRITY OF A FLOW



LoginwithFB1

OK,gotoFBplease2



Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

10

[email protected]

RedirectthebrowsertoFacebook,andincludetheURItoredirecttoinstep6

https://accounts.google.com/o/oauth2/auth?client_id=…&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Foauth2callback

2

TheredirectURIwillbepropagatedalongsteps3,

4and5



§ Amaliciousredirectcanresultinleakingtheaccesstoken− Topreventthis,theauthorizationserverneedstoverifythevalidityoftheURI− That’salsowhyyouneedtospecifytheredirectURIupfront



§ Amaliciousredirectcanresultinleakingtheaccesstoken− Topreventthis,theauthorizationserverneedstoverifythevalidityoftheURI− That’salsowhyyouneedtospecifytheredirectURIupfront

§Openredirectscanbeabusedtostealtokensaswell−AnopenredirectisaURIwithinyourdomainthatwilltriggeracontrollableredirect− Thiswillenablethestealingoftheaccesstoken

§MakesureyourbackenddoesnothavearedirectwithacontrollableURI

http://example.com/login?src=http://www.example.com/secretCats


WHY THE AUTHORIZATION CODE FLOW IS BETTER

§ Bynow,youprobablyrealizethattheimplicitgrant flowisnotverysecure− Thereisnoclientauthentication,onlyidentificationwithapublicidentifier− Itrequiresadditionalefforttoensurethevalidityofthetokens− Tokenspassthroughthebrowser,makingthemmorevulnerabletoexposure

§ Theauthorizationcode flowhandlestheseproblemsalotbetter−Accesstokensareneverseenbythebrowser−ClientauthenticationisdonebytheauthorizationserverusingclientIDandsecret

§ Evenifanauthorizationcodeisstolen,theimpactislimitedtonone− Exchangingastolenauthorizationcodeforanaccesstokenrequirestheclientsecret−Authorizationcodesareone-timeuseonly


IDENTIFYING THE CLIENT IN THE AUTHORIZATION CODE FLOW



LoginwithFB1

OK,gotoFBplease2



[email protected]

server

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4


6

Here’sthecode7

12


9 Hereyougo

10

11

RedirectthebrowsertoFacebookwiththeclientID2

ExchangetheauthorizationcodeforanaccesstokenusingclientIDandclientsecret

8


THE HIDDEN PARTS OF USING AN OAUTH 2.0FLOW

§ AnOAuth2.0flowstartswitharedirecttotheauthorizationserver− Thisfirstrequestcontainsparameterstosetthepropertiesoftheflow−WealreadycoveredtheclientIDandredirectURI,buttherearemore

§ Commonparameterstoconfiguretheflow−Responsetype:whattheresponseshouldinclude(codeortoken)− Scope:thepermissionstheclientisrequestingfromtheresourceowner− State:arandom,uniquestringtoprotectagainstCross-SiteRequestForgery

§ Theseparametershavebeenhiddensofar,becauseToriitookcareofthis− Thisbecomesextremelyrelevantifyouhavetowriteyourownprovidersomeday


SCOPE AND PERMISSIONS


SCOPE AND PERMISSIONS

§ Thescope parameterallowstheclienttorequestspecificpermissions− Thesepermissionsareshowntotheuserduringauthorizationoftheapplication− Thelistofavailablepermissionsisspecifictoeachprovider

§ Thesepermissionsareassociatedwiththeaccesstoken−Accesstokensarebearertokens,sotheycanbere-usedwhenstolen−Donotoverreachonthescope,andlimitthescopetotheaccessyouneed− Forauthenticationpurposes,accesstotheemailaddressisgenerallysufficient

§Notethatthegrantedpermissionscandifferfromtherequestedpermissions−Checkthegrantedpermissionstoseeifyouhaveallyouneed


VIOLATING FLOW INTEGRITY THROUGH CSRF

§ Cross-SiteRequestForgeryallowsanattackertodisrupttheOAuth2.0flow− Theattackistostoptheflowinonebrowserandresumingitintheotherbrowser− Thisresultsinthesuccessfulauthenticationasadifferentuser



AuthorizationServer

UserAgent(attacker)

Client


Resourceserver

Hello“Balint”

Here’stheFBtoken7

10

[email protected]

9

LoginwithFB1

OK,gotoFBplease2


Authorizate R&R3

Pleaselogin4

Token6

Credentials5



§ Cross-SiteRequestForgeryallowsanattackertodisrupttheOAuth2.0flow− Theattackistostoptheflowinonebrowserandresumingitintheotherbrowser− Thisresultsinthesuccessfulauthenticationasadifferentuser

§ Theconsequenceofthisattackisverysubtle−Allactionstheuserperformswillbedoneinthenameoftheattacker− E.g.iftheapplicationstoressensitiveuserdata,suchassearchqueries− E.g.iftheattackerputmaliciouscodeinhisaccount,itwillbeexecutedbytheuser

§ Therootcauseistheseparationbetweeninitializationandfinalization− Thesolutionistotiebothstepstogetherwiththestateparameter


LINKING INITIALIZATION AND FINALIZATION WITH STATE



LoginwithFB1

OK,gotoFBplease2



Resourceserver

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4

OK,here’satoken6

Here’stheFBtoken7

10

[email protected]

TheclientincludesarandomstateparameterintheURI

2

Clientcomparesstateparameterwiththestoredvalue7

Stateparameterispropagatedthroughsteps3,4,5,6and7



AuthorizationServer

UserAgent(attacker)

Client


Resourceserver

Hello“Balint”

Here’stheFBtoken7

10

[email protected]

9

LoginwithFB1

OK,gotoFBplease2


Authorizate R&R3

Pleaselogin4

Token6

Credentials5

Stateinstep7doesnotmatchanystoredstate

7


RECAPPING SECURITY BEST PRACTICES

§ Limittheexposureoftheaccesstoken−RunalltrafficoverasecureHTTPSchannel−Choosetheauthorizationcode flowovertheimplicitgrant flow−Removetheaccesstokenafteruse

§ Limitthescopeoftheaccesstoken

§ EnsuretheintegrityofanOAuth2.0flow− SpecifyconcreteredirectURIsandvoidthepresenceofopenredirects−Verifythevalidityofaccesstokens comingfromtheclient−Usethestate parametertopreventCSRFattacks(includedinTorii’sdefaultproviders)


SECURING OAUTH 2.0FLOWS

Labsession



§ Forthislabsession,weneedaworkingimplementationofOAuth2.0flows− Youcancontinueonyourownimplementation−Alternatively,youcancheckoutthefacebook-authentication-code branch

§Wearegoingtoinvestigatethesecuritypropertiesofthedifferentflows− Seewhatyoucandowithanaccesstokenandauthorizationcode−WearegoingtouseBurpandFirefoxformostofthis− Ifyourunintoproblems,don’thesitatetocallusover!

§WecanusethesamesharedbackendrunningonHeroku− Therelevantsourcecodeisincludedintheguidesascodesnippets



Guidesforthelabsessionshttp://bit.ly/2nEAdRj

Slideshttp://bit.ly/2n9NzC5

TokenInspectorhttp://bit.ly/2nsybU7

Slackteamandchannelhttps://balinterdi.slack.com/,#emberconf17-workshop


WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION

§ Theimplicitgrant flowisinherentlyinsecure,butoftenused− Themainreasonpeopleadvisethisflowisbecauseofease-of-use−Butwehaveseenthatifyoudoitright,therequiredeffortisverysimilar

§ SecureOAuth2.0flowsareallaboutthedetails− Subtledifferencesbetweentheimplicitgrant andauthorizationcode flow− Settingthescope,redirectURIandstateparametersrequiresknowledge

§ Limitingtheexposureoftheaccesstokenisabsolutelycrucial−Donotsenditviathebrowser−Deleteitfromthebackendafterauthentication


OAUTH 2.0AND OPENIDCONNECT


AUTHENTICATION WITH OAUTH 2.0IS MESSY

§ FetchinguserinformationwithOAuth2.0highlydependsontheprovider− Everyproviderhasdifferentendpointsforallkindsofdata− Someprovidershavecustomsettings(e.g.theemailaddressonGithub)

§ Supportingmultipleprovidersisnotreallyeasy−Requiresalotofmaintenance,especiallywhenAPIsevolve

§ Thingsbecomeevenworsewhenyouneedtorelyonthirdpartyservices− Inthisworkshop,wehadourownindependentsessionmanagement− Thisisnotalwaysthecase,andpropagatingthatinfoacrossthebackendisdifficult


OPENIDCONNECT TO THE RESCUE

§OpenIDConnect(OIDC)aimstosolvetheseissues−Astandardizedwaytoexchangeidentityinformationbetweenservices−HeavilybasedonJSONWebTokens(JWT)

§OIDCisactuallybuiltontopofOAuth2.0−OAuth2.0isaveryflexibleandopenframework−OIDCmakesveryexplicitchoices,andlocksOAuth2.0downintoaspecificscenario

§OIDCstillusestheOAuth2.0flowswecoveredheretoday− First,theclientusesanauthorizationcode flowtogetanauthorizationcode−Next,theauthorizationcodeisexchangedforanidentitytoken


FLOW 3:AUTHORIZATION CODE



LoginwithFB1

OK,gotoFBplease2



[email protected]

server

CredentialsforFB5

Hello“PhilDR”

Pleaselogin4


6

Here’sthecode7

12


9 Hereyougo

10

11


OPENIDCONNECT WITH THE AUTHORIZATION CODE FLOW


Client Tokenendpoint

LoginwithGoogle1

GotoGoogle2


CredentialsforGoogle5

Hello“PhilDR”

Pleaselogin4


6

Here’sthecode7

10

Idtokenandaccesstokenplease?8

9 Hereyougo


OPENIDCONNECT RETURNS AN IDENTITY TOKEN

@baaz / @PhilippeDeRyck 74http://jwt.io/


AJWTIS A BASE64-ENCODED DATA OBJECT

{"alg": "HS256","typ": "JWT"

}

{"iss": ”distrinet.cs

.kuleuven.be","exp": 1425078000000,"name": "philippe","admin": true

}

HMACSHA256(base64UrlEncode(header)+ "." +base64UrlEncode(payload),“secret”

)

Header Payload Signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaXN0cmluZXQuY3Mua3VsZXV2ZW4uYmUiLCJleHAiOjI0MjUwNzgwMDAwMDAsIm5hbWUiOiJwaGlsaXBwZSIsImFkbWluIjp0c

nVlfQ.dIi1OguZ7K3ADFnPOsmX2nEpF2Asq89g7GTuyQuN3so

75


JWTIS AN OPEN STANDARD TO EXCHANGE INFORMATION

§ JWTtokensrepresenteasy-to-exchangedataobjects−Contentissignedtoensureintegrity−Contentisbase64-encoded,toensuresafehandlingacrosstheweb

§ JWTsupportsvariouskindsofalgorithms− E.g.signaturewithonesharedkeyontheserver-side,forusewithinoneapplication− E.g.signaturewithapublic/privatekeypair,foruseacrossapplications

§ ThismakesJWTtokenssousefulinanOIDCenvironment− IdentityinformationisencodedasaJWTtoken,signedwithaprivatekey−Anypartyrelyingonthisinfocanverifythesignaturebeforeusingtheclaims

76





LoginwithGoogle1 GotoGoogle2


Moar userinfo

ClaimsabouttheuserUserInfoendpoint


Hello“PhilDR”

Pleaselogin4


6

Here’sthecode7 10


9 Hereyougo

11

12


ADDITIONAL CLAIMS ARE ALSO REPRESENTED AS A JWT


THE DETAILS BEHIND AN OPENIDCONNECT FLOW

§ ThescopeoftheOAuth2.0flowshouldbeopenid− Thistellstheproviderthatthegoalistogetanidentitytoken−Additionalscopescanbeaddedalongsideopenid (e.g.email,…)





LoginwithGoogle1 GotoGoogle2


Moar userinfo

ClaimsabouttheuserUserInfoendpoint


Hello“PhilDR”

Pleaselogin4


6

Here’sthecode7 10


9 Hereyougo

11

12

Scopeshouldbeopenidbutcanalsoincludeothers

(e.g.openid email)

2


THE DETAILS BEHIND AN OPENIDCONNECT FLOW

§ ThescopeoftheOAuth2.0flowshouldbeopenid− Thistellstheproviderthatthegoalistogetanidentitytoken−Additionalscopescanbeaddedalongsideopenid (e.g.email,…)

§ TheendpointsinanOIDCflowarefixed− The/token endpointexchangesanauthorizationcodeforanidentity+accesstoken− The/UserInfo endpointrequiresanaccesstokenandgivesclaimsabouttheuser

§ ClaimsreturnedbyanOIDCserviceusetheJSONWebToken(JWT)format−AstandardizedJSONformatwhichsupportsintegrityvalidationthroughsignatures


SUPPORTING OPENIDCONNECT IN TORII

§ Bydefault,ToriidoesnotcomewithprovidersforOIDC−OnlyOAuth2.0implicitgrant andauthorizationcode flowsaresupported−However,implementingsupportcanbedonewithacustomprovider

§ AnOIDCproviderinToriineedstoperformthefollowingsteps−Runtheauthorizationcode flowwiththeopenid scope−Configurethecorrectproviderandendpointtolaunchthatflow

§ Thebackendwilltakecareofalltheothersteps− Exchangingtheauthorizationcode foranidentitytoken−Requestingadditionaluserinformationfromthe/UserInfo endpoint


WRAPPING THINGS UP


AUTHENTICATION WITH OAUTH 2.0

§WehavecoveredhowtouseOAuth2.0flowsforauthentication− ThereisalotmoretoOAuth2.0,thatwehavenotcovered−WhenyouneedtocontinuouslyaccessAPIs,thingsbecomeevenmoretricky

§ Specificallyforauthentication,takethefollowingintoaccount−Donotusetheimplicitgrant flowunlessthereisabsolutelynowayaroundit−Makesurethebackendimplementsproperchecks(e.g.tokenvalidity,…)

§ AlwaysrememberthatOAuth2.0isadelegationprotocol− Itdoesnotperformauthenticationorauthorization,that’salluptoyou


IMPLEMENTING OAUTH 2.0FLOWS IN EMBER

§ ToriiandESAareawinningcombination− TheyintegratenicelyintoyourEmberapplication− ToriihandlestheOAuth2.0flows,andESAhandlesthesessionmanagement

§ Toriioffersplentyofauthenticatorsoutofthebox− Toriitakescareofsecuritybestpractices(e.g.usingandcheckingthestate parameter)−Makesuretofollowthiswhenyoubuildacustomprovider

§ Rememberthatthefrontendisonlyonepartofthestory− Thebackendisresponsibleforprocessingthetokens/codes−Additionalsecuritychecksshouldbeperformedinthebackendaswell


SECURITY BEST PRACTICES

§Usetheauthorizationcode flow−Byknowyoushouldknowwhy−RunitoverHTTPS,noexcuses

§ Limittheexposureofyouraccesstokens− Forauthentication,throwthemawayafteruse− ForcontinuousAPIaccess,considerencryptingthembeforestoring

§ TakecareofthelittledetailswhenimplementinganOAuth2.0flow−Verifyalldatacomingfromtheclientbeforeusingit− Limitthescopetowhatyouneed


NOW IT’S UP TO YOU …

Secure ShareFollow

https://balinterdi.com/@baaz @PhilippeDeRyck

https://[email protected]/in/philippederyck

[email protected]/in/balinterdi

WITH OAUTH 2.0 IN§In-depth understanding of the subtleties of OAuth 2.0 −The difference between...

Documents

Transcript of WITH OAUTH 2.0 IN§In-depth understanding of the subtleties of OAuth 2.0 −The difference between...