Misconceptions of
OAuth 2.0
Cory Forsyth
@bantic
201 Created
Consultants in New York City
Logan, UT
“A set of clean abstractions for authentication in Ember.js”
OAuth
a short intro
OAuth 1.0 & 2.0
• A delegated authorization protocol/framework
• Canonical example:
• User wants to print photos
• Photos are stored at my-pix.com
• User grants authorization to print-me.com to access photos at my-pix.com
• Solves the “share my password” anti-pattern
OAuth
• 1.0:
• Uses cryptographic signatures, server-to-server communication
• 2.0:
• Includes “implicit grant” (front-end only) flow
• Includes “authorization code grant” flow
• No signatures (encrypted https communication only)
• Both:
• browser-centric redirection-based flows
OAuth
• 1.0:
• A protocol
• 2.0:
• “Simpler”
• Less secure?
• A framework
OAuth Love Triangle
• Resource Owner (user)
• Resource / Authorization Server (my-pix.com)
• Client (print-me.com)
1. User visits client
2. Client directs browser to authorization server
3. Authorization server shows consent screen
4. Authorization server redirects to client, with authz in URL
OAuth Love Triangle
• User
• Provider, e.g. Google+
• Client: your ember app
1. User visits your ember app
2. App opens popup to provider
3. Consent screen
4. Provider redirects to app, with authz in URL
OAuth 1 & 2 Terminology
• Resource Owner / User
• Human, likes taking and printing pictures
• Client / Consumer
• E.g., print-me.com
• For most people in this room: You code OAuth clients
• Server / Service Provider
• E.g., my-pix.com (and Google+, Facebook, Github, etc.)
OAuth Clients
• Can be confidential or public
• Public clients include:
• JavaScript that runs in the browser
• Native Apps (could be decompiled)
• Must be registered with a provider — provider issues client_id, client_secret
OAuth 2 Flows
• Authorization Code Grant
• Implicit Grant
• 2 others, less important
OAuth 2 Flows
• Client crafts URL pointing at provider, redirects browser to it
• e.g. https://accounts.google.com/o/oauth2/auth?
    client_id=xyz&
    redirect_uri=my-pix.com/callback&
    response_type=code or token&
    scope=email&
    …=…
OAuth 2 Flows
• Server / Provider authenticates user
• Obtains authorization consent
• Redirects back to redirect_uri with code, e.g.
    http://my-pix.com/callback?
    code=abc123
Authorization Code Grant
• Client redirects to provider endpoint with client_id, redirect_uri, response_type=code, scope, etc. query params
• Provider authenticates user, obtains authorization consent, redirects to redirect_uri with code=abc123 query param
• Client POSTs to provider with client_id, grant_type=authorization_code, code=abc123, redirect_uri
• Provider responds to client with access_token
Implicit Grant
• Client redirects to provider endpoint with client_id, redirect_uri, response_type=token, scope, etc. query params
• Provider authenticates user, obtains authorization consent, redirects to redirect_uri with access_token=abc123 in the hash fragment
• e.g. print-me.com/callback#access_token=abc123
Misunderstanding #1
Access vs Bearer Tokens
• Clients use access tokens to make requests of providers for protected resources (on behalf of users)
• Clients present “bearer” access tokens as query parameters, headers (“Authorization: Bearer xyz”), or form parameters
Access vs Bearer Tokens
• Access Tokens are almost always Bearer Tokens
• Providers include “token_type” when issuing tokens
• “bearer” is a token_type (there is also “mac”)
• Called “Bearer” because the Provider will allow any request with the token present (whoever holds/“bears” the token has access)
Misunderstanding #2
All Bearer Tokens are Created Equal
Client X gets token via authorization code grant
Client X gets token via implicit grant
Client Y gets token via authorization code grant
Client Y gets token via implicit grant
Same user, provider, scope; token is not expired. Spot the difference:
Misunderstanding #2
All Bearer Tokens are Created Equal
• Access tokens are opaque to client
• Client cannot tell:
• What client the token was issued for
• When the token expires
• If the token is valid
Misunderstanding #3
Refresh Tokens “refresh” nothing
• What is a refresh token?
• Optionally issued by OAuth provider in certain scenarios:
• when requested with “scope”
• in Authorization Code Grant (server-side) flow
• Because: clients cannot know when an access token is invalid
Misunderstanding #3
Refresh Tokens “refresh” nothing
• “You cannot refresh an implicit grant token”
• “You can only refresh an access token from Authorization Code grant”
Misunderstanding #4
OAuth does not do authentication
• authentication: Who are you?
• authorization: What are you allowed to do?
• OAuth 2.0: An Authorization Framework
Misunderstanding #4
OAuth does not do authentication
Naive OAuth Authentication:
• Get access token via implicit grant (request ‘email’ scope)
• Use access token to read email from OAuth provider (e.g. `GET /me?access_token=XYZ`)
• Use the email to find user in your database, log them in
• After all, if the access token provides that email, that’s who they are, right?
Misunderstanding #4
OAuth does not do authentication
• Remember, access token is opaque to client
• Client cannot tell:
• who that token was issued for
• when that token was issued
• Simple to intercept redirect, inject another access token
Misunderstanding #4
OAuth does not do authentication
• What does work?
• authorization code flow (server-side) with ‘state’ param:
• ensures access token is “fresh”, for this client
• OpenID Connect
• Builds upon OAuth, uses JWT
• Allows in-browser verification of token integrity, audience, identity
Thanks
Cory Forsyth
@bantic
Links
• Torii: https://github.com/vestorly/torii
• OAuth 2 explanation
• More curated links
Image Credits
• https://twitter.com/old_sound/status/670412302135500803/photo/1
