OAuth 2.0 & Security Considerations

The OWASP Foundation

http://www.owasp.org

Vaibhav GuptaTwitter: @VaibhavGupta_1

Blog: exploits.workDelhi Chapter Meet – 30 July 2016

OWASP 2

Agenda

Agenda (recursion! #GeekHumour :-P)

Problem Statement: Why OAuth?

What is OAuth? Typical OAuth Dance Lets talk security!

Disclaimer!

OAuth has a lot of stuff to cover and given the time constraints, I will stick to the

important ones

Problem Statement: Why OAuth?

Password sharing anti-pattern

Resource owner (You!)

Client (Photo Printing Service)

Protected Resource(facebook.com)

Aim: To give client access to theprotected resource on behalf

of resource owner

What is OAuth

Authorization (not authentication!) framework Security delegation protocol Based on token How to “get token” and how to “use token”

OWASP 6

So you think I am understanding it !!

Typical OAuth 2.0 Dance Party!

Here are the invitees: Resource owner

Protected resource

Client

Authorization server

OWASP 8

Image: OAuth 2 in action

OWASP 9

OWASP 10

Let’s Talk Security!

CSRF – “state” parameter [Client Vuln]<img src=“

https://photoprinting.local/callback?code=Attacker_Auth_Code”>

“redirect_uri” mismatch [Auth Server Vuln.]

How about stealing auth code from referrer header?

A lot others!! Time constraint

References

OAuth 2.0 Specshttp://tools.ietf.org/html/rfc6749

OAuth 2.0 – Threat modelhttps://tools.ietf.org/html/rfc6819

Book: “OAuth 2 in Action” by Justin Richer and Antonio Sanso

OWASP 14

Questions?

OAuth 2.0 & Security Considerations

Engineering

[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for …...The OAuth 2.0 Protocol Extensions for Broker Clients specify extensions to [RFC6749] (The OAuth 2.0 Authorization Framework) that

OAUTH 2 UND OPENID CONNECT SECURING MICROSERVICES … · OAUTH 2.0 101 RFC 6749: The OAuth 2.0 A uthorization Frame work RFC 6750: OAuth 2.0 Bearer Token Usage RFC 6819: OAuth 2.0

OAuth 2.0 refresher Talk

CIS13: Introduction to OAuth 2.0

Oracle OAuth ServiceOAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0 Resource Server roles. OAM OAuth

OAuth 2.0 Misconceptions

RFC 6749 - The OAuth 2.0 Authorization Framework...The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a third-party application to obtain

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

Understanding OAuth 2.0

ISSN: 2070-1721 IBM P. Hunt Oracle Corporation OAuth 2.0 … · 2013-01-07 · OAuth 2.0 Threat Model and Security Considerations Abstract This document gives additional security

OAuth 2.0 e OpenID Connect

OAuth 2.0 und OpenId Connect

Argonaut Steering Committee Meeting · • Use OAuth 2.0 Threat Model and Security Considerations (RFC 6819) as primary source, supplemented by OAuth 2.0 Framework (RFC 6749), Bearer

Securing APIs using OAuth 2.0

OAuth 2.0 #idit2012

OAuth 2.0 Security

OAuth 2.0 refresher

[MS-OAUTH2EX]: OAuth 2.0 Authentication Protocol Extensions · 2016-05-11 · OAuth 2.0 Authentication Protocol Extensions describes extensions to the OAuth 2.0 Authentication Protocol

OAuth 2.0 and OpenId Connect

Category: Standards Track The OAuth 2.0 Authorization Framework · 2012. 10. 12. · The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a