Dominick Baier http://leastprivilege.com @leastprivilege
OAuth2 – Ready or not?
2 @leastprivilege
Dominick Baier
• Security consultant at thinktecture
• Focus on
  – security in distributed applications
  – identity management
  – access control
  – Windows/.NET security
  – cloud computing
• Microsoft MVP for Developer Security
• [email protected]
• http://leastprivilege.com
think mobile!
Agenda
• Overview & use cases
• Concerns & controversies
What is OAuth2?
History
• OAuth started circa 2007
• 2008 – IETF normalization started
• 2010 – RFC 5849 defines OAuth 1.0
• 2010 – WRAP (Web Resource Authorization Profiles) proposed by Microsoft, Yahoo! and Google
• 2010 – OAuth 2.0 work begins in IETF
• Working deployments of various drafts & versions at Google, Microsoft, Facebook, Github, Twitter, Flickr, Dropbox…
• Mid 2012 – Lead author and editor resigned & withdrew his name from all specs
• October 2012 – RFC 6749, RFC 6750
High level overview
(diagram: Resource Owner, Client, Resource Server)
OAuth2: The Players
(diagram)
• Resource Owner – "owns" a resource, uses the Client, trusts the Authorization Server, authorizes
• Client – is registered with the Authorization Server, accesses the Resource Server; Confidential/Public, Trusted/Untrusted
• Authorization Server
• Resource Server
OAuth2 Flows
• Authorization Code Flow – Web application clients
  1. Request authorization
  2. Request token
  3. Access resource
• Implicit Flow – Native / local clients
  1. Request authorization & token
  2. Access resource
• Resource Owner Password Credential Flow – Trusted clients
  1. Request token
  2. Access resource
(labels on the slide: "3-legged OAuth", "2-legged OAuth")
Authorization Code Flow (Web Application Clients)
(diagram: Web Application (Client), Resource Owner, Resource Server)
Step 1a: Authorization Request
(diagram: Web Application (Client), Authorization Server, Resource Owner)
GET /authorize?
  client_id=webapp&
  redirect_uri=https://webapp/cb&
  scope=resource&
  response_type=code&
  state=123
Consent
http://zachholman.com/2011/01/oauth_will_murder_your_children/
Step 1b: Authorization Response
(diagram: Web Application (Client), Authorization Server, Resource Owner)
GET /cb?
  code=xyz&
  state=123
Step 2a: Token Request
(diagram: Web Application (Client), Authorization Server, Resource Owner)
POST /token
Authorization: Basic (client_id:secret)

grant_type=authorization_code&
code=xyz
Step 2b: Token Response
(diagram: Web Application (Client), Authorization Server, Resource Owner)
{
  "access_token": "abc",
  "expires_in": "360",
  "token_type": "Bearer",
  "refresh_token": "xyz"
}
Step 3: Resource Access
(diagram: Web Application (Client), Resource Owner, Resource Server)
GET /resource
Authorization: Bearer access_token
JSON Web Token (JWT)
Header:
{ "typ": "JWT", "alg": "HS256" }
Claims:
{ "iss": "http://myIssuer", "exp": "1340819380", "aud": "http://myResource", "name": "alice", "role": "foo,bar" }
Encoded form (Header.Claims.Signature):
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
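Issuing and verifying a token of this shape, as an added Python example rather than code from the talk: the shared key, claims and expected audience are constructed values. The verifier fixes the algorithm itself instead of trusting the token's alg header, so a token like the encoded sample above, whose header carries an alg of "none", is refused before any claim is read.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s):
    # JWT segments drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims, key):
    """Issuer side (constructed for the example): HS256 over header.claims."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token, key, audience, now=None):
    """Resource-server side: returns the claims or raises ValueError.
    The accepted alg is decided here, never taken from the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))        # only trusted after the MAC check
    now = time.time() if now is None else now
    if int(claims.get("exp", 0)) <= now:          # exp on the slide is a string
        raise ValueError("token expired")
    if claims.get("aud") != audience:              # minted for a different resource
        raise ValueError("wrong audience")
    return claims
```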
(Step 4: Refreshing the Token)
(diagram: Web Application (Client), Resource Owner, Authorization Server)
POST /token
Authorization: Basic (client_id:secret)

grant_type=refresh_token&
refresh_token=xyz
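The client side of steps 1 through 4, as an added Python example (not code from the talk): the authorization endpoint, client id, secret and redirect URI are constructed values, and the code is sent under the parameter name code that RFC 6749 uses. Nothing here talks to a network; each function builds or checks one message of the flow.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration and endpoint; no real server stands behind them.
AUTHORIZE_ENDPOINT = "https://as.example/authorize"
CLIENT_ID, CLIENT_SECRET = "webapp", "secret"
REDIRECT_URI = "https://webapp/cb"


def build_authorize_request(scope="resource"):
    """Step 1a. Returns (URL to send the browser to, state to keep in the session)."""
    state = secrets.token_urlsafe(16)  # unguessable, fresh per authorization attempt
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "scope": scope, "response_type": "code", "state": state})
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def parse_callback(callback_url, expected_state):
    """Step 1b. Extracts the code; a missing or foreign state is rejected so that a
    code from somebody else's session cannot be planted into this user's (CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def build_token_request(grant_type, **params):
    """Steps 2a and 4. Client credentials go in HTTP Basic, the grant in the body."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"grant_type": grant_type, **params})


def parse_token_response(doc):
    """Step 2b. Only bearer tokens are handled; expires_in is normalised to int."""
    if doc.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    return {"access_token": doc["access_token"],
            "expires_in": int(doc["expires_in"]),
            "refresh_token": doc.get("refresh_token")}


def build_resource_request(tokens):
    """Step 3. A bearer token is usable by whoever holds it, so it travels only
    over TLS, in the Authorization header, never in the query string."""
    return {"Authorization": "Bearer " + tokens["access_token"]}
```

The code exchange is `build_token_request("authorization_code", code=code, redirect_uri=REDIRECT_URI)` and the refresh in step 4 is `build_token_request("refresh_token", refresh_token=tokens["refresh_token"])`.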
Client Management (e.g. Flickr)
Client Management (e.g. Dropbox)
Implicit Flow (Native / Local Clients)
(diagram: Resource Owner, Client)
Step 1a: Authorization Request
(diagram: Resource Owner, Client, Authorization Server, Resource Server)
GET /authorize?
  client_id=nativeapp&
  redirect_uri=http://localhost/cb&
  scope=resource&
  response_type=token&
  state=123
Step 1b: Token Response
(diagram: Resource Owner, Client, Authorization Server, Resource Server)
GET /cb#
  access_token=abc&
  expires_in=3600&
  state=123
Step 2: Resource Access
(diagram: Resource Owner, Client, Resource Server)
GET /resource
Authorization: Bearer access_token
Resource Owner Password Credential Flow (Trusted Application)
(diagram: Resource Owner, Client, Resource Server)
Step 1a: Token Request
(diagram: Resource Owner, Client, Authorization Server, Resource Server)
POST /token
Authorization: Basic (client_id:secret)

grant_type=password&
scope=resource&
username=owner&
password=password
Step 1b: Token Response
(diagram: Resource Owner, Client, Authorization Server, Resource Server)
{
  "access_token": "abc",
  "expires_in": "360",
  "token_type": "Bearer",
  "refresh_token": "xyz"
}
Step 2: Resource Access
(diagram: Resource Owner, Client, Resource Server)
GET /resource
Authorization: Bearer access_token
Concerns & Controversies
artwork by @ChrisMCarrasco
Eran Hammer
• http://hueniverse.com/2010/09/oauth-bearer-tokens-are-a-terrible-idea/
• http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/
• http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
• OAuth2: Looking back and moving on – https://vimeo.com/52882780
OAuth2 specifications
Core (proposed standards):
• The OAuth2 Authorization Framework (RFC 6749)
• OAuth2 Bearer Token Usage (RFC 6750)
Informational:
• Threat Model and Security Considerations (RFC 6819)
Related and in-progress work:
• JSON Web Token (JWT), JSON Web Encryption (JWE), JSON Web Signatures (JWS), JSON Web Algorithms (JWA)
• OAuth2 Resource Set Registration, Dynamic Client Registration, User-Managed Access, Chaining and Redelegation, Metadata & Introspection
• Assertion Framework for OAuth2, JWT Bearer Token Profiles, SAML 2.0 Bearer Token Profiles, Token Revocation, MAC Tokens
• OpenID Connect (http://openid.net/specs/): openid-connect-basic-1_0-23.html, openid-connect-implicit-1_0-06.html, openid-connect-messages-1_0-15.html, openid-connect-standard-1_0-16.html, openid-connect-discovery-1_0-12.html, openid-connect-registration-1_0-14.html, openid-connect-session-1_0-11.html
http://datatracker.ietf.org/wg/oauth/
Bearer Token
A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).
Developers & SSL
Infrastructure & SSL
http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/
Security Theater
https://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp
OAuth2 for Authentication
• OAuth2 is for authorization – authentication is a pre-requisite for that
• What many people really want is:
  – let's use OAuth2 for authentication
  • "Sign-in with social provider X"
  • → especially mobile apps
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
OAuth2 for Authentication: Request
(diagram: Resource Owner, Client, Authorization Server, UserInfo RS)
GET /authorize?
  client_id=nativeapp&
  redirect_uri=http://localhost/cb&
  scope=userinfo&
  response_type=token&
  state=123
OAuth2 for Authentication: Response
(diagram: Resource Owner, Client, Authorization Server, UserInfo RS)
GET /cb?
  access_token=abc&
  userid=123&
  expires_in=3600&
  state=123
OAuth2 for Authentication: Accessing User Data
(diagram: Resource Owner, Client, UserInfo RS)
GET /userinfo
Authorization: Bearer access_token
→ Firstname, Lastname, Email…
The Problem
1. User logs into a malicious app (the app steals the token): the malicious app now holds the userid and the access token
2. The malicious developer uses the stolen access token in a legitimate app: the legitimate app accepts the access token → Impersonated!
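The scenario above as an added Python simulation, not code from the talk: the token table, the two apps and a tokeninfo endpoint that reports which client a token was issued to are all assumed here. It places the login logic the slide describes beside a version that refuses any token the authorization server did not issue to this client, which is what turns a "valid" token into a "valid for me" token.

```python
# Constructed simulation of the slide's scenario; no real apps, endpoints or tokens.
TOKENS = {  # what the authorization server recorded when it issued each token
    "abc": {"sub": "123", "client_id": "malicious_app", "scope": "userinfo"},
    "def": {"sub": "123", "client_id": "legit_app", "scope": "userinfo"},
}
USERS = {"123": {"firstname": "Alice", "lastname": "Example", "email": "alice@example"}}
LEGIT_CLIENT_ID = "legit_app"  # the client id under which the legitimate app is registered


def userinfo_rs(access_token):
    """UserInfo RS: a bearer token is honoured for whoever presents it, as long as
    it is valid and carries the userinfo scope. Which client obtained it is irrelevant."""
    rec = TOKENS.get(access_token)
    if rec is None or "userinfo" not in rec["scope"].split():
        raise PermissionError("invalid bearer token")
    return dict(USERS[rec["sub"]], sub=rec["sub"])


def tokeninfo(access_token):
    """Hypothetical AS endpoint (assumed, not on the slides) reporting the client a
    token was issued to; the introspection work listed earlier standardises this idea."""
    rec = TOKENS.get(access_token)
    return dict(rec) if rec else None


def login_as_on_slide(access_token):
    """Vulnerable: 'the token works against /userinfo, so the user is logged in'.
    A token the user granted to the malicious app logs its developer in here too."""
    return userinfo_rs(access_token)["sub"]


def login_hardened(access_token):
    """Fixed: a token counts as a login for this app only if it was issued to this app."""
    rec = tokeninfo(access_token)
    if rec is None or rec["client_id"] != LEGIT_CLIENT_ID:
        raise PermissionError("token was not issued to this client")
    return userinfo_rs(access_token)["sub"]
```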
(Other recent) Facebook Hacks
• http://www.darkreading.com/blog/240148995/the-road-to-hell-is-authenticated-by-facebook.html
• http://homakov.blogspot.no/2013/02/hacking-facebook-with-oauth2-and-chrome.html
• www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html
Conclusion
• OAuth2 is already widely used on the internet
• It will find its way into your scenarios
• Current implementations are lacking – even by the big guys – let alone the myriad of DIY implementations
• Spec needs some refinement
  – "basic profile"
  – MAC tokens
• Very good & balanced view – https://www.tbray.org/ongoing/When/201x/2013/01/23/OAuth