Concepts of Open Authorization 2 - OWASP · 2020. 1. 17. · Presentation of Authentication...

The OWASP Foundation

OWASP

http://www.owasp.org

Presentation of Authentication Concepts of Open Authorization 2

Flows in OAuth 2

Timo Pagel

OWASPTimo PagelTimo Pagel

About Me

● DevSecOps Consultant● Lecturer for Security in Web Applications at

University of Applied Sciences Kiel/Wedel● Open Source / Open Knowledge Enthusiast


About Me

● DevSecOps Consultant● Lecturer for Security in Web Applications at

University of Applied Sciences Kiel/Wedel● Open Source / Open Knowledge Enthusiast

● OWASP Juice Shop● DevSecOps Maturity Model● OWASP Security Pins Project● Full University Module Security in Web App.● OWASP Software Assurance Maturity Model


Agenda

● Introduction● Flows● Conclusion

4


Agenda


5

OWASPTimo Pagel

Classic Username/Password

6

Username / Password

Login Successful / UnsuccessfulBlog A

OWASPTimo Pagel


7

Username / Password


Blog B

OWASPTimo Pagel


8

Username / Password


Blog B

Use

rnam

e / P

assw

ord

Logi

n S

ucce

ssfu

l /

Uns

ucce

ssfu

l

OWASPTimo Pagel


9

Username / Password


Blog B

Use

rnam

e / P

assw

ord

Logi

n S

ucce

ssfu

l /

Uns

ucce

ssfu

l

Username Role

Tux Publisher

Tuxine Writer

Username_Role

Role Permission

Publisher Write

Publisher Read

Publisher Publish

Writer Read

Writer Write

Role_Permission

OWASPTimo Pagel


10

Username / Password


Blog B

Use

rnam

e / P

assw

ord

Logi

n S

ucce

ssfu

l /

Uns

ucce

ssfu

l

Username_Role

Role_Permission

Username Role

Tux Publisher

Tuxine Writer

Role Permission

Publisher Write

Publisher Read

Publisher Publish

Writer Read

Writer Write

OWASPTimo Pagel


11

Username / Password


Blog B

Use

rnam

e / P

assw

ord

Logi

n S

ucce

ssfu

l /

Uns

ucce

ssfu

l

Username_Role

Role_Permission

Username Role

Tux Publisher

Tuxine Writer

Role Permission

Publisher Write

Publisher Read

Publisher Publish

Writer Read

Writer Write

OWASPTimo Pagel


12

Username / Password


Blog B

Use

rnam

e / P

assw

ord

Logi

n S

ucce

ssfu

l /

Uns

ucce

ssfu

l

Username_Role

Role_Permission

Username Role

Tux Publisher

Tuxine Writer

Role Permission

Publisher Write

Publisher Read

Publisher Publish

Writer Read

Writer Write

Usage of the UID/Password-Anti Pattern

OWASPTimo Pagel

How do we solve the UID-Password-Anti-Pattern?-> Tokens

13

OWASPTimo Pagel

OAuth Idea

14

Username / PasswordToken

Blog A(Client)

Blog B(Provider)

Client Permission

X… Read

Y... Write

Client_Permission

OWASPTimo Pagel

OAuth Idea

15

Username / PasswordToken

Blog A(Client)

Blog B(Provider)

Toke

n

Acc

epte

d

Token

Client Permission

X… Read

Y... Write

Client_Permission


Agenda


16

OWASPTimo Pagel

Client Credentials Flow

17

ResourceServer

AuthorizationServer

Client App(Server)

OWASPTimo Pagel

Client Credentials Flow

18

ResourceServer

AuthorizationServer

Client Credentials (client_id/client_secret)

Authenticate Client

Client App(Server)

Access token

Access protected resource with access tokenProtected resource response

OWASPTimo Pagel

Overview Client Credentials Flow

● No user-based AuthenticationScope/Permissions: Bound to clients

● Usage: Intranet

19

OWASPTimo Pagel

Resource Owner Password Credentials Flow

20

ResourceServer

AuthorizationServer

Client App

Resource Owner

OWASPTimo Pagel


21

ResourceServer

AuthorizationServer

Resource owner credentials

Authenticate resource owner

Client App

Access token

Authenticate client

Resource Owner

Resource owner

credentials

OWASPTimo Pagel

22

OWASPTimo Pagel


23

ResourceServer

AuthorizationServer



Client App

Access token


Authenticate client

Resource Owner

Resource owner

credentials

Usage of the UID/Password-Anti Pattern

OWASPTimo Pagel


24

ResourceServer

AuthorizationServer



Client App

Access token


Authenticate client

Resource Owner

Resource owner

credentials

What happens after the access token has expired?

OWASPTimo Pagel

Access token (optional refresh token)


25

ResourceServer

AuthorizationServer



Client App


Authenticate client

Resource Owner

Resource owner

credentials

Access token (refresh token)Refresh token

OWASPTimo Pagel

OAuth2 ROPC-Specification

[...] The resource owner password credentials grant type is suitable in cases where the

resource owner has a trust relationship with the client,such as the device operating system [...]Source: RFC 6749 The OAuth 2.0 Authorization Framework - Section 4.3

26

https://tools.ietf.org/html/rfc6749#section-4.3

OWASPTimo Pagel

Interpretation of OAuth ROPC-Specification

● The client and the device are completely under your control

● All other flows are not supported by the client

27

OWASPTimo Pagel

Interpretation of OAuth ROPC-Specification

● Use Case: To move legacy application into the OAuth2-Universe● Scope● Expiration of tokens● ...

28

OWASPTimo Pagel

ROPC Main Risks Overview

● UID/password anti-pattern-> client, eavesdroppers, or endpoints could eavesdrop the user id and password● Validation of the client's identity not possible● Client app might issue a not needed scope

● Token revocation nearly useless

29

OWASPTimo Pagel

Scopes

30

Action Scope

View own email profile.email:view

Modify own email profile.email:update

Delete own email profile.email:delete

OWASPTimo Pagel

31

Request profile.email:view

Single factor required

Credentials

Token (scope: profile.email:view)

ResourceServer

AuthorizationServer

Resource Owner

View profile with Token (profile.email:view)

E-Mail

OWASPTimo Pagel

32

Request profile.email:view

Single factor required

Credentials

Token (scope: profile.email:view)

ResourceServer

Update profile with Token (profile.email:view)

Error: Insufficient scopeRequest profile.email:update

Multiple factors required

AuthorizationServer

Resource Owner

View profile with Token (profile.email:view)

E-Mail

OWASPTimo Pagel

Implicit Flow

● Use Case: Browser● Client Secret: Confidentiality can not be

guaranteed

33

OWASPTimo Pagel

Implicit Flow

34

ResourceServer

AuthorizationServer

Client/Browser

Resource Owner

JavaScript

FrontendServer

OWASPTimo Pagel

Implicit Flow

35

ResourceServer

AuthorizationServer

Page with JS

Client/Browser

Open redirect URL

Resource Owner

Enter URL

JavaScript

Present Authorization UIPresent UI

Present Credentials

Present credentials

FrontendServer

(Performs Redirect)

OWASPTimo Pagel

Implicit Flow

36

ResourceServer

AuthorizationServer

Page with JS

Client/Browser

Open redirect URL

Resource Owner

Enter URL

JavaScript

(Performs Redirect)Present Authorization UI

Present UIPresent

Credentials

Present credentials

Verify credentials and create access token

Redirect to frontend server (access token in # fragment)

FrontendServer

OWASPTimo Pagel

Implicit Flow

37

ResourceServer

AuthorizationServer

Page with JS

Client/Browser

Open redirect URL

Resource Owner

Enter URL

JavaScript


Present UIPresent

Credentials

Present credentials



FrontendServer

OWASPTimo Pagel

Implicit Flow

38

ResourceServer

AuthorizationServer

Page with JS

Client/Browser

Open redirect URL

Resource Owner

Enter URL

JavaScript


Present UIPresent

Credentials

Present credentials



FrontendServer

Follow redirect URL (without access token) and get page with JS

Extract and temp. store access token

Call protected resource with access tokenReturn protected resource

OWASPTimo Pagel

Threats Implicit Flow

● Resource owners might issue a token to a malicious client (e.g. via phishing)

● Attackers might steal token via other mechanisms

Source: RFC 6749 The OAuth 2.0 Authorization Framework - Section 10.16

● Main Risk: Whom is a token issued to?

39


OWASPTimo Pagel

Further Risks/Info

● Use Case: Browser-Applications● Silent Refresh● Disadvantages: Man-in-the-Middle can fetch

tokens -> No refresh tokens

40

OWASPTimo Pagel

Authorization Code Grant

[...] the Authorization Code flow should only be used [...] where the Client Secret can be safely stored. [...]

https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

41

https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

OWASPTimo Pagel

Authorization Code Grant Flow

42

ResourceServer

AuthorizationServer

User-Agent

Open redirect URL with client identifier

Resource Owner

Open Client (App)

Present authorization UIPresent credentials Present submitted

credentials

Validate requestPresent authorization UI

Client


OWASPTimo Pagel


43

ResourceServer

AuthorizationServer

User-Agent


Resource Owner

Open Client (App)


credentials


Client


Authorization codeAuthorization code

Redirection URI and Authorization code

OWASPTimo Pagel


44

ResourceServer

AuthorizationServer

User-Agent


Resource Owner

Open Client (App)


credentials


Client




Why isn’t the access token directly issued?

OWASPTimo Pagel


45

ResourceServer

AuthorizationServer

User-Agent


Resource Owner

Open Client (App)


credentials


Client




Threats to URIs:● Referrer headers● Request logs● Browser history


OWASPTimo Pagel


46

ResourceServer

AuthorizationServer

User-Agent


Resource Owner

Open Client (App)


credentials


Client




Authorization code has a very short lifetime (seconds) to make replay attacks hard


OWASPTimo Pagel


47

ResourceServer

AuthorizationServer

User-Agent


Resource Owner

Open Client (App)


credentials



Client





Refresh tokenAccess Token (optional refresh token)

OWASPTimo Pagel

Native App Flow

Mainly: Proof Key for Code Exchange - PKCE (RFC 7636)

48

OWASPTimo Pagel

Authorization Code Grant Flow: Flaws

49

ResourceServer

AuthorizationServer

User-Agent


Resource Owner

Open Client (App)


credentials



Authorization code

OWASPTimo Pagel

Authorization Code Grant Flow: Flaws

50

ResourceServer

AuthorizationServer

User-Agent


Resource Owner

Open Client (App)


credentials







Refresh tokenAccess Token (optional refresh token)

OWASPTimo Pagel

RFC 8252: OAuth 2.0 for Native Apps

● External User Agent:● External browser/app● In-App browser tab

51

OWASPTimo Pagel

Authorization Code Grant Flow: Native App

52

ResourceServer

AuthorizationServer

User-Agent

Open redirect URL with client identifier & code_challange

Present submitted credentials

Validate request & store code_challengePresent authorization UI

Open redirect URL with client identifier & chall.

Authorization codeAuthorization

codeAuthorization code & code_verifyer?

Generate random code_verifyer

code_challange=sha256(code_verifyer)

Verify sha256(code_verifyer) == code_challengeDeny access

OWASPTimo Pagel

Further Security Considerations

● URI-Schema: ● Domain-Related, e.g. com.fhunii.eventmarketing● Prevent DNS-Spoofing: Use 127.0.0.1 instead of

localhost by performing redirection on localhost (Desktop)

● Defence against cross-app request forgery:● Usage of the state parameter with a random

● Embedded User Agent (Web-View):● Must open an external browser as the embedded

user agent has full access to authorization grant 53


Agenda


54


Conclusion

55

● Choose the flow based on the use case● App: Auth. Code Grant + Native Apps● Web: Implicit Flow


Questions?

[email protected]

56

OWASPTimo Pagel

Implementation Flaws

Store username and generate password in the client after authentication

57

OWASPTimo Pagel

Implementation Flaws

Storing the username/password locally

58

OWASPTimo Pagel

59

OWASPTimo Pagel

60

OWASPTimo Pagel

61

OWASPTimo Pagel

Implications

● Endless Refresh?● No Caching for shared proxies with

Authentication-Header● Logout -> Invalidation of

Refresh/Access-Tokens● Monitoring of unauthorized invalid Tokens

usage attempts● No-Algo Attack

62


Agenda

● Introduction● Flows● Implementation Flaws● Conclusion

63


Conclusion

● OAuth2 is used to delegate access● Choose the right flow for your use case● OAuth2 does not prevent from thinking on your

own! -> harden endpoints/processes

64

OWASPTimo Pagel

Risk Overview

65

Flow Client (Application) Overall Risk


Browser / Mobile App Critical (with public clients)

Authorization Code Flow Confidential Client Medium-High

Implicit Flow Browser (JavaScript) Medium-High

Authorization Code Flow (PKCE) Mobile App Medium

Disclaimer: This is an overview of the first impression

https://auth0.com/docs/api-auth/which-oauth-flow-to-use

http://wiki.oauth.net/w/page/27249271/OAuth%202%20for%20Native%20Apps



OWASPTimo Pagel

OAuth ROPC-Specification

It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

Source: RFC 6749 The OAuth 2.0 Authorization Framework - Section 4.3

66


OWASPTimo Pagel

Hardening Resource Owner Password Credentials Flow (not recommended) 1/2

● Harden Token Endpoint:● Do not allow cross-domain requests● Brute Force / “Token Brute Force”● Timing Attacks● Lack of security sensitive information● Throttling Policy● …

● Reduce Risk of Stolen Tokens:● TLS● Disable refresh tokens and use short lived access tokens● Reconsider lifetime of tokens

67

OWASPTimo Pagel

Hardening Resource Owner Password Credentials Flow (not recommended) 2/2

● Inform resource owners about password reuse● Limit usage to org. where client/application and

authorizing service are from the same org.● The authorization server may generally restrict

the scope of access tokens issued by this flow

68

Concepts of Open Authorization 2 - OWASP · 2020. 1. 17. · Presentation of Authentication...

Documents

Transcript of Concepts of Open Authorization 2 - OWASP · 2020. 1. 17. · Presentation of Authentication...