Dominick  Baier  h.p://leastprivilege.com  @leastprivilege  

OAuth2  –  Ready  or  not?  

2  @leastprivilege  

Dominick  Baier  

•  Security  consultant  at  thinktecture  •  Focus  on  –  security  in  distributed  applica9ons  –  iden9ty  management  –  access  control  – Windows/.NET  security  –  cloud  compu9ng  

 •  MicrosoE  MVP  for  Developer  Security  •  dominick.baier@thinktecture.com  •  h.p://leastprivilege.com  

think mobile!

3  @leastprivilege  

Agenda  

•  Overview  &  use  cases  •  Concerns  &  controversies  

4  @leastprivilege  

What  is  OAuth2  ?  

5  @leastprivilege  

History  •  OAuth  started  circa  2007    •  2008  -­‐  IETF  normalizaUon  started  in  2008    •  2010  -­‐  RFC  5849  defines  OAuth  1.0    •  2010  -­‐  WRAP  (Web  Resource  AuthorizaUon  Profiles)  proposed  by  

MicrosoE,  Yahoo!  And  Google    •  2010  -­‐  OAuth  2.0  work  begins  in  IETF  

•  Working  deployments  of  various  draEs  &  versions  at  Google,  MicrosoE,  Facebook,  Github,  Twi.er,  Flickr,  Dropbox…  

•  Mid  2012  –  Lead  author  and  editor  resigned  &  withdraws  his  name  from  all  specs      

•  October  2012  –  RFC  6749,  RFC  6750  

6  @leastprivilege  

High  level  overview  

Resource  Owner  

Client  

Resource  Server  

7  @leastprivilege  

8  @leastprivilege  

9  @leastprivilege  

10  @leastprivilege  

11  @leastprivilege  

High  level  overview  

Resource  Owner  

Client  

Resource  Server  

12  @leastprivilege  

authorizes  

Resource  Owner   Resource  Server  

AuthorizaUon  Server  Client  

Confiden9al/Public  

Trusted/Untrusted  

OAuth2:  The  Players  

"owns"  a  resource  

uses   trusts  

is  registered  with  

accesses  

13  @leastprivilege  

OAuth2  Flows  •  AuthorizaUon  Code  Flow  

–  Web  applica9on  clients  1.  Request  authoriza9on  2.  Request  token  3.  Access  resource  

•  Implicit  Flow  –  Na9ve  /  local  clients  

1.  Request  authoriza9on  &  token  2.  Access  resource  

•  Resource  Owner  Password  CredenUal  Flow  –  Trusted  clients  

1.  Request  token  2.  Access  resource  

"3-­‐legged  OAuth"  

"2-­‐legged  OAuth"  

14  @leastprivilege  

Authoriza9on  Code  Flow    (Web  Applica9on  Clients)  

Web  Applica9on  (Client)   Resource  Server  

Resource  Owner  

15  @leastprivilege  

Step  1a:  Authoriza9on  Request  

Web  Applica9on  (Client)   Authoriza9on  Server  

Resource  Owner  

GET  /authorize?      client_id=webapp&      redirect_uri=https://webapp/cb&      scope=resource&      response_type=code&      state=123  

16  @leastprivilege  

Consent  

h.p://zachholman.com/2011/01/oauth_will_murder_your_children/  

17  @leastprivilege  

Step  1b:  Authoriza9on  Response  

Web  Applica9on  (Client)   Authoriza9on  Server  

Resource  Owner  

GET  /cb?      code=xyz&      state=123  

18  @leastprivilege  

Step  2a:  Token  Request  

Web  Applica9on  (Client)   Authoriza9on  Server  

Resource  Owner  

POST  /token    Authorization:  Basic  (client_id:secret)    grant_type=authorization_code&  authorization_code=xyz  

19  @leastprivilege  

Step  2b:  Token  Response  

Web  Applica9on  (Client)   Authoriza9on  Server  

Resource  Owner  

{      "access_token"  :  "abc",      "expires_in"  :  "360",      "token_type"  :  "Bearer",      "refresh_token"  :  "xyz"      }  

20  @leastprivilege  

Step  3:  Resource  Access  

Web  Applica9on  (Client)  

Resource  Owner  

GET  /resource      Authorization:  Bearer  access_token  

Resource  Server  

21  @leastprivilege  

JSON  Web  Token  (JWT)  {      "typ":  "JWT",      "alg":  "HS256"  }  

{      "iss":  "http://myIssuer",      "exp":  "1340819380",      "aud":  "http://myResource",        "name":  "alice",      "role":  "foo,bar",  }  

Header  

Claims  

eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt  

Header   Claims   Signature  

22  @leastprivilege  

(Step  4:  Refreshing  the  Token)  

Web  Applica9on  (Client)  

Resource  Owner  

POST  /token    Authorization:  Basic  (client_id:secret)    grant_type=refresh_token&  refresh_token=xyz  

Authoriza9on  Server  

23  @leastprivilege  

Client  Management  (e.g.  Flickr)  

24  @leastprivilege  

Client  Management  (e.g.  Dropbox)  

25  @leastprivilege  

Implicit  Flow  (Na9ve  /  Local  Clients)  

Resource  Owner   Client  

26  @leastprivilege  

Step  1a:  Authoriza9on  Request  

Resource  Server  

Resource  Owner   Client  

GET  /authorize?      client_id=nativeapp&      redirect_uri=http://localhost/cb&      scope=resource&      response_type=token&      state=123  

Authoriza9on  Server  

27  @leastprivilege  

Step  1b:  Token  Response  

Resource  Owner   Client  

GET  /cb#      access_token=abc&      expires_in=3600&      state=123  

Authoriza9on  Server  Resource  Server  

28  @leastprivilege  

Step  2:  Resource  Access  

Resource  Owner   Client  

GET  /resource      Authorization:          Bearer  access_token  

Resource  Server  

29  @leastprivilege  

Resource  Owner  Password  Creden9al  Flow  (Trusted  Applica9on)  

Resource  Owner   Client  

Resource  Server  

30  @leastprivilege  

Step  1a:  Token  Request  

Resource  Owner   Client  

Authoriza9on  Server  

POST  /token    Authorization:  Basic  (client_id:secret)    grant_type=password&  scope=resource&  user_name=owner&  password=password&  

Resource  Server  

31  @leastprivilege  

Step  1b:  Token  Response  

Resource  Owner   Client  

Authoriza9on  Server  

{      "access_token"  :  "abc",      "expires_in"  :  "360",      "token_type"  :  "Bearer",      "refresh_token"  :  "xyz"      }  

Resource  Server  

32  @leastprivilege  

Step  2:  Resource  Access  

Resource  Owner   Client  

GET  /resource      Authorization:          Bearer  access_token  

Resource  Server  

33  @leastprivilege  

Concerns  &  Controversies  

artwork  by  @ChrisMCarrasco  

34  @leastprivilege  

Eran  Hammer  •  h.p://hueniverse.com/2010/09/oauth-­‐bearer-­‐tokens-­‐are-­‐a-­‐terrible-­‐

idea/  •  h.p://hueniverse.com/2010/09/oauth-­‐2-­‐0-­‐without-­‐signatures-­‐is-­‐bad-­‐

for-­‐the-­‐web/  

•  h.p://hueniverse.com/2012/07/oauth-­‐2-­‐0-­‐and-­‐the-­‐road-­‐to-­‐hell/  

•  OAuth2:  Looking  back  and  moving  on  –  hdps://vimeo.com/52882780  

35  @leastprivilege  

36  @leastprivilege  

JSON  Web  Token  (JWT)    JSON  Web  Encryp9on  (JWE)  JSON  Web  Signatures  (JWS)  JSON  Web  Algorithms  (JWA)  

OAuth2  Resource  Set  Registra9on  Dynamic  Client  Registra9on  User-­‐Managed  Access  Chaining  and  Redelega9on  Metadata  &  Introspec9on  

hdp://openid.net/specs/openid-­‐connect      basic-­‐1_0-­‐23.html      implicit-­‐1_0-­‐06.html      messages-­‐1_0-­‐15.html      standard-­‐1_0-­‐16.html      discovery-­‐1_0-­‐12.html      registra9on-­‐1_0-­‐14.html      session-­‐1_0-­‐11.html  

Asser9on  Framework  for  OAuth2  JWT  Bearer  Token  Profiles  SAML  2.0  Bearer  Token  Profiles  Token  Revoca9on  MAC  Tokens  

The  OAuth2  AuthorizaUon  Framework  

(RFC  6749)  

OAuth2  Bearer  Token  Usage  

(RFC  6750)  

Core  (proposed  standards)  

Threat  Model  and    Security  ConsideraUons  

(RFC  6819)  

Informa9onal  

hdp://datatracker.ief.org/wg/oauth/  

37  @leastprivilege  

Bearer Token!!A security token with the property that any party !in possession of the token (a "bearer") can use the !token in any way that any other party in possession !of it can. Using a bearer token does not !require a bearer to prove possession of !cryptographic key material (proof-of-possession).!

38  @leastprivilege  

Developers  &  SSL  

39  @leastprivilege  

Infrastructure  &  SSL  

hdp://gigaom.com/2013/01/10/nokia-­‐yes-­‐we-­‐decrypt-­‐your-­‐hdps-­‐data-­‐but-­‐dont-­‐worry-­‐about-­‐it/  

40  @leastprivilege  

Security  Theater  

hdps://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp    

41  @leastprivilege  

OAuth2  for  Authen9ca9on  

•  OAuth2  is  for  authorizaUon  –  authen9ca9on  is  a  pre-­‐requisite  for  that  

•  What  many  people  really  want  is:  –  let's  use  OAuth2  for  authen9ca9on  

•  "Sign-­‐in  with  social  provider  X"  •  à  especially  mobile  apps  

h.p://www.thread-­‐safe.com/2012/01/problem-­‐with-­‐oauth-­‐for-­‐authenUcaUon.html  

42  @leastprivilege  

OAuth2  for  Authen9ca9on:  Request  

UserInfo  RS  

Resource  Owner   Client  

GET  /authorize?      client_id=nativeapp&      redirect_uri=http://localhost/cb&      scope=userinfo&      response_type=token&      state=123  

Authoriza9on  Server  

43  @leastprivilege  

OAuth2  for  Authen9ca9on:  Response  

UserInfo  RS  

Resource  Owner   Client  

GET  /cb?      access_token=abc&      userid=123&      expires_in=3600&      state=123  

Authoriza9on  Server  

44  @leastprivilege  

OAuth2  for  Authen9ca9on:  Accessing  User  Data  

UserInfo  RS  

Resource  Owner   Client  

GET  /userinfo      Authorization:          Bearer  access_token  

Firstname,  Lastname,  Email…  

45  @leastprivilege  

The  Problem  

1.   User  logs  into  malicious  app  (app  steals  token)  

userid,  access  token  

2.  Malicious  developer  uses  stolen    access  token  in  legiUmate  app  

access  token  

Impersonated!

46  @leastprivilege  

(Other  recent)  Facebook  Hacks  

•  h.p://www.darkreading.com/blog/240148995/      the-­‐road-­‐to-­‐hell-­‐is-­‐authenUcated-­‐by-­‐facebook.html  

•  h.p://homakov.blogspot.no/2013/02/hacking-­‐facebook-­‐with-­‐oauth2-­‐and-­‐chrome.html  

•  www.nirgoldshlager.com/2013/03/      how-­‐i-­‐hacked-­‐any-­‐facebook-­‐accountagain.html  

47  @leastprivilege  

Conclusion  •  OAuth2  is  already  widely  used  on  the  internet  •  It  will  find  its  way  into  your  scenarios  

•  Current  implementaUons  are  lacking  –  even  by  the  big  guys  –  let  alone  the  myriad  of  DIY  implementa9ons  

•  Spec  needs  some  refinement  –  "basic  profile"  –  MAC  tokens  

•  Very  good  &  balanced  view  –  hdps://www.tbray.org/ongoing/When/201x/2013/01/23/OAuth