2019 - Tech Talk DC - Token-based security for web applications using OAuth2 and OpenID Connect
1. TOKEN-BASED SECURITY FOR WEB APPLICATIONS USING OAUTH2 AND OPENID CONNECT
Presented by Vladimir Bychkov
Email: bychkov@gmail.com
Tech Talk DC 2019
2. About Vladimir Bychkov
• SOFTWARE CRAFTSMAN AT EASTBANC TECHNOLOGIES
• LINKEDIN: WWW.LINKEDIN.COM/IN/BYCHKOFF/
• EMAIL: BYCHKOV@GMAIL.COM
• WEBSITES: EASTBANCTECH.COM, WWW.KUBLR.COM
3. EastBanc Technologies | Custom Software Development
Cutting Edge Software Development.
Based in Georgetown.
We are hiring!
www.eastbanctech.com
7. Delegated Authorization
[Diagram: the user enters their bank (PenFed) username and password into a third-party web client (browser -> client frontend -> client backend, https + cookie); the client backend then acts as a banking client against the bank's web backend (https + cookie) to read the user's transactions]
• 3rd party has to store password
• No way to limit scope
• Cannot revoke access (other than changing password)
8. OAuth 2.0 - Overview
• OAUTH 2.0 IS THE INDUSTRY-STANDARD PROTOCOL FOR DELEGATED AUTHORIZATION
• PUBLISHED AS IETF RFC6749 IN OCTOBER 2012
• INITIAL PURPOSE – GIVE 3RD PARTY SOFTWARE ACCESS ON USER’S BEHALF
• LINGO:
  • RESOURCE OWNER => USER (HUMAN)
  • CLIENT => 3RD PARTY SOFTWARE (APP/SERVICE)
  • AUTHORIZATION SERVER => WEB SERVICE (VERIFIES IDENTITY AND ISSUES TOKENS)
  • RESOURCE SERVER => WEB SERVICE/API HOSTING PROTECTED RESOURCES
  • AUTHORIZATION GRANT (FLOW) => STANDARD PROCESS TO OBTAIN USER’S AUTHORIZATION
  • SCOPE => LEVEL OF ACCESS
  • CONSENT => USER’S PERMISSION TO GRANT ACCESS
  • ACCESS CODE (AUTHORIZATION CODE) => TEMP CODE TO OBTAIN ACCESS TOKEN
  • ACCESS TOKEN => TEMP AND SCOPED CREDENTIALS TO ACCESS USER’S RESOURCES
9. OAuth 2.0 – Endpoints (SSL required)
• AUTHORIZATION ENDPOINT
  • USED TO INTERACT WITH THE RESOURCE OWNER AND OBTAIN AN AUTHORIZATION GRANT. THE AUTHORIZATION SERVER MUST FIRST VERIFY THE IDENTITY OF THE RESOURCE OWNER.
• TOKEN ENDPOINT
  • USED BY THE CLIENT TO OBTAIN AN ACCESS TOKEN BY PRESENTING ITS AUTHORIZATION GRANT OR REFRESH TOKEN.
• REDIRECTION ENDPOINT (CLIENT)
11. OAuth 2.0 - Architecture
[Diagram: the Resource owner (User) presents a Grant (Credentials) to the Authorization server (Security Token Service, STS), which issues a Token to the Client (Relying Party, RP); the Client presents that Token to the Resource server (Resources)]
12. OAuth 2.0 - Grants
Grant type                 | Client type / Use case
Client Credentials         | For clients, such as web services, acting on their own behalf.
Authorization code w/ PKCE | Intended for traditional web applications with a backend as well as native (mobile or desktop) applications to take advantage of single sign-on via the system browser.
Resource Owner Password    | For trusted native clients where the application and the authorization server belong to the same provider.
Implicit                   | Intended for browser-based (JavaScript) applications without a backend.
Refresh token              | A special grant to let clients refresh their access token without having to go through the steps of a code or password grant again.
Device code                | For devices without a browser or with constrained input, such as a smart TV, media console, printer, etc.
Token exchange             | Lets applications and services obtain an access token in delegation and impersonation scenarios.
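The authorization code grant with PKCE from the table, worked through on the client side as an added example (this is not code from the talk or from any library). It generates the code_verifier and S256 code_challenge per RFC 7636, builds the authorization request with a state and nonce, checks the state on the redirect back, and shows the recomputation the authorization server does at the token endpoint. The endpoint URLs, client id and redirect URI are constructed placeholders.

```python
"""Authorization code grant with PKCE (RFC 7636), client side.

Added example, not from the talk. Endpoint URLs, client id and redirect URI
are assumed placeholders; the callback URL in __main__ is constructed.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://sts.example.com/connect/authorize"  # assumed
TOKEN_ENDPOINT = "https://sts.example.com/connect/token"          # assumed
CLIENT_ID = "example-web-app"                                     # assumed
REDIRECT_URI = "https://app.example.com/signin-oidc"              # assumed


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 url-safe chars (RFC 7636 allows 43..128 chars)
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(verifier: str, state: str, nonce: str,
                                scope: str = "openid profile") -> str:
    """URL the client redirects the browser to (the authorization endpoint)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,            # binds the callback to this browser session
        "nonce": nonce,            # echoed in the ID token (OpenID Connect)
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect; reject a bad state or an error."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body the client backend POSTs to the token endpoint over TLS."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,   # proves this client started the flow
    }


def server_checks_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute and compare."""
    return hmac.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    print(build_authorization_request(verifier, state, nonce))
    # Constructed callback, as the browser would deliver it after consent:
    callback = f"{REDIRECT_URI}?code=constructed-code-123&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request(code, verifier))
    print(server_checks_verifier(code_challenge_s256(verifier), verifier))
```

The verifier never leaves the client until the token request, so an intercepted authorization code alone cannot be redeemed; the state check closes the matching hole on the callback side.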
13. OpenID Connect
• ID TOKEN (JWT)
• DISCOVERY ENDPOINT
• USER-INFO ENDPOINT (JSON SCHEMA)
• USES OAUTH 2 FLOWS TO OBTAIN ID TOKENS
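What the relying party must do with the ID token (JWT) before trusting it, as an added example that is not part of the talk: verify the signature with a pinned algorithm, then check issuer, audience, expiry and the nonce that was sent in the authorization request. To run on the standard library alone it signs with HS256 and the client secret; that is an assumption for the demo, since a real STS normally signs with RS256 and publishes its keys at the jwks_uri from the discovery endpoint. The issuer, client id and secret are constructed placeholders.

```python
"""Validating an OpenID Connect ID token on the relying party.

Added example, not from the talk. HS256 with a shared client secret is an
assumption so the code runs offline; issuer, audience and secret are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sts.example.com"             # assumed; must equal discovery "issuer"
CLIENT_ID = "example-web-app"                  # assumed; the expected "aud"
CLIENT_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """STS side (here only to produce test input): header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: float = None,
                      key: bytes = CLIENT_SECRET) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: never let the token's own "alg" choose the verifier
    # (that is how "alg":"none" and key-confusion bugs happen).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if "azp" in claims and claims["azp"] != CLIENT_ID:
        raise ValueError("authorized party is not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + 60:          # small clock-skew allowance
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:    # ties the token to our auth request
        raise ValueError("nonce mismatch (replay?)")
    return claims


def is_valid(token: str, expected_nonce: str, now: float = None,
             key: bytes = CLIENT_SECRET) -> bool:
    try:
        validate_id_token(token, expected_nonce, now=now, key=key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                         "exp": now + 300, "iat": now, "nonce": "n1"})
    print(validate_id_token(tok, "n1"))
```

Only after this function returns should the application create its own session cookie for the `sub` it contains; the user-info endpoint can then be called with the access token for additional claims.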
22. Web Apps – Other security concerns
• HTTPS ALL THE WAY!
• CROSS-SITE REQUEST FORGERY (CSRF)
  • ASP.NET CORE 2+ INJECTS ANTIFORGERY TOKENS AUTOMATICALLY WHEN USING TAG HELPERS
  • BUILT-IN ACTION FILTERS:
    • VALIDATEANTIFORGERYTOKEN
    • AUTOVALIDATEANTIFORGERYTOKEN
    • IGNOREANTIFORGERYTOKEN
• CROSS-SITE SCRIPTING (XSS)
  • VALIDATE USER INPUT (FORMS, QUERY STRING, HTTP HEADERS)
  • HTML/URL ENCODING
23. Web Apps – Other security concerns (cont.)
• CROSS-ORIGIN REQUESTS (CORS)
  • ENABLE CORS AND SET EXPLICIT POLICIES
• SECRET/KEY MANAGEMENT AND DATA PROTECTION
• OPEN REDIRECTS
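The three concerns from slides 22 and 23 that can be shown in code, as an added framework-neutral Python example (not from the talk and not ASP.NET Core's own antiforgery implementation): a synchronizer CSRF token in a hidden form field, the kind of check the ValidateAntiForgeryToken filter performs; HTML encoding of user input on output; and a local-URL check before following a return URL, which is the intent of the framework's Url.IsLocalUrl. The session store, form and host are constructed; the hidden field name matches the one ASP.NET Core uses.

```python
"""CSRF token, output encoding and open-redirect checks, framework-neutral.

Added example, not from the talk and not framework code. Session and form
dictionaries stand in for the request pipeline (constructed).
"""
import hmac
import html
import secrets
from urllib.parse import urlsplit

CSRF_FIELD = "__RequestVerificationToken"   # the hidden field name ASP.NET Core emits


# --- CSRF: synchronizer token pattern ---------------------------------------
def issue_csrf_token(session: dict) -> str:
    """Generate a per-session secret; the form embeds it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_form(session: dict, action: str) -> str:
    """Form markup with the antiforgery token, as a tag helper would inject it."""
    token = issue_csrf_token(session)
    return (f'<form method="post" action="{html.escape(action, quote=True)}">'
            f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
            '<input name="comment"><button>Post</button></form>')


def validate_csrf(session: dict, form: dict) -> bool:
    """Server-side check on every state-changing request (POST/PUT/DELETE)."""
    expected = session.get("csrf_token")
    presented = form.get(CSRF_FIELD, "")
    # A cross-site page cannot read the token out of our form, so it cannot forge it.
    return bool(expected) and hmac.compare_digest(expected, presented)


# --- XSS: encode untrusted input for the context it lands in ------------------
def render_comment(user_input: str) -> str:
    """html.escape encodes < > & " ' so markup in the input is displayed, not executed."""
    return f"<p>{html.escape(user_input, quote=True)}</p>"


# --- Open redirect: only follow return URLs that stay on this site ------------
def is_local_url(url: str) -> bool:
    """Accept only absolute paths on this host; reject anything with a scheme or authority."""
    if not url or not url.startswith("/"):
        return False
    if url.startswith("//") or url.startswith("/\\"):   # protocol-relative, backslash variants
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def safe_return_url(return_url: str, fallback: str = "/") -> str:
    """Redirect target to use after login: the requested one if local, else the fallback."""
    return return_url if is_local_url(return_url) else fallback


if __name__ == "__main__":
    session = {}
    print(render_form(session, "/comments"))
    print(validate_csrf(session, {CSRF_FIELD: session["csrf_token"]}))   # True
    print(validate_csrf(session, {CSRF_FIELD: "forged"}))                # False
    print(render_comment("<script>alert(1)</script>"))
    print(safe_return_url("//evil.example/phish"))                       # "/"
```

The antiforgery check only helps for requests that carry the session cookie, which is exactly the case CSRF exploits; API endpoints authenticated by a bearer token in the Authorization header are not forgeable the same way, and that is what the IgnoreAntiforgeryToken filter is for.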
24. Auth Middleware
Federation gateway (Before impl)
[Diagram: the ASP.NET Core web application's auth middleware talks over the Internet directly to each external identity provider (Google, Facebook, …, Azure AD)]
25. STS
Federation gateway (After impl)
[Diagram: the ASP.NET Core web application's auth middleware talks only to the STS; the STS in turn federates over the Internet to the external identity providers (Google, Facebook, …, Azure AD)]