Welcome to the Identity Tech Talk France
ForgeRock
On the proper use of OAuth2
Identity Tech Talk France
21 March 2019
Léonard Moustacchis
Prepared by Neil Madden
Are you using OAuth today?
What is OAuth?
• Original problem: enable 3rd party apps/sites to access my data without giving them my password
• OAuth: Protocol for delegated authorisation
• OAuth 1 – 2007 (RFC 5849 in 2010)
• OAuth 2 – 2012 (RFC 6749)
• Now:
• Lots of extensions
• Used outside of Web – mobile, IoT, microservices
• Uses beyond delegated authZ – OpenID Connect, UMA
Copyright © 2018 ForgeRock. All rights reserved
The Dance
[Diagram: the Resource Owner (RO) wants to use the Client to access the Resource Server (RS). The Client requests access (scope) from the Authorization Server (AS); the RO authorizes access; the AS returns an access token to the Client; the Client presents that access token to the RS.]
OAuth 2 flows
• Implicit flow – access token returned directly from authorization request (redirect)
• In fragment ...#access_token=LGqTQrz71J8...
• Purely redirect-based
• Authorization code flow – a one-time code is returned
• Client makes direct call to AS to swap code for access token
• AS can directly authenticate the client
• Refresh token flow
• Previously authorized client
• Get new access token without bothering user, extend access
Basic security measures (not covered)
• Always use HTTPS everywhere
• Basic web security best practice
• Secure, HttpOnly, SameSite cookies
• Content-Security-Policy
• Keep client credentials secret
• Don’t check into Git!
• A client_secret is not a password – should be of high entropy
• Use a unique random “state” parameter on all auth requests
• Use limited scope access tokens
Resource Server
Where to put the access token
• 4 main choices (for HTTP):
• In URL parameter: ?access_token=LGqTQrz71J8...
• In Cookie: Cookie: accesstoken=LGqTQrz71J8...
• In POST body (form/x-www-form-urlencoded)
• In a header
• URL parameter – bad!
• Leaks in access logs of servers, proxies, and Referer header
• Cookie – beware CSRF, cookie hijacking, cookie blocking
• POST body – better, but mixes authorization with application data
Copyright © 2018 ForgeRock. All rights reserved
Authorization: Bearer
POST /api/foo HTTP/1.1
Authorization: Bearer LGqTQrz71J8...
...
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer scope="foo bar"
• Standard approach (RFC 6750)
• Middle-boxes, caches all know about Authorization headers
• Triggers same-origin policy/CORS protections in browsers
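The slide above shows the request/challenge pair an RFC 6750 resource server exchanges with a client. The following is an added example (not code from the slides or from ForgeRock) of the resource-server side: it accepts a token only from the Authorization header, never from the query string, and answers with the WWW-Authenticate challenge, without an error code when no credentials were sent and with error="invalid_token" when the token is unusable. The token value, the realm name and the ACCEPTED_TOKENS set are constructed for the example.

```python
"""Resource-server handling of "Authorization: Bearer" tokens (RFC 6750).

Added example; not code from the slides or from ForgeRock. Token values,
the realm name and the ACCEPTED_TOKENS set are constructed for illustration.
"""
import re
from typing import Optional

# RFC 6750 s2.1: "Bearer" b64token, where b64token is
# 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
# The scheme name is matched case-insensitively, as HTTP auth schemes are.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Constructed set of tokens this RS currently accepts.
ACCEPTED_TOKENS = {"LGqTQrz71J8"}


def extract_bearer_token(headers: dict) -> Optional[str]:
    """Return the token carried in the Authorization header, or None.

    Only the header is consulted. A token in the query string is ignored on
    purpose: it would be written to access logs and leak via Referer.
    """
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    match = _BEARER_RE.match(value.strip())
    return match.group(1) if match else None


def challenge(required_scope: str, error: Optional[str] = None) -> str:
    """Build the WWW-Authenticate value for a 401 (RFC 6750 s3).

    With no credentials at all the challenge carries no error code; a
    present-but-unusable token gets error="invalid_token".
    """
    parts = ['realm="api"', f'scope="{required_scope}"']
    if error:
        parts.append(f'error="{error}"')
    return "Bearer " + ", ".join(parts)


def handle_request(request: dict, required_scope: str, accepted: set) -> dict:
    """Minimal request handler: 401 with a Bearer challenge, or 200."""
    token = extract_bearer_token(request.get("headers", {}))
    if token is None:
        return {"status": 401,
                "headers": {"WWW-Authenticate": challenge(required_scope)}}
    if token not in accepted:
        return {"status": 401,
                "headers": {"WWW-Authenticate": challenge(required_scope, "invalid_token")}}
    return {"status": 200, "body": "ok"}
```

Because extract_bearer_token only reads the header, a request that carries ?access_token=... in the URL but no Authorization header is treated as unauthenticated and gets the plain challenge, which is the behaviour the "URL parameter – bad!" bullet argues for.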
How to validate an access token?
• Scope: up to the RS – what makes sense to the user?
• Validation unspecified: up to the AS and RS to agree
• But see Token Introspection (RFC 7662)
• Popular choice:
• access token is a signed JWT
• can be verified by RS alone
• But... what about revocation?
• Answer:
• Short-lived access tokens
• Client must refresh frequently
The fallacy of the short attack window
• How short should access token lifetime be?
• Minutes?
• Hours?
• Facebook “View As” OAuth attack in September
• 50 million accounts affected
• 90 million access tokens revoked afterwards
• Highly automated
• How long was each compromised token used for?
• Seconds? Milliseconds?
• Short life-times should not be primary protection measure
Token introspection (RFC 7662)
[Diagram: the Client presents an access token to the Resource Server (RS); the RS sends an introspection request (access_token=...) to the Authorization Server (AS); the AS answers whether the token is valid and with which scope.]
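To make the introspection round-trip concrete, here is an added example (not code from the slides or from ForgeRock) in which the AS is an in-process stand-in and the RS asks it about every token it receives. It shows why introspection answers the revocation question left open by self-contained JWTs: as soon as the AS forgets a token, the RS's next decision changes, with no waiting for an expiry. A real RS would POST token=... to the AS's introspection endpoint with its own client credentials and parse the JSON reply; the token values, subjects and audience URL below are constructed.

```python
"""Token introspection (RFC 7662) as seen from the resource server.

Added example; not code from the slides or from ForgeRock. The AS is an
in-process stand-in: a real RS would POST token=... to the AS's
introspection endpoint, authenticate itself, and parse the JSON reply.
Token values, subjects and the audience URL are constructed.
"""
import time

# Constructed AS token store: token -> record. Revocation deletes the record.
_AS_TOKENS = {}


def as_issue(token: str, scope: str, sub: str, aud: str, lifetime_s: int = 300) -> None:
    """Stand-in for the AS issuing a token with the given lifetime."""
    _AS_TOKENS[token] = {"scope": scope, "sub": sub, "aud": aud,
                         "exp": int(time.time()) + lifetime_s}


def as_revoke(token: str) -> None:
    """Stand-in for revocation: the token is forgotten immediately."""
    _AS_TOKENS.pop(token, None)


def as_introspect(token: str) -> dict:
    """Stand-in for POST /introspect.

    RFC 7662 s2.2: unknown, expired and revoked tokens are all reported as
    {"active": false} with no further detail, so the RS cannot tell them apart.
    """
    rec = _AS_TOKENS.get(token)
    if rec is None or rec["exp"] <= time.time():
        return {"active": False}
    return {"active": True, **rec}


def rs_authorize(token: str, required_scope: str, my_audience: str) -> tuple:
    """RS decision for a bearer token: (allowed, reason-or-subject).

    Because the AS is consulted on every call, revocation takes effect at
    once, unlike a signed JWT that the RS validates on its own.
    """
    info = as_introspect(token)
    if not info.get("active"):
        return False, "invalid_token"
    # A token minted for another RS must not be accepted here.
    if info.get("aud") != my_audience:
        return False, "invalid_token"
    if required_scope not in info.get("scope", "").split():
        return False, "insufficient_scope"
    return True, info["sub"]
```

The audience check is the part most often forgotten: introspection tells the RS the token is live, but not that it was issued for this RS, so the RS must compare aud itself before honouring the scope.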
Q: Are we done now?
Mobile Clients
Mobile clients - old approach
• Register with AS as public client
• Use a custom URL scheme for redirect:
• com.example.app:/callback
• OS will handover to your app when redirect occurs
• Use implicit flow
• Spawn in-app embedded web view
What’s wrong with this approach?
• Custom URL schemes are not enforced unique
• Malicious app can register same scheme
• Either app could get handed the access token
• In-app web view: encourages poor practices
[Diagram: a Genuine App and a Malicious App both registered for the same custom scheme; the Authorization Server redirects to my-app:/cb?access_token=... and either app may receive it.]
Recommendations
• Use system browser to initiate flows
• Use claimed HTTPS redirects
• iOS: Universal Links
• Android: App Links
• Use the authorization code flow...
• ... with PKCE (RFC 7636)
PKCE: Proof Key for Code Exchange
[Sequence diagram between the Resource Owner (RO), the Client, the Resource Server (RS) and the Authorization Server (AS):]
• Client generates a random verifier, v
• Client → AS: request authorization with code_challenge=SHA-256(v)
• RO authorizes as normal
• AS → Client: authorization code
• Client → AS: request access token with code=<code>&code_verifier=<v>
• AS checks SHA-256(v) = challenge
• AS → Client: access token
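The sequence above, carried out end to end, as an added example (not code from the slides or from ForgeRock). Both sides are simulated in one process: the client functions build the authorization request with a fresh code_verifier and a fresh state (the "unique random state parameter" from the basic measures slide), and the AS functions perform the checks the server must make, namely that the code is single-use, that it is presented with the matching code_verifier, and that client_id and redirect_uri have not changed. The endpoint URL, client_id and redirect URI are constructed placeholders.

```python
"""Authorization code flow with PKCE (RFC 7636) and a per-request state.

Added example; not code from the slides or from ForgeRock. Both sides of
the exchange are simulated in-process. AS_AUTHORIZE, CLIENT_ID and
REDIRECT_URI are placeholders, not real endpoints.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AS_AUTHORIZE = "https://as.example/authorize"  # placeholder
CLIENT_ID = "spa-client"                         # placeholder
REDIRECT_URI = "https://app.example/cb"          # placeholder (claimed HTTPS redirect)


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """RFC 7636 s4.1: 43-128 unreserved chars; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(scope: str) -> tuple:
    """Client: returns (url, session); session holds what the client must
    remember (verifier and state) until the redirect comes back."""
    verifier = new_verifier()
    state = b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state,
        "code_challenge": challenge_for(verifier), "code_challenge_method": "S256",
    }
    return AS_AUTHORIZE + "?" + urlencode(params), {"verifier": verifier, "state": state}


# Constructed AS state: code -> what was bound to it at authorization time.
_PENDING_CODES = {}


def as_handle_authorize(url: str) -> str:
    """AS: after the RO approves, bind the challenge to a one-time code and
    redirect back with the code and the client's unchanged state."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("code_challenge_method") != "S256":
        raise ValueError("PKCE S256 required")
    code = b64url(secrets.token_bytes(16))
    _PENDING_CODES[code] = {"challenge": q["code_challenge"],
                            "client_id": q["client_id"], "redirect_uri": q["redirect_uri"]}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})


def as_token_endpoint(code: str, code_verifier: str, client_id: str, redirect_uri: str) -> dict:
    """AS: the code is consumed on first use (success or not) and only yields
    a token when SHA-256(verifier) equals the stored challenge."""
    pending = _PENDING_CODES.pop(code, None)
    if pending is None or pending["client_id"] != client_id \
            or pending["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}
    if not secrets.compare_digest(challenge_for(code_verifier), pending["challenge"]):
        return {"error": "invalid_grant"}
    return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def client_handle_callback(callback_url: str, session: dict) -> dict:
    """Client: reject a callback whose state is not ours, then swap the code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), session["state"]):
        return {"error": "state_mismatch"}
    return as_token_endpoint(q["code"], session["verifier"], CLIENT_ID, REDIRECT_URI)


def run_flow() -> dict:
    """Whole dance in one call: authorization request, redirect, code exchange."""
    url, session = build_authorization_request("foo bar")
    return client_handle_callback(as_handle_authorize(url), session)
```

A code intercepted on the redirect (the custom-scheme problem from the mobile slides) is useless to the interceptor because it never saw the verifier, and a replayed code fails because the AS consumed it on first presentation. The verifier/challenge pair from RFC 7636 Appendix B is used in the test to confirm the S256 derivation.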
Web Clients
Server-side clients
• Use authorization code flow
• Confidential client, so require authentication to AS
• What can go wrong?
• Credential theft
• Client secret recoverable from AS
• Consider private_key_jwt or mTLS authentication
• Code injection attack (replay)
• Use PKCE on server-side too!
• (But quite difficult attack model if using state properly)
Client-side web apps/SPAs
• Old advice: use implicit flow
• What can go wrong?
• Token sniffing from URL
• Referer leaks (document.referrer in iframe)
• But fragment not usually included
• Token injection
• Redirects include fragment
[Diagram: a Web Page containing a Legitimate Script and a Malicious Script; one access token arrives as /spa#access_token=LGqTQrz71J8... and a different one as /spa#access_token=Kt8Fc98cDE..., illustrating token injection through the fragment.]
New advice for SPAs
• One big change since OAuth 2.0 published (2012):
• CORS!
• Published in 2014
• Previously not possible for SPA to make cross-origin call to AS
• CORS changes that – allows SPA to use authorization code flow
• New advice: auth code + PKCE
• Public client, just like for mobile
Can’t move off implicit?
• Don’t Panic!
• The sky isn’t falling
• Web security best practice goes a long way
• Mitigations:
• Use OpenID Connect flows
• ID Token includes “at_hash”, “nonce” – prevents injection
• Consider even if you don’t care about authentication
• JARM – JWT-secure Authorization Response Mode
• Sender-constrained access tokens (PoP)
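The at_hash and nonce mitigation from the list above, as an added example (not code from the slides or from ForgeRock). OpenID Connect Core defines at_hash as the base64url encoding of the left-most half of the hash of the access token's ASCII bytes, with the hash taken from the ID token's signing algorithm (SHA-256 for RS256/ES256/HS256), and nonce as a value the client chose and must find echoed in the ID token. The code assumes the ID token signature has already been verified and that `claims` is its payload; the token strings and nonce are constructed.

```python
"""ID Token at_hash and nonce checks for an implicit-style SPA response.

Added example; not code from the slides or from ForgeRock. JWT signature
verification is assumed to have happened already: `claims` is the verified
ID token payload. Token strings and the nonce value are constructed.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlparse, parse_qs

# Hash used for at_hash follows the ID token's JWS alg (OIDC Core s3.2.2.9).
_ALG_HASH = {"RS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
             "RS384": hashlib.sha384, "ES384": hashlib.sha384,
             "RS512": hashlib.sha512, "ES512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_fragment(url: str) -> dict:
    """Implicit responses arrive in the fragment: /spa#access_token=...&id_token=..."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """base64url(left-most half of HASH(ASCII(access_token)))."""
    digest = _ALG_HASH[alg](access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def validate_implicit_response(fragment_params: dict, claims: dict,
                               expected_nonce: str, alg: str = "RS256") -> tuple:
    """Bind the access token in the fragment to the ID token. Returns (ok, reason)."""
    token = fragment_params.get("access_token")
    if token is None:
        return False, "missing_access_token"
    # nonce: the ID token must answer the request this client actually made,
    # so a token captured from another session cannot be replayed here.
    if not secrets.compare_digest(claims.get("nonce", ""), expected_nonce):
        return False, "nonce_mismatch"
    # at_hash: the access token next to the ID token must be the one the AS
    # issued with it; a token swapped in by another script fails this check.
    at_hash = claims.get("at_hash")
    if at_hash is None:
        return False, "missing_at_hash"
    if not secrets.compare_digest(at_hash, compute_at_hash(token, alg)):
        return False, "at_hash_mismatch"
    return True, "ok"
```

The point of running this even when the application does not care about authentication is the second check: without at_hash nothing ties the bearer token in the fragment to the user who just signed in, which is exactly the gap the token-injection diagram shows.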
Token binding and SPAs
• Within a web-page TLS is a shared resource
• No “same-origin” protections
• All scripts (sandboxed or not) use the same TLS connection when talking to the same origin
• TLS-level protections are not a silver bullet
• Token binding
• mTLS constrained access tokens
• Always prefer “Authorization: Bearer”
• Triggers SOP/CORS
Key take-aways
Take-aways
• Prefer the authorization code flow in all cases
• Even for SPAs
• Implicit likely to be deprecated
• Use PKCE
• Even for confidential clients
• Prefer Authorization: Bearer
• Security drafts in progress:
• draft-ietf-oauth-security-topics
• draft-parecki-oauth-browser-based-apps
THANK YOU!
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationWave PLM
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEJelle | Nordend
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownloadvrstrong314
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAlluxio, Inc.
 

Recently uploaded (20)

Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
GraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysisGraphAware - Transforming policing with graph-based intelligence analysis
GraphAware - Transforming policing with graph-based intelligence analysis
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
iGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by SkilrockiGaming Platform & Lottery Solutions by Skilrock
iGaming Platform & Lottery Solutions by Skilrock
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 

Using OAuth2 Correctly (De la bonne utilisation de OAuth2)

  • 1. Welcome to the Identity Tech Talk France, ForgeRock
  • 2. Using OAuth2 Correctly. Identity Tech Talk France, 21 March 2019. Léonard Moustacchis. Prepared by Neil Madden
  • 3. Are you using OAuth today?
  • 4. What is OAuth?
    • Original problem: enable 3rd party apps/sites to access my data without giving them my password
    • OAuth: Protocol for delegated authorisation
    • OAuth 1 – 2007 (RFC 5849 in 2010)
    • OAuth 2 – 2012 (RFC 6749)
    • Now:
      • Lots of extensions
      • Used outside of Web – mobile, IoT, microservices
      • Uses beyond delegated authZ – OpenID Connect, UMA
    Copyright © 2018 ForgeRock. All rights reserved
  • 5. The Dance
    (Diagram: the Resource Owner (RO) wants to use the Client to access the Resource Server (RS). The Client requests access (scope) from the Authorization Server (AS); the RO authorizes access; the AS returns an access token; the Client presents the access token to the RS.)
  • 6. OAuth 2 flows
    • Implicit flow – access token returned directly from authorization request (redirect)
      • In fragment ...#access_token=LGqTQrz71J8...
      • Purely redirect-based
    • Authorization code flow – a one-time code is returned
      • Client makes direct call to AS to swap code for access token
      • AS can directly authenticate the client
    • Refresh token flow
      • Previously authorized client
      • Get new access token without bothering user, extend access
  • 7. Basic security measures (not covered)
    • Always use HTTPS everywhere
    • Basic web security best practice
      • Secure, HttpOnly, SameSite cookies
      • Content-Security-Policy
    • Keep client credentials secret
      • Don’t check into Git!
      • A client_secret is not a password – should be of high entropy
    • Use a unique random “state” parameter on all auth requests
    • Use limited scope access tokens
  • 8. Resource Server
  • 9. Where to put the access token
    • 4 main choices (for HTTP):
      • In URL parameter: ?access_token=LGqTQrz71J8...
      • In Cookie: Cookie: accesstoken=LGqTQrz71J8...
      • In POST body (form/x-www-form-urlencoded)
      • In a header
    • URL parameter – bad!
      • Leaks in access logs of servers, proxies, and Referer header
    • Cookie – beware CSRF, cookie hijacking, cookie blocking
    • POST body – better, but mixes authorization with application data
  • 10. Authorization: Bearer
      POST /api/foo HTTP/1.1
      Authorization: Bearer LGqTQrz71J8...
      ...
      HTTP/1.1 401 Unauthorized
      WWW-Authenticate: Bearer scope="foo bar"
    • Standard approach (RFC 6750)
    • Middle-boxes, caches all know about Authorization headers
    • Triggers same-origin policy/CORS protections in browsers
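An added example for slides 9 and 10, not code from the ForgeRock deck: a resource server that reads the token only from the Authorization: Bearer header (RFC 6750), ignores the URL-parameter form the slide warns about, and answers with the WWW-Authenticate challenge the RFC requires when the token is missing, invalid, or short on scope. The request objects, the realm name "api", the token table and the two sample token strings are constructed stand-ins, not any framework's real API.

```python
# Added example, not code from the ForgeRock deck: a resource server taking the
# access token from "Authorization: Bearer" (RFC 6750) and answering with the
# WWW-Authenticate challenge when it is missing, invalid, or short on scope.
# Request objects, the realm "api" and the token table are constructed stand-ins.
import re
from typing import Callable, Dict, Optional, Tuple

# RFC 6750 §2.1: the scheme name is case-insensitive; the token uses b64token syntax.
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def _header(request: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in request.get("headers", {}).items():
        if key.lower() == name.lower():
            return value
    return None


def extract_bearer_token(request: dict) -> Optional[str]:
    """Return the bearer token from the Authorization header, or None if absent or malformed.
    Nothing here reads ?access_token= from the query string: that form leaks into
    access logs and the Referer header, so this RS simply does not honour it."""
    auth = _header(request, "Authorization")
    if auth is None:
        return None
    match = _BEARER_RE.match(auth.strip())
    return match.group(1) if match else None


def challenge(realm: str, scope: str, error: Optional[str] = None,
              status: int = 401) -> Tuple[int, Dict[str, str]]:
    """Build the response RFC 6750 §3 requires: WWW-Authenticate: Bearer realm=..., scope=..., error=..."""
    params = [f'realm="{realm}"', f'scope="{scope}"']
    if error is not None:
        params.append(f'error="{error}"')
    return status, {"WWW-Authenticate": "Bearer " + ", ".join(params)}


def handle_request(request: dict, required_scope: str,
                   validate: Callable[[str], Optional[dict]]) -> Tuple[int, Dict[str, str]]:
    """Authorise one API call. `validate` is whatever the RS agreed with the AS
    (local JWT check or introspection); it returns the token's claims or None."""
    token = extract_bearer_token(request)
    if token is None:
        # No usable credentials: plain challenge, no error code (RFC 6750 §3.1 says
        # not to add one when the client did not authenticate at all).
        return challenge("api", required_scope)
    claims = validate(token)
    if claims is None:
        return challenge("api", required_scope, "invalid_token")
    if required_scope not in claims.get("scope", "").split():
        # Valid token, wrong scope: 403 with error="insufficient_scope".
        return challenge("api", required_scope, "insufficient_scope", status=403)
    return 200, {}


# Constructed token table standing in for real validation.
_KNOWN_TOKENS = {
    "LGqTQrz71J8": {"sub": "alice", "scope": "foo bar"},
    "Kt8Fc98cDE": {"sub": "mallory", "scope": "baz"},
}


def lookup_validate(token: str) -> Optional[dict]:
    return _KNOWN_TOKENS.get(token)
```

A request carrying the token only as ?access_token= therefore gets the same bare 401 as a request with no credentials, which is the behaviour the slide argues for: the RS never reads the token from the place it would leak from.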
  • 11. How to validate an access token?
    • Scope: up to the RS – what makes sense to the user?
    • Validation unspecified: up to the AS and RS to agree
      • But see Token Introspection (RFC 7662)
    • Popular choice:
      • access token is a signed JWT
      • can be verified by RS alone
    • But... what about revocation?
    • Answer:
      • Short-lived access tokens
      • Client must refresh frequently
  • 12. The fallacy of the short attack window
    • How short should access token lifetime be?
      • Minutes?
      • Hours?
    • Facebook “View As” OAuth attack in September
      • 50 million accounts affected
      • 90 million access tokens revoked afterwards
      • Highly automated
    • How long was each compromised token used for?
      • Seconds? Milliseconds?
    • Short life-times should not be primary protection measure
  • 13. Token introspection (RFC 7662)
    (Diagram: the Client presents an access token to the Resource Server (RS); the RS sends an introspection request carrying access_token=... to the Authorization Server (AS); the AS answers whether the token is valid and with which scope.)
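An added example for slides 11 and 13, not code from the ForgeRock deck: one resource server checking the same access token both ways, locally as a signed JWT and through the authorization server's introspection (RFC 7662 response shape), to show concretely what local verification cannot see, namely a revocation at the AS. It assumes HS256 JWTs with a key shared by AS and RS (a simplification; an RS more often checks the AS's RS256/ES256 public key) and an in-process AuthorizationServer class standing in for the real /introspect endpoint; the key, subject and timestamps are constructed.

```python
# Added example, not code from the ForgeRock deck: one resource server checking
# the same access token two ways, locally (signed JWT) and via the
# authorization server's introspection (RFC 7662 response shape), to show what
# local verification cannot see: revocation. Assumptions: HS256 JWTs with a key
# shared by AS and RS (a simplification; an RS more often checks the AS's
# RS256/ES256 public key), and an in-process AS standing in for /introspect.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """AS side: mint a compact HS256 JWT, header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt_locally(token: str, key: bytes, required_scope: str,
                       now: Optional[float] = None) -> Optional[dict]:
    """RS side, no network call: signature, expiry and scope. Returns claims or None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token's header choose it
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims


class AuthorizationServer:
    """Minimal AS: issues tokens, records revocations, answers introspection."""

    def __init__(self, key: bytes):
        self.key = key
        self.issued = {}  # token -> {"claims": dict, "revoked": bool}

    def issue(self, sub: str, scope: str, lifetime: int, now: float) -> str:
        claims = {"sub": sub, "scope": scope, "iat": int(now), "exp": int(now) + lifetime}
        token = sign_jwt(claims, self.key)
        self.issued[token] = {"claims": claims, "revoked": False}
        return token

    def revoke(self, token: str) -> None:
        if token in self.issued:
            self.issued[token]["revoked"] = True

    def introspect(self, token: str, now: float) -> dict:
        """RFC 7662 §2.2: an inactive token gets only {"active": false}, nothing else."""
        entry = self.issued.get(token)
        if entry is None or entry["revoked"] or entry["claims"]["exp"] <= now:
            return {"active": False}
        return {"active": True, **entry["claims"]}


def rs_allows_via_introspection(auth_server: AuthorizationServer, token: str,
                                required_scope: str, now: float) -> bool:
    """RS side: ask the AS rather than trusting the JWT alone."""
    resp = auth_server.introspect(token, now)
    return bool(resp.get("active")) and required_scope in resp.get("scope", "").split()


def demo() -> dict:
    """Issue a 5-minute token, check it both ways, revoke it at the AS, check again."""
    now = 1_700_000_000.0  # constructed clock
    auth_server = AuthorizationServer(SHARED_KEY)
    token = auth_server.issue("alice", "foo bar", lifetime=300, now=now)
    before = {"local": verify_jwt_locally(token, SHARED_KEY, "foo", now) is not None,
              "introspect": rs_allows_via_introspection(auth_server, token, "foo", now)}
    auth_server.revoke(token)  # e.g. the user logged out or the AS saw a compromise
    after = {"local": verify_jwt_locally(token, SHARED_KEY, "foo", now + 1) is not None,
             "introspect": rs_allows_via_introspection(auth_server, token, "foo", now + 1)}
    return {"token": token, "before_revocation": before, "after_revocation": after}
```

After the revocation the local check still says yes for the remaining lifetime (the signature and exp are unchanged), while introspection says no at once; that gap is exactly what slide 12's short-lifetime argument is about, and why the slide concludes that lifetime alone is not the primary protection.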
  • 14. Q: Are we done now?
  • 16. Mobile clients - old approach
    • Register with AS as public client
    • Use a custom URL scheme for redirect:
      • com.example.app:/callback
      • OS will hand over to your app when redirect occurs
    • Use implicit flow
    • Spawn in-app embedded web view
  • 17. What’s wrong with this approach?
    • Custom URL schemes are not enforced unique
      • Malicious app can register same scheme
      • Either app could get handed the access token
    • In-app web view: encourages poor practices
    (Diagram: the Authorization Server redirects to my-app:/cb?access_token=..., and either the Genuine App or the Malicious App may receive it.)
  • 18. Recommendations
    • Use system browser to initiate flows
    • Use claimed HTTPS redirects
      • iOS: Universal Links
      • Android: App Links
    • Use the authorization code flow...
      • ... with PKCE (RFC 7636)
  • 19. PKCE: Proof Key for Code Exchange
    (Diagram, between Resource Owner (RO), Client, Resource Server (RS) and Authorization Server (AS): the Client generates a random verifier v and requests authorization with code_challenge=SHA-256(v); the RO authorizes as normal; the AS returns an authorization code; the Client requests an access token with code=<code>&code_verifier=<v>; the AS checks SHA-256(v) = challenge and returns the access token.)
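An added example for slide 19 (and the "state" item on slide 7), not code from the ForgeRock deck: the PKCE exchange of RFC 7636 with the client and the authorization server in one process, so both halves of the diagram are visible. The AuthorizationServer and Client classes, the client id com.example.app and the redirect URI are constructed stand-ins, and parameters travel as dicts rather than real HTTP redirects. The demo goes slightly beyond the diagram: it also shows a replayed code and a code obtained by another app (slide 17) being refused.

```python
# Added example, not code from the ForgeRock deck: the PKCE exchange of RFC 7636
# with the client and the authorization server in one process, plus the random
# "state" parameter from the basic-measures slide. The AS, the client and the
# redirect URI are constructed stand-ins; parameters are passed as dicts rather
# than real HTTP redirects.
import base64
import hashlib
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client: 32 random bytes -> 43 unreserved characters (RFC 7636 §4.1 wants 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256 (§4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    def __init__(self) -> None:
        self.pending: Dict[str, tuple] = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str, state: str) -> Dict[str, str]:
        """Authorization endpoint, after the resource owner has consented: bind the
        challenge to a fresh one-time code and send code + state back via the redirect."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection if the code leaks")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, redirect_uri, code_challenge)
        return {"code": code, "state": state}

    def token(self, client_id: str, redirect_uri: str, code: str,
              code_verifier: str) -> Optional[Dict[str, str]]:
        """Token endpoint: recompute SHA-256(v) and compare with what was stored at authorization time."""
        entry = self.pending.pop(code, None)  # a code is single use; a replay finds nothing
        if entry is None:
            return None
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # whoever holds the code but not v cannot finish the exchange
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class Client:
    """Public client (mobile app or SPA): no client secret, so PKCE and state are its only binding."""

    def __init__(self, auth_server: AuthorizationServer, client_id: str, redirect_uri: str) -> None:
        self.auth_server, self.client_id, self.redirect_uri = auth_server, client_id, redirect_uri
        self.state: Optional[str] = None
        self.verifier: Optional[str] = None

    def start(self) -> Dict[str, str]:
        """Generate v and state, keep both, send only SHA-256(v) with the authorization request."""
        self.state = secrets.token_urlsafe(16)
        self.verifier = make_code_verifier()
        return self.auth_server.authorize(self.client_id, self.redirect_uri,
                                          make_code_challenge(self.verifier), "S256", self.state)

    def finish(self, callback: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Handle the redirect back: check state first, then swap code + v for the token."""
        if self.state is None or not secrets.compare_digest(callback.get("state", ""), self.state):
            return None  # not a response to a request this client made
        self.state = None  # one-shot
        return self.auth_server.token(self.client_id, self.redirect_uri, callback["code"], self.verifier)


def demo() -> Dict[str, bool]:
    auth_server = AuthorizationServer()
    app = Client(auth_server, "com.example.app", "https://app.example.com/callback")

    happy = app.finish(app.start()) is not None  # the normal exchange succeeds

    callback = app.start()
    v = app.verifier
    assert app.finish(callback) is not None
    replayed = auth_server.token("com.example.app", "https://app.example.com/callback",
                                 callback["code"], v) is not None  # same code again: refused

    callback = app.start()  # suppose this redirect lands in another app registered for the scheme
    other = Client(auth_server, "com.example.app", "https://app.example.com/callback")
    other.start()  # that app has its own v, not the one behind this code
    stolen = auth_server.token("com.example.app", "https://app.example.com/callback",
                               callback["code"], other.verifier) is not None
    return {"happy_path": happy, "replay_rejected": not replayed, "intercepted_code_rejected": not stolen}
```

The test vector in the assertions is the one RFC 7636 Appendix B publishes, so the S256 computation can be checked against the spec rather than against itself.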
  • 20. Web Clients
  • 21. Server-side clients
    • Use authorization code flow
    • Confidential client, so require authentication to AS
    • What can go wrong?
      • Credential theft
        • Client secret recoverable from AS
        • Consider private_key_jwt or mTLS authentication
      • Code injection attack (replay)
        • Use PKCE on server-side too!
        • (But quite difficult attack model if using state properly)
  • 22. Client-side web apps/SPAs
    • Old advice: use implicit flow
    • What can go wrong?
      • Token sniffing from URL
        • Referer leaks (document.referrer in iframe)
        • But fragment not usually included
      • Token injection
        • Redirects include fragment
    (Diagram: a Web Page loaded as /spa#access_token=LGqTQrz71J8... runs a Legitimate Script and a Malicious Script; a second URL, /spa#access_token=Kt8Fc98cDE..., shows a different token arriving through the fragment.)
  • 23. New advice for SPAs
    • One big change since OAuth 2.0 published (2012):
      • CORS!
      • Published in 2014
    • Previously not possible for SPA to make cross-origin call to AS
    • CORS changes that – allows SPA to use authorization code flow
    • New advice: auth code + PKCE
      • Public client, just like for mobile
  • 24. Can’t move off implicit?
    • Don’t Panic!
      • The sky isn’t falling
      • Web security best practice goes a long way
    • Mitigations:
      • Use OpenID Connect flows
        • ID Token includes “at_hash”, “nonce” – prevents injection
        • Consider even if you don’t care about authentication
      • JARM – JWT Secured Authorization Response Mode
      • Sender-constrained access tokens (PoP)
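An added example for slide 24, not code from the ForgeRock deck: the two ID Token checks from OpenID Connect Core that the "at_hash / nonce" bullet relies on, as a browser client that still gets tokens in the fragment would apply them. It assumes the ID Token's signature has already been verified and its claims parsed (the usual JWT library step), and the issuer, subject, nonce and the two token strings are constructed samples; the second token string reuses the one from the slide 22 diagram to play the injected token.

```python
# Added example, not code from the ForgeRock deck: the "nonce" and "at_hash"
# checks from OpenID Connect Core that tie an ID Token to this client's request
# and to the access token delivered beside it. Assumes the ID Token signature has
# already been verified and its claims parsed; all values below are constructed.
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Hash function is chosen by the ID Token's signing alg (Core §3.1.3.6 / §3.2.2.10).
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, id_token_alg: str) -> str:
    """at_hash = base64url(left-most half of HASH(ASCII(access_token)))."""
    digest = _HASH_FOR_ALG[id_token_alg](access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def _same(a: object, b: str) -> bool:
    """Constant-time string comparison that tolerates a non-string claim value."""
    return isinstance(a, str) and hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_id_token_binding(id_claims: dict, id_token_alg: str, access_token: str,
                           expected_nonce: str) -> Optional[str]:
    """Return None when the ID Token belongs to this request and to this access token,
    otherwise a short reason. In the implicit flow at_hash is REQUIRED (Core §3.2.2.10)."""
    if not _same(id_claims.get("nonce"), expected_nonce):
        return "nonce mismatch: response was not issued for this client's request"
    if "at_hash" not in id_claims:
        return "at_hash missing: cannot tie the access token to the ID Token"
    if not _same(id_claims.get("at_hash"), compute_at_hash(access_token, id_token_alg)):
        return "at_hash mismatch: the access token beside this ID Token is not the one the AS issued with it"
    return None


def demo() -> dict:
    """Constructed scenario: the AS issued id_claims together with LGqTQrz71J8...;
    a script then swaps the fragment to carry Kt8Fc98cDE... (the injection on the SPA slide)."""
    nonce = secrets.token_urlsafe(16)  # the client generated this before redirecting to the AS
    issued_token = "LGqTQrz71J8..."
    id_claims = {"iss": "https://as.example", "sub": "alice", "nonce": nonce,
                 "at_hash": compute_at_hash(issued_token, "RS256")}
    return {
        "genuine": check_id_token_binding(id_claims, "RS256", issued_token, nonce),
        "injected_token": check_id_token_binding(id_claims, "RS256", "Kt8Fc98cDE...", nonce),
        "replayed_response": check_id_token_binding(id_claims, "RS256", issued_token, "other-nonce"),
    }
```

The nonce check is what makes a captured response useless in another session; the at_hash check is what stops a different access token being substituted next to a genuine ID Token. Both cost nothing beyond the signature verification the client already does, which is why the slide suggests them even for apps that do not otherwise need OpenID Connect's authentication.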
  • 25. Token binding and SPAs
    • Within a web-page TLS is a shared resource
      • No “same-origin” protections
      • All scripts (sandboxed or not) use the same TLS connection when talking to the same origin
    • TLS-level protections are not a silver bullet
      • Token binding
      • mTLS constrained access tokens
    • Always prefer “Authorization: Bearer”
      • Triggers SOP/CORS
  • 26. Key take-aways
  • 27. Take-aways
    • Prefer the authorization code flow in all cases
      • Even for SPAs
      • Implicit likely to be deprecated
    • Use PKCE
      • Even for confidential clients
    • Prefer Authorization: Bearer
    • Security drafts in progress:
      • draft-ietf-oauth-security-topics
      • draft-parecki-oauth-browser-based-apps
  • 28. THANK YOU!