On the proper use of OAuth2 (De la bonne utilisation de OAuth2)
Leonard Moustacchis
ForgeRock Identity Tech Talk presentation by Léonard Moustacchis, prepared by Neil Madden.
1.
Welcome to the Identity Tech Talk France, ForgeRock
2.
On the proper use of OAuth2
Identity Tech Talk France, 21 March 2019
Léonard Moustacchis. Prepared by Neil Madden.
3.
Are you using OAuth today?
4.
What is OAuth?
• Original problem: let third-party apps and sites access my data without giving them my password
• OAuth: a protocol for delegated authorisation
• OAuth 1: 2007 (RFC 5849 in 2010)
• OAuth 2: 2012 (RFC 6749)
• Now:
  • Lots of extensions
  • Used outside the web: mobile, IoT, microservices
  • Uses beyond delegated authorisation: OpenID Connect, UMA
Copyright © 2018 ForgeRock. All rights reserved
5.
The Dance
Participants: Resource Owner (RO), Client, Resource Server (RS), Authorization Server (AS).
• The RO wants to use the Client to access the RS
• The Client requests access (scope) from the AS
• The RO authorizes the access at the AS
• The AS issues an access token to the Client
• The Client presents the access token to the RS
6.
OAuth 2 flows
• Implicit flow: the access token is returned directly from the authorization request (redirect)
  • In the fragment: ...#access_token=LGqTQrz71J8...
  • Purely redirect-based
• Authorization code flow: a one-time code is returned
  • The client makes a direct call to the AS to swap the code for an access token
  • The AS can directly authenticate the client
• Refresh token flow
  • Previously authorized client
  • Get a new access token without bothering the user; extend access
7.
Basic security measures (not covered)
• Always use HTTPS, everywhere
• Basic web security best practice
  • Secure, HttpOnly, SameSite cookies
  • Content-Security-Policy
• Keep client credentials secret
  • Don't check them into Git!
  • A client_secret is not a password: it should be of high entropy
• Use a unique random "state" parameter on all authorization requests
• Use limited-scope access tokens
8.
Resource Server
9.
Where to put the access token
• Four main choices (for HTTP):
  • In a URL parameter: ?access_token=LGqTQrz71J8...
  • In a cookie: Cookie: accesstoken=LGqTQrz71J8...
  • In the POST body (application/x-www-form-urlencoded)
  • In a header
• URL parameter: bad!
  • Leaks into the access logs of servers and proxies, and into the Referer header
• Cookie: beware CSRF, cookie hijacking, cookie blocking
• POST body: better, but mixes authorization with application data
10.
Authorization: Bearer
POST /api/foo HTTP/1.1
Authorization: Bearer LGqTQrz71J8...
...

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer scope="foo bar"
• Standard approach (RFC 6750)
• Middle-boxes and caches all know about Authorization headers
• Triggers same-origin policy/CORS protections in browsers
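The resource-server side of slides 9 and 10 in code: accept the token only from the Authorization header, refuse the URL-parameter form outright, and answer with the RFC 6750 WWW-Authenticate challenge. This is an added example and is not code from the talk or from ForgeRock; the request is modelled as a method, URL and header dict so it runs without a web framework, the token table and realm name are constructed, and a real RS would verify a signature or call introspection instead of a lookup.

```python
"""Resource-server request authorization with bearer tokens (RFC 6750).

Added example, not code from the talk or from ForgeRock. KNOWN_TOKENS is a
constructed stand-in for real token validation.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed: tokens the RS currently accepts, mapped to their granted scopes.
KNOWN_TOKENS = {"LGqTQrz71J8": {"foo", "bar"}}


def extract_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>', or None.

    The scheme name is matched case-insensitively (HTTP auth schemes are);
    any other scheme, or a header with no credentials, yields None.
    """
    value = headers.get("authorization") or headers.get("Authorization")
    if not value:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token or None


def challenge(error=None, scope=None, status=401):
    """Build the response the RS sends when the token is missing or bad.

    With no credentials at all the challenge carries no error code; with bad
    credentials it says invalid_token; with too little scope it is a 403
    that names the scope the request needed (RFC 6750 section 3.1).
    """
    attrs = ['realm="api"']  # constructed realm name
    if error:
        attrs.append(f'error="{error}"')
    if scope:
        attrs.append(f'scope="{" ".join(sorted(scope))}"')
    return status, {"WWW-Authenticate": "Bearer " + ", ".join(attrs)}


def handle(method, url, headers, required_scope):
    """Authorize one request; returns (status, response_headers)."""
    query = parse_qs(urlsplit(url).query)
    # Refuse tokens in the query string even if they would be valid: they end
    # up in access logs, proxies and Referer headers (slide 9).
    if "access_token" in query:
        return challenge("invalid_request")
    token = extract_bearer(headers)
    if token is None:
        return challenge()
    granted = KNOWN_TOKENS.get(token)
    if granted is None:
        return challenge("invalid_token")
    if not required_scope <= granted:
        return challenge("insufficient_scope", required_scope, status=403)
    return 200, {}
```

Note that the bare challenge for a request with no credentials deliberately carries no error attribute: RFC 6750 reserves error codes for requests that did present a token, so an anonymous probe learns nothing about which tokens exist.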
11.
How to validate an access token?
• Scope: up to the RS to define; what makes sense to the user?
• Validation is unspecified: up to the AS and RS to agree
  • But see Token Introspection (RFC 7662)
• Popular choice:
  • The access token is a signed JWT
  • It can be verified by the RS alone
  • But... what about revocation?
• Answer:
  • Short-lived access tokens
  • The client must refresh frequently
12.
The fallacy of the short attack window
• How short should the access token lifetime be?
  • Minutes?
  • Hours?
• Facebook "View As" OAuth attack, September 2018
  • 50 million accounts affected
  • 90 million access tokens revoked afterwards
  • Highly automated
  • How long was each compromised token used for? Seconds? Milliseconds?
• Short lifetimes should not be the primary protection measure
13.
Token introspection (RFC 7662)
• The Client presents the access token to the Resource Server (RS)
• The RS calls the Authorization Server (AS): introspect access_token=...
• The AS answers: valid?, scope=...
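Slides 11 to 13 side by side in code: a resource server that verifies a signed JWT access token locally, and an RFC 7662 introspection endpoint that can also see revocation. The point of the example is the last step: after the AS revokes the token, the local signature check still passes, only introspection reports it inactive. This is an added example, not code from the talk or from ForgeRock. Assumptions: the JWT is signed with HMAC-SHA256 (HS256) so it runs on the standard library alone (a production AS would normally use an asymmetric algorithm such as RS256 so the RS holds no signing key); the issuer and audience URLs and the shared key are constructed; the introspection endpoint is a function with an in-memory revocation set.

```python
"""Local JWT validation versus token introspection (RFC 7662).

Added example, not code from the talk or from ForgeRock. HS256 is used only
so the example needs no crypto library; ISSUER, AUDIENCE and AS_KEY are
constructed values.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

AS_KEY = b"constructed-demo-key-do-not-reuse"   # constructed shared HS256 key
ISSUER = "https://as.example.com"               # constructed issuer
AUDIENCE = "https://api.example.com"            # constructed RS identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, scope, lifetime_s, now=None):
    """AS side: issue a short-lived JWT access token with a jti for revocation."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "scope": scope,
              "iat": now, "exp": now + lifetime_s, "jti": secrets.token_urlsafe(12)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_locally(token, now=None):
    """RS side: check signature, issuer, audience and expiry with no network
    call. Returns the claims or None. Cannot know about revocation."""
    now = now if now is not None else time.time()
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        # Pin the algorithm: never let the token choose it ("alg": "none", etc.)
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(AS_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(c_b64))
    except (ValueError, TypeError):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


# Constructed: the AS's record of revoked token ids (an RFC 7009 revocation
# endpoint would populate this in practice).
REVOKED_JTI = set()


def introspect(token, now=None):
    """AS side: RFC 7662 response. 'active' is false for any token that is
    forged, expired or revoked, and an inactive token reveals nothing else."""
    claims = verify_locally(token, now)
    if claims is None or claims["jti"] in REVOKED_JTI:
        return {"active": False}
    return {"active": True, "scope": claims["scope"], "sub": claims["sub"], "exp": claims["exp"]}


def revoke(token, now=None):
    """AS side: mark a token revoked. Local verifiers will not notice."""
    claims = verify_locally(token, now)
    if claims is not None:
        REVOKED_JTI.add(claims["jti"])
```

The `now` parameter exists so that expiry can be tested deterministically; leave it out in real code so the clock is the system clock.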
14.
Q: Are we done now?
15.
Mobile Clients
16.
Mobile clients: the old approach
• Register with the AS as a public client
• Use a custom URL scheme for the redirect:
  • com.example.app:/callback
  • The OS hands over to your app when the redirect occurs
• Use the implicit flow
• Spawn an in-app embedded web view
17.
What's wrong with this approach?
• Custom URL schemes are not enforced to be unique
  • A malicious app can register the same scheme
  • Either app could get handed the access token
• In-app web view: encourages poor practices
Diagram: the Authorization Server redirects to my-app:/cb?access_token=...; both the Genuine App and the Malicious App have registered the my-app scheme, so either may receive it.
18.
Recommendations
• Use the system browser to initiate flows
• Use claimed HTTPS redirects
  • iOS: Universal Links
  • Android: App Links
• Use the authorization code flow...
• ... with PKCE (RFC 7636)
19.
PKCE: Proof Key for Code Exchange
Participants: Resource Owner (RO), Client, Resource Server (RS), Authorization Server (AS).
• The Client generates a random verifier, v
• The Client requests authorization with code_challenge=base64url(SHA-256(v)) and code_challenge_method=S256
• The RO authorizes as normal
• The AS returns an authorization code
• The Client requests the access token with code=<code>&code_verifier=<v>
• The AS checks that base64url(SHA-256(v)) equals the stored challenge
• The AS returns the access token
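The PKCE exchange of slide 19, together with the `state` check of slide 7, with both the client and the authorization server in code, and the slide 17 interception scenario played through: a second party that sees the redirect and captures the code cannot redeem it without the verifier. The same client class is what the SPA (slide 23) and server-side client (slide 21, "use PKCE on the server side too") would use. This is an added example, not code from the talk or from ForgeRock. The authorization server is an in-memory class rather than HTTP endpoints, the client id and redirect URI are constructed, and the "malicious app" is simulated by calling the token endpoint with the captured code and a freshly made verifier.

```python
"""PKCE (RFC 7636, S256 method) with the state parameter, both sides.

Added example, not code from the talk or from ForgeRock. AuthorizationServer
and Client are in-memory models; client_id and redirect_uri are constructed.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 requires base64url encoding without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum.
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal AS: remembers the challenge bound to each code it issues."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, method, state):
        if method != "S256":  # refuse the 'plain' method
            raise ValueError("unsupported_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        # state is echoed back untouched; only the client can judge it.
        return {"code": code, "state": state}

    def token(self, client_id, redirect_uri, code, code_verifier):
        # One-time use: a failed or repeated exchange burns the code.
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(make_challenge(code_verifier), entry[2]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class Client:
    """Public client (mobile app or SPA): one verifier and state per request."""

    def __init__(self, aserver, client_id, redirect_uri):
        self.aserver, self.client_id, self.redirect_uri = aserver, client_id, redirect_uri
        self._pending = {}  # state -> verifier, held in app memory only

    def start(self):
        verifier, state = make_verifier(), secrets.token_urlsafe(16)
        self._pending[state] = verifier
        return self.aserver.authorize(self.client_id, self.redirect_uri,
                                      make_challenge(verifier), "S256", state)

    def finish(self, redirect_params):
        verifier = self._pending.pop(redirect_params.get("state"), None)
        if verifier is None:  # unknown or reused state: CSRF or code injection
            return {"error": "state_mismatch"}
        return self.aserver.token(self.client_id, self.redirect_uri,
                                  redirect_params["code"], verifier)


def run_scenarios():
    """Returns (genuine, replay, stolen, injected) token-endpoint results."""
    aserver = AuthorizationServer()
    app = Client(aserver, "com.example.app", "com.example.app:/callback")
    # 1. Genuine flow: the app that started the request finishes it.
    redirect = app.start()
    genuine = app.finish(redirect)
    # 2. Replaying the same code, even with the right verifier, is refused.
    replay = aserver.token("com.example.app", "com.example.app:/callback",
                           redirect["code"], make_verifier())
    # 3. Interception (slide 17): a malicious app registered for the same URL
    #    scheme receives a new redirect first, but holds no verifier.
    redirect2 = app.start()
    stolen = aserver.token("com.example.app", "com.example.app:/callback",
                           redirect2["code"], make_verifier())
    # 4. Code injection: the genuine app is handed a redirect it never started.
    injected = app.finish({"code": "attacker-code", "state": "not-ours"})
    return genuine, replay, stolen, injected
```

Because a failed exchange burns the code in scenario 3, the genuine user sees an error and simply authorizes again; the attacker never obtains a token. The verifier must never leave the app process, so a client that stores it in a cookie or the URL has defeated the purpose.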
20.
Web Clients
21.
Server-side clients
• Use the authorization code flow
• Confidential client, so require authentication to the AS
• What can go wrong?
  • Credential theft
  • Client secret recoverable from the AS
    • Consider private_key_jwt or mTLS client authentication
  • Authorization code injection (replay)
    • Use PKCE on the server side too!
    • (But quite a difficult attack model if state is used properly)
22.
Client-side web apps/SPAs
• Old advice: use the implicit flow
• What can go wrong?
  • Token sniffing from the URL
    • Referer leaks (document.referrer in an iframe)
    • But the fragment is not usually included
  • Token injection
    • Redirects include the fragment
Diagram: the web page is loaded at /spa#access_token=LGqTQrz71J8...; a Legitimate Script and a Malicious Script run in the same page, and the malicious script redirects to /spa#access_token=Kt8Fc98cDE..., injecting a token of its choosing.
23.
New advice for SPAs
• One big change since OAuth 2.0 was published (2012): CORS!
  • Published in 2014
  • Previously it was not possible for an SPA to make a cross-origin call to the AS
  • CORS changes that: it allows the SPA to use the authorization code flow
• New advice: authorization code + PKCE
  • Public client, just like for mobile
24.
Can't move off implicit?
• Don't panic! The sky isn't falling
• Web security best practice goes a long way
• Mitigations:
  • Use OpenID Connect flows
    • The ID Token includes "at_hash" and "nonce", which prevent injection
    • Consider it even if you don't care about authentication
  • JARM (JWT Secured Authorization Response Mode)
  • Sender-constrained access tokens (PoP)
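The first mitigation on slide 24 in code: a client that stays on the implicit (or hybrid) flow binds the access token it received to the ID Token by checking `at_hash`, and ties the response to its own request with a one-time `nonce`, as OpenID Connect Core prescribes. An injected access token, even a perfectly valid one issued to somebody else, fails the `at_hash` comparison because the hash was signed into the ID Token by the OP. This is an added example, not code from the talk or from ForgeRock. It assumes the ID Token's signature has already been verified (that needs the OP's public key, which is outside this snippet) and represents the ID Token by its claims dict; the issuer, client id, subject and token strings are constructed.

```python
"""at_hash and nonce validation for implicit/hybrid responses (OpenID Connect).

Added example, not code from the talk or from ForgeRock. Signature
verification of the ID Token is assumed done; claims are passed as a dict.
"""
import base64
import hashlib
import secrets

# The hash for at_hash follows the ID Token's JWS alg: SHA-256 for RS256/ES256/
# HS256, SHA-384 for the *384 variants, SHA-512 for the *512 variants.
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash = base64url(left-most half of hash(ASCII(access_token)))."""
    digest = _HASH_FOR_ALG[alg[-3:]](access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


class ImplicitClient:
    """Client-side state for logins in flight: the nonces it has sent."""

    def __init__(self, client_id, issuer):
        self.client_id, self.issuer = client_id, issuer
        self._nonces = set()

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self._nonces.add(nonce)
        return nonce

    def accept(self, id_token_claims, id_token_alg, access_token, now):
        """True only if the ID Token answers a request we made and the access
        token in the redirect is the one the OP bound into it."""
        c = id_token_claims
        if c.get("iss") != self.issuer or c.get("aud") != self.client_id:
            return False
        if now >= c.get("exp", 0):
            return False
        # nonce: must be one we generated, and is consumed on first sight, so a
        # replayed or foreign response (slide 22 injection) is rejected.
        if c.get("nonce") not in self._nonces:
            return False
        self._nonces.discard(c["nonce"])
        # at_hash: an injected access token does not match the hash the OP
        # signed into the ID Token, however valid that token is elsewhere.
        expected = compute_at_hash(access_token, id_token_alg)
        return secrets.compare_digest(expected, c.get("at_hash", ""))


def build_id_token_claims(issuer, client_id, nonce, access_token, now, alg="RS256"):
    """OP side: the claims the OP signs when it returns id_token together with
    an access token (response_type=id_token token). Subject is constructed."""
    return {"iss": issuer, "aud": client_id, "sub": "user-123", "nonce": nonce,
            "iat": now, "exp": now + 600, "at_hash": compute_at_hash(access_token, alg)}
```

With `response_type=code id_token` the same construction applies to the authorization code through `c_hash`; the check is identical with the code in place of the access token.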
25.
Token binding and SPAs
• Within a web page, TLS is a shared resource
  • No "same-origin" protections
  • All scripts (sandboxed or not) use the same TLS connection when talking to the same origin
• TLS-level protections are not a silver bullet
  • Token binding
  • mTLS-constrained access tokens
• Always prefer "Authorization: Bearer"
  • Triggers SOP/CORS
26.
Key take-aways
27.
Take-aways
• Prefer the authorization code flow in all cases
  • Even for SPAs
  • Implicit is likely to be deprecated
• Use PKCE
  • Even for confidential clients
• Prefer Authorization: Bearer
• Security drafts in progress:
  • draft-ietf-oauth-security-topics
  • draft-parecki-oauth-browser-based-apps
28.
THANK YOU!