TL
Uploaded byTorsten Lodderstedt
PPTX, PDF403 views

NextGenPSD2 OAuth SCA Mode Security Recommendations

The document outlines security recommendations for implementing OAuth 2.0 in the context of payment initiation and account access using the SCA mode. Key focus areas include the separation of authentication and authorization, measures to prevent security threats such as impersonation and replay attacks, and the need for TPP (Third Party Provider) authentication through eIDAS certificates. Detailed procedures for managing authorization requests, token issuance, and API interaction are provided to mitigate risks associated with cross-browser attacks and unauthorized access.

Technologyâ—¦

Embed presentation

Downloaded 10 times
NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt @tlodderstedt yes®
OAuth 2.0 â—Ź Standard for API access authorization â—Ź Current version 2.0 published in 2012, broadly used and mature â—Ź Updated Security Guidlines under way Design pattern: â—Ź Separate authentication and authorization from actual API access â—Ź Delegate user interactions to service provider â—Ź User credentials are only touched by the service provider and no 3rd party â—Ź Versatile, secure and, privacy preserving
ASPSPUser AIS with OAuth SCA Mode - High Level Create Account Access Consent Use access_token for AIS AISP Consent-ID User gives authorization for Account Access with Consent-ID access_token OAuth Authorization Code Grant Start XS2A
Closer Look: OAuth SCA Mode GET /authorize?scope=AIS:<Consent-ID>&... Redirect to ASPSP Redirect to aisp.com/authok?code=foo42&... POST /token, code=foo42... Send code=foo42 Send access_token ASPSPUser AISP User gives authorization for account access (incl. SCA)
ASPSPUser PIS with OAuth SCA Mode - High Level Create Payment Resource Use access_token PISP Payment-ID User gives authorization for Payment with Payment-ID access_token OAuth Authorization Code Grant Start Payment
User What happens when? Payment Initiation ASPSP Use access_token PISP Payment-ID User gives authorization for Payment with Payment-ID access_token Start Payment Payment authorized & executed Payment prepared Potential attacks!
ASPSPAttacker Cross-Browser Payment Initiation Attack Payment Initiation PISP Payment-ID User gives authorization for Payment with Payment-ID Pay my order Redirect to ASPSP User Redirect to ASPSP Attacker disguises as a merchant. User thinks she pays for her order at the merchant, but instead pays for the attacker’s order at PISP! Attacker’s Payment executed! Pay my order All details: https://cutt.ly/cross-browser-payment-initation
Security of OAuth ● Many security features of OAuth against CSRF, Replay, … come into play after user authorization ● Security of OAuth lies in the access token ● Therefore, any subsequent process, including payment, should be performed with the access token, not within the user authorization process
User Better Solution! Payment Initiation ASPSP Use access_token PISP Payment-ID User gives authorization for Payment with Payment-ID access_token Start Payment Payment authorized Payment prepared Payment executed
Security Threats
Security Threats needed to be coped with â—Ź TPP Impersonation â—Ź TPP Privilege Exceedance â—Ź Open Redirection â—Ź CSRF â—Ź Authorization Code Replay â—Ź Mix-Up â—Ź Scope Swap â—Ź Access Token Replay More details can be found at https://tools.ietf.org/html/draft-ietf-oauth-security- topics
Security Recommendations
Security Advice in Detail GET /authorize?... Redirect to ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
Resource Creation GET /authorize?... Redirect to ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
Resource Creation â—Ź Mix-up attack* detection: TPP shall set up a redirect URI with the ASPSP which uniquely identifies the ASPSP Example: https://pisp.com/authok/aspsp2 *Mix-up attack: a malicious or compromised ASPSP confuses the TPP in order to learn an authorization code
Example Request POST https://api.testbank.com/v1/payments/sepa-credit-transfers Content-Type: application/json TPP-Redirect-URI: https%3A%2F%2Fpisp%2Ecom%2Fauthok%2Faspsp2 { "instructedAmount": { "currency": "EUR", "amount": "123" }, "creditor": { "name": "Merchant123" }, "creditorAccount": { "iban": "DE23100120020123456789" }, ... }
Resource Creation (ASPSP) ● TPP Impersonation and Privileges Exceedance: ASPSP needs to authentication TPP using eIDAS certificate and check TPP’s authorization to perform desired services.
Example Response HTTP/1.x 201 Created Location: https://api.testbank.com/psd2/v1/payments/sepa-credit-transfers/1234-wertiq-983 Content-Type: application/json { "transactionStatus": "RCVD", "paymentId": "1234-wertiq-983", "_links": { "scaOAuth": { "href": "https://www.testbank.com/oauth/.well-known/oauth-authorization-server" }, ... } } }
Example oauth-authorization-server { "issuer": "https://as.testbank.com", "authorization_endpoint": "https://as.example.com/authorize", "token_endpoint": "https://as.example.com/token", "token_endpoint_auth_methods_supported": ["tls_client_auth",”self_signed_tls_client_auth”], "scopes_supported": ["pis","ais","offline_access"], "response_types_supported": ["code"], "grant_types_supported": "authorization_code", "code_challenge_methods_supported": "S256", ... }
Authorization Request GET /authorize?... Redirect to ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
Authorization Request In preparation of sending the authorization request, the TPP shall 1. CSRF protection: Create a one-time use CSRF token to be conveyed to the ASPSP in the “state” parameter 2. Code replay protection: Create a one-time use nonce, whose SHA-256 value will be conveyed to the ASPSP in the “code_challenge” parameter 3. Bind those values to the current session in the user agent 4. Mix-Up protection: Memorize in the current session the identity of the ASPSP the request will be sent to
Example Request GET /authorise?response_type=code& client_id=PSDES%2DBDE%2D3DFD21& scope=pis%3A1234-wertiq-983& state=S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw& redirect_uri=https%3A%2F%2Fpisp%2Ecom%2Fauthok%2Faspsp2& code_challenge_method=S256& code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM HTTP/1.1 Host: as.testbank.com
Authorization Request The ASPSP upon receiving this request must perform these checks: ● Open Redirection Prevention: “redirect_uri” value must exactly match the value sent to the ASPSP with the request used to create the payment or consent resource in the header “TPP-Redirect-URI”. ● Otherwise, the ASPSP must refuse to process the request and must not redirect the user agent back to the TPP.
Authorization Response GET /authorize?... Redirect to ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
Authorization Response The TPP upon receiving this response shall perform the following checks: 1. Mix-Up detection: Redirect URI where the response was received must match the ASPSP the response was expected to come from. 2. CSRF detection: The “state” value is linked to the current session in the user agent. If any of these check fails, the TPP must refuse to process the authorization response.
Example Authorization Response HTTP/1.1 302 Found Location: https%3A%2F%2Fpisp%2Ecom%2Fauthok%2Faspsp2? code=SplxlOBeZQQYbYS6WxSbIA& state=S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw
Token Request GET /authorize?... Redirect to ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
Token Request The ASPSP upon receiving the request shall perform the following checks: 1. TPP impersonation detection: Authenticate TPP with eIDAS certificate 2. Code leakage and replay detection: Check that code is bound to the TPP (client_id), is still valid, and was sent to exactly the redirect URI conveyed in the “redirect_uri” request parameter. 3. Code injection detection: “code_verifier” value, when hashed with S256, matches the “code_challenge” value the code parameter is bound to (see [RFC7636], Section 4.6). If any of these check fails, the ASPSP must refuse to process the token request. See [RFC6749], Section 10 and [OAuth 2.0 Security BCP], Section 2.1
Example Token Request POST /token HTTP/1.1 Host: https://api.testbank.com Content-Type: application/x-www-form-urlencoded client_id=PSDES-BDE-3DFD21 &grant_type=authorisation_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fpisp%2Ecom%2Fauthok%2Faspsp2 &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Token Response GET /authorize?... Redirect to ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
Token Response ● Access Token Replay Detection: ASPSP issues access token that is bound to the TPP’s client certificate ● Scope swap prevention ○ ASPSP must return scope values assigned to the access token ○ Upon receiving the token response, the TPP must check whether the scope assigned to the access token is the same as requested in the authorization request. ○ If this check fails, the TPP must refuse to process the token response
Example Token Response HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token": "SlAV32hkKG", "token_type": "Bearer", "expires_in": 3600, "scope": "pis:1234-wertiq-983" }
API Requests GET /authorize?... Redirect to ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
API Requests â—Ź Access Token Replay Detection â—‹ On every API request, the TPP shall authenticate using TLS client authentication and its eIDAS certificate according to [mTLS], Section 3. â—‹ The resource server must check whether the certificate used for TLS Client Authentication matches the certificate the access token is bound to (see [mTLS], Section 3). â—Ź Authorization: The ASPSP must also check that the access token is still valid and whether the permission associated with the access token entitles the TPP to perform the specific request. â—Ź If any of these checks fails, the request must be refused by responding with a suitable HTTP Status code.
Security Recommendations (Overview) â—Ź Adhere to OAuth 2.0 Security Best Current Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) â—Ź TPP authentication and access token replay protection using OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens â—Ź Protection against code injection through Proof Key for Code Exchange â—Ź Protection against CSRF using session-bound state parameter values â—Ź Protection against Mix-Up attacks using session bound ASPSP specific redirect URIs â—Ź Protection against session-fixation type of attacks by utilizing OAuth grant flow as designed
Q&A! Latest Drafts & Publications OAuth 2.0 Security Best Current Practice https://tools.ietf.org/html/draft-ietf-oauth-security-topics OAuth 2.0 Pushed Authorization Requests (PAR) https://cutt.ly/oauth-transaction-authorization OAuth 2.0 Rich Authorization Requests (RAR) https://openid.net/specs/openid-financial-api-jarm-ID1.html JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) https://tools.ietf.org/html/draft-fett-oauth-dpop Cross-Browser Payment Initiation Attack https://cutt.ly/cross-browser-payment-initation OpenID Connect 4 Identity Assurance https://openid.net/specs/openid-connect-4-identity-assurance.html Dr. Torsten Lodderstedt CTO, yes.com torsten@yes.com @tlodderstedt yes® Talk to me about - Details on OAuth Security Best Practices - The OAuth Security Workshop - Other emerging OAuth & OpenID stuff - Partnering with and working at yes.com
Mix-Up Attack
Mix-Up Attack GET /authorize... ASPSPPISPUser Forward Redirect to ASPSP1 2 ASPSP 1 Redirect to aisp.com/authok?code=42&... GET /authok?code=42&... User gives authorization for account access POST /token, code=42... Attacker learns code!
Mitigation GET /authorize... Redirect to aisp.com/authok?aspsp=2&code=42&... GET /authok?aspsp=2&code=... ASPSPPISP User gives authorization for account access User Redirect to ASPSP1 2 ASPSP 1 PISP can detect attack here! Mismatch between intended ASPSP (1) and ASPSP identity in the redirect URI (2) 1 Uses unique redirect URI for each ASPSP, e.g., by encoding ASPSP ID into URI parameter. Forward 2

More Related Content

PPTX
Comprehensive overview FAPI 1 and FAPI 2
byTorsten Lodderstedt
 
PDF
Rich Authorization Requests
byTorsten Lodderstedt
 
PDF
Pushed Authorization Requests
byTorsten Lodderstedt
 
PDF
Comprehensive overview FAPI 1 and 2
byTorsten Lodderstedt
 
PPTX
NextGenPSD2 OAuth SCA Mode Security Recommendations
byTorsten Lodderstedt
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
PDF
OAuth Base Camp
byOliver Pfaff
 
PDF
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
Comprehensive overview FAPI 1 and FAPI 2
byTorsten Lodderstedt
 
Rich Authorization Requests
byTorsten Lodderstedt
 
Pushed Authorization Requests
byTorsten Lodderstedt
 
Comprehensive overview FAPI 1 and 2
byTorsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
byTorsten Lodderstedt
 
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
OAuth Base Camp
byOliver Pfaff
 
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 

What's hot

PDF
Full stack security
byDPC Consulting Ltd
 
PDF
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
PDF
CIS14: Developing with OAuth and OIDC Connect
byCloudIDSummit
 
PDF
What the Heck is OAuth and Open ID Connect? - UberConf 2017
byMatt Raible
 
PPT
Understanding OpenID
byPrabath Siriwardena
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PDF
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
byCodemotion
 
PDF
2016 pycontw web api authentication
byMicron Technology
 
PDF
Summary of OAuth 2.0 draft 8 memo
byRyo Ito
 
PDF
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PPTX
OpenID Connect 1.0 Explained
byEugene Siow
 
PPTX
OpenID Connect: An Overview
byPat Patterson
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
PPTX
Oauth 2.0 security
byvinoth kumar
 
PDF
Building an API Security Ecosystem
byPrabath Siriwardena
 
PPT
Security via Java
byBahaa Zaid
 
Full stack security
byDPC Consulting Ltd
 
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
CIS14: Developing with OAuth and OIDC Connect
byCloudIDSummit
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
byMatt Raible
 
Understanding OpenID
byPrabath Siriwardena
 
OAuth 2.0
byUwe Friedrichsen
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
byCodemotion
 
2016 pycontw web api authentication
byMicron Technology
 
Summary of OAuth 2.0 draft 8 memo
byRyo Ito
 
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
Demystifying OAuth 2.0
byKarl McGuinness
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
OpenID Connect 1.0 Explained
byEugene Siow
 
OpenID Connect: An Overview
byPat Patterson
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
Oauth 2.0 security
byvinoth kumar
 
Building an API Security Ecosystem
byPrabath Siriwardena
 
Security via Java
byBahaa Zaid
 

Similar to NextGenPSD2 OAuth SCA Mode Security Recommendations

PDF
Trends in Banking APIs
byTatsuo Kudo
 
PPTX
OAuth2 and OpenID with Spring Boot
byGeert Pante
 
PPTX
OAuth and OpenID Connect for PSD2 and Third-Party Access
byNordic APIs
 
PPTX
Enterprise Access Control Patterns for Rest and Web APIs
byCA API Management
 
PDF
Building a Fool Proof Security Strategy for PSD2 Compliance
byWSO2
 
PPTX
OAuth 2
byChrisWood262
 
PDF
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
byCA API Management
 
PPTX
Securing APIs with oAuth2
byMichae Blakeney
 
PDF
OAuth 2.0 Security Reinforced
byTorsten Lodderstedt
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PDF
Who Needs That FAPI Thing, Anyway? - Michal Trojanowski, Curity
byNordic APIs
 
PDF
Spring security oauth2
byaxykim00
 
PDF
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
PDF
De la bonne utilisation de OAuth2
byLeonard Moustacchis
 
PDF
Beyond API Authorization
byJared Hanson
 
PPTX
O auth
byAshok Kumar N
 
PDF
Jordan ahli bank plc psd2 api details
byahli bank
 
PDF
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
byapidays
 
PPTX
Securing API data models
byJonathan LeBlanc
 
Trends in Banking APIs
byTatsuo Kudo
 
OAuth2 and OpenID with Spring Boot
byGeert Pante
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
byNordic APIs
 
Enterprise Access Control Patterns for Rest and Web APIs
byCA API Management
 
Building a Fool Proof Security Strategy for PSD2 Compliance
byWSO2
 
OAuth 2
byChrisWood262
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
byCA API Management
 
Securing APIs with oAuth2
byMichae Blakeney
 
OAuth 2.0 Security Reinforced
byTorsten Lodderstedt
 
OAuth2 + API Security
byAmila Paranawithana
 
Who Needs That FAPI Thing, Anyway? - Michal Trojanowski, Curity
byNordic APIs
 
Spring security oauth2
byaxykim00
 
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
byJonathan LeBlanc
 
De la bonne utilisation de OAuth2
byLeonard Moustacchis
 
Beyond API Authorization
byJared Hanson
 
O auth
byAshok Kumar N
 
Jordan ahli bank plc psd2 api details
byahli bank
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
byapidays
 
Securing API data models
byJonathan LeBlanc
 

More from Torsten Lodderstedt

PDF
OpenID 4 Verifiable Credentials + HAIP (Update)
byTorsten Lodderstedt
 
PDF
The European Union goes Decentralized
byTorsten Lodderstedt
 
PDF
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
PDF
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
PPTX
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials @ IIW 36
byTorsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials (IIW 35)
byTorsten Lodderstedt
 
PPTX
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
PPTX
GAIN Presentation.pptx
byTorsten Lodderstedt
 
PDF
OpenID for SSI
byTorsten Lodderstedt
 
PDF
OpenID Connect 4 SSI (DIFCon F2F)
byTorsten Lodderstedt
 
PDF
OpenID Connect 4 SSI
byTorsten Lodderstedt
 
PDF
OpenID Connect 4 SSI (at EIC 2021)
byTorsten Lodderstedt
 
PDF
OIDC4VP for AB/C WG
byTorsten Lodderstedt
 
PDF
OpenID Connect 4 Identity Assurance at IIW #32
byTorsten Lodderstedt
 
PPTX
OpenID Connect for W3C Verifiable Credential Objects
byTorsten Lodderstedt
 
PPTX
Identity Assurance with OpenID Connect
byTorsten Lodderstedt
 
PDF
OpenID Connect for Identity Assurance
byTorsten Lodderstedt
 
PPTX
Identiverse: PSD2, Open Banking, and Technical Interoperability
byTorsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
byTorsten Lodderstedt
 
The European Union goes Decentralized
byTorsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
byTorsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
byTorsten Lodderstedt
 
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
OpenID for Verifiable Credentials (IIW 35)
byTorsten Lodderstedt
 
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
GAIN Presentation.pptx
byTorsten Lodderstedt
 
OpenID for SSI
byTorsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
byTorsten Lodderstedt
 
OpenID Connect 4 SSI
byTorsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
byTorsten Lodderstedt
 
OIDC4VP for AB/C WG
byTorsten Lodderstedt
 
OpenID Connect 4 Identity Assurance at IIW #32
byTorsten Lodderstedt
 
OpenID Connect for W3C Verifiable Credential Objects
byTorsten Lodderstedt
 
Identity Assurance with OpenID Connect
byTorsten Lodderstedt
 
OpenID Connect for Identity Assurance
byTorsten Lodderstedt
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
byTorsten Lodderstedt
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
API-First Architecture in Financial Systems
bycyy111112
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
December Patch Tuesday
byIvanti
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
The year in review - MarvelClient in 2025
bypanagenda
 

NextGenPSD2 OAuth SCA Mode Security Recommendations

  • 1.
    NextGenPSD2 OAuth SCAMode Security Recommendations Torsten Lodderstedt @tlodderstedt yes®
  • 2.
    OAuth 2.0 â—Ź Standardfor API access authorization â—Ź Current version 2.0 published in 2012, broadly used and mature â—Ź Updated Security Guidlines under way Design pattern: â—Ź Separate authentication and authorization from actual API access â—Ź Delegate user interactions to service provider â—Ź User credentials are only touched by the service provider and no 3rd party â—Ź Versatile, secure and, privacy preserving
  • 3.
    ASPSPUser AIS with OAuthSCA Mode - High Level Create Account Access Consent Use access_token for AIS AISP Consent-ID User gives authorization for Account Access with Consent-ID access_token OAuth Authorization Code Grant Start XS2A
  • 4.
    Closer Look: OAuthSCA Mode GET /authorize?scope=AIS:<Consent-ID>&... Redirect to ASPSP Redirect to aisp.com/authok?code=foo42&... POST /token, code=foo42... Send code=foo42 Send access_token ASPSPUser AISP User gives authorization for account access (incl. SCA)
  • 5.
    ASPSPUser PIS with OAuthSCA Mode - High Level Create Payment Resource Use access_token PISP Payment-ID User gives authorization for Payment with Payment-ID access_token OAuth Authorization Code Grant Start Payment
  • 6.
    User What happens when? PaymentInitiation ASPSP Use access_token PISP Payment-ID User gives authorization for Payment with Payment-ID access_token Start Payment Payment authorized & executed Payment prepared Potential attacks!
  • 7.
    ASPSPAttacker Cross-Browser Payment InitiationAttack Payment Initiation PISP Payment-ID User gives authorization for Payment with Payment-ID Pay my order Redirect to ASPSP User Redirect to ASPSP Attacker disguises as a merchant. User thinks she pays for her order at the merchant, but instead pays for the attacker’s order at PISP! Attacker’s Payment executed! Pay my order All details: https://cutt.ly/cross-browser-payment-initation
  • 8.
    Security of OAuth ●Many security features of OAuth against CSRF, Replay, … come into play after user authorization ● Security of OAuth lies in the access token ● Therefore, any subsequent process, including payment, should be performed with the access token, not within the user authorization process
  • 9.
    User Better Solution! Payment Initiation ASPSP Useaccess_token PISP Payment-ID User gives authorization for Payment with Payment-ID access_token Start Payment Payment authorized Payment prepared Payment executed
  • 10.
  • 11.
    Security Threats neededto be coped with â—Ź TPP Impersonation â—Ź TPP Privilege Exceedance â—Ź Open Redirection â—Ź CSRF â—Ź Authorization Code Replay â—Ź Mix-Up â—Ź Scope Swap â—Ź Access Token Replay More details can be found at https://tools.ietf.org/html/draft-ietf-oauth-security- topics
  • 12.
  • 13.
    Security Advice inDetail GET /authorize?... Redirect to ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
  • 14.
    Resource Creation GET /authorize?... Redirectto ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
  • 15.
    Resource Creation â—Ź Mix-upattack* detection: TPP shall set up a redirect URI with the ASPSP which uniquely identifies the ASPSP Example: https://pisp.com/authok/aspsp2 *Mix-up attack: a malicious or compromised ASPSP confuses the TPP in order to learn an authorization code
  • 16.
    Example Request POST https://api.testbank.com/v1/payments/sepa-credit-transfers Content-Type:application/json TPP-Redirect-URI: https%3A%2F%2Fpisp%2Ecom%2Fauthok%2Faspsp2 { "instructedAmount": { "currency": "EUR", "amount": "123" }, "creditor": { "name": "Merchant123" }, "creditorAccount": { "iban": "DE23100120020123456789" }, ... }
  • 17.
    Resource Creation (ASPSP) ●TPP Impersonation and Privileges Exceedance: ASPSP needs to authentication TPP using eIDAS certificate and check TPP’s authorization to perform desired services.
  • 18.
    Example Response HTTP/1.x 201Created Location: https://api.testbank.com/psd2/v1/payments/sepa-credit-transfers/1234-wertiq-983 Content-Type: application/json { "transactionStatus": "RCVD", "paymentId": "1234-wertiq-983", "_links": { "scaOAuth": { "href": "https://www.testbank.com/oauth/.well-known/oauth-authorization-server" }, ... } } }
  • 19.
    Example oauth-authorization-server { "issuer": "https://as.testbank.com", "authorization_endpoint":"https://as.example.com/authorize", "token_endpoint": "https://as.example.com/token", "token_endpoint_auth_methods_supported": ["tls_client_auth",”self_signed_tls_client_auth”], "scopes_supported": ["pis","ais","offline_access"], "response_types_supported": ["code"], "grant_types_supported": "authorization_code", "code_challenge_methods_supported": "S256", ... }
  • 20.
    Authorization Request GET /authorize?... Redirectto ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
  • 21.
    Authorization Request In preparationof sending the authorization request, the TPP shall 1. CSRF protection: Create a one-time use CSRF token to be conveyed to the ASPSP in the “state” parameter 2. Code replay protection: Create a one-time use nonce, whose SHA-256 value will be conveyed to the ASPSP in the “code_challenge” parameter 3. Bind those values to the current session in the user agent 4. Mix-Up protection: Memorize in the current session the identity of the ASPSP the request will be sent to
  • 22.
  • 23.
    Authorization Request The ASPSPupon receiving this request must perform these checks: ● Open Redirection Prevention: “redirect_uri” value must exactly match the value sent to the ASPSP with the request used to create the payment or consent resource in the header “TPP-Redirect-URI”. ● Otherwise, the ASPSP must refuse to process the request and must not redirect the user agent back to the TPP.
  • 24.
    Authorization Response GET /authorize?... Redirectto ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
  • 25.
    Authorization Response The TPPupon receiving this response shall perform the following checks: 1. Mix-Up detection: Redirect URI where the response was received must match the ASPSP the response was expected to come from. 2. CSRF detection: The “state” value is linked to the current session in the user agent. If any of these check fails, the TPP must refuse to process the authorization response.
  • 26.
    Example Authorization Response HTTP/1.1302 Found Location: https%3A%2F%2Fpisp%2Ecom%2Fauthok%2Faspsp2? code=SplxlOBeZQQYbYS6WxSbIA& state=S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw
  • 27.
    Token Request GET /authorize?... Redirectto ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
  • 28.
    Token Request The ASPSPupon receiving the request shall perform the following checks: 1. TPP impersonation detection: Authenticate TPP with eIDAS certificate 2. Code leakage and replay detection: Check that code is bound to the TPP (client_id), is still valid, and was sent to exactly the redirect URI conveyed in the “redirect_uri” request parameter. 3. Code injection detection: “code_verifier” value, when hashed with S256, matches the “code_challenge” value the code parameter is bound to (see [RFC7636], Section 4.6). If any of these check fails, the ASPSP must refuse to process the token request. See [RFC6749], Section 10 and [OAuth 2.0 Security BCP], Section 2.1
  • 29.
    Example Token Request POST/token HTTP/1.1 Host: https://api.testbank.com Content-Type: application/x-www-form-urlencoded client_id=PSDES-BDE-3DFD21 &grant_type=authorisation_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fpisp%2Ecom%2Fauthok%2Faspsp2 &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
  • 30.
    Token Response GET /authorize?... Redirectto ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
  • 31.
    Token Response ● AccessToken Replay Detection: ASPSP issues access token that is bound to the TPP’s client certificate ● Scope swap prevention ○ ASPSP must return scope values assigned to the access token ○ Upon receiving the token response, the TPP must check whether the scope assigned to the access token is the same as requested in the authorization request. ○ If this check fails, the TPP must refuse to process the token response
  • 32.
    Example Token Response HTTP/1.1200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token": "SlAV32hkKG", "token_type": "Bearer", "expires_in": 3600, "scope": "pis:1234-wertiq-983" }
  • 33.
    API Requests GET /authorize?... Redirectto ASPSP Redirect to aisp.com/authok?... POST /token Send code=foo42 Send access_token ASPSPUser PISP User gives authorization for account access Use access_token Start Create Payment Resource Payment ID
  • 34.
    API Requests â—Ź AccessToken Replay Detection â—‹ On every API request, the TPP shall authenticate using TLS client authentication and its eIDAS certificate according to [mTLS], Section 3. â—‹ The resource server must check whether the certificate used for TLS Client Authentication matches the certificate the access token is bound to (see [mTLS], Section 3). â—Ź Authorization: The ASPSP must also check that the access token is still valid and whether the permission associated with the access token entitles the TPP to perform the specific request. â—Ź If any of these checks fails, the request must be refused by responding with a suitable HTTP Status code.
  • 35.
    Security Recommendations (Overview) â—ŹAdhere to OAuth 2.0 Security Best Current Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) â—Ź TPP authentication and access token replay protection using OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens â—Ź Protection against code injection through Proof Key for Code Exchange â—Ź Protection against CSRF using session-bound state parameter values â—Ź Protection against Mix-Up attacks using session bound ASPSP specific redirect URIs â—Ź Protection against session-fixation type of attacks by utilizing OAuth grant flow as designed
  • 36.
    Q&A! Latest Drafts &Publications OAuth 2.0 Security Best Current Practice https://tools.ietf.org/html/draft-ietf-oauth-security-topics OAuth 2.0 Pushed Authorization Requests (PAR) https://cutt.ly/oauth-transaction-authorization OAuth 2.0 Rich Authorization Requests (RAR) https://openid.net/specs/openid-financial-api-jarm-ID1.html JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) https://tools.ietf.org/html/draft-fett-oauth-dpop Cross-Browser Payment Initiation Attack https://cutt.ly/cross-browser-payment-initation OpenID Connect 4 Identity Assurance https://openid.net/specs/openid-connect-4-identity-assurance.html Dr. Torsten Lodderstedt CTO, yes.com torsten@yes.com @tlodderstedt yes® Talk to me about - Details on OAuth Security Best Practices - The OAuth Security Workshop - Other emerging OAuth & OpenID stuff - Partnering with and working at yes.com
  • 37.
  • 38.
    Mix-Up Attack GET /authorize... ASPSPPISPUser Forward Redirectto ASPSP1 2 ASPSP 1 Redirect to aisp.com/authok?code=42&... GET /authok?code=42&... User gives authorization for account access POST /token, code=42... Attacker learns code!
  • 39.
    Mitigation GET /authorize... Redirect toaisp.com/authok?aspsp=2&code=42&... GET /authok?aspsp=2&code=... ASPSPPISP User gives authorization for account access User Redirect to ASPSP1 2 ASPSP 1 PISP can detect attack here! Mismatch between intended ASPSP (1) and ASPSP identity in the redirect URI (2) 1 Uses unique redirect URI for each ASPSP, e.g., by encoding ASPSP ID into URI parameter. Forward 2