Cory Forsyth, profile picture
Uploaded byCory Forsyth
PDF, PPTX669 views

OAuth 2.0 Misconceptions

This document discusses common misconceptions about OAuth 2.0. It clarifies that while OAuth 2.0 is an authorization framework, it does not directly provide authentication. It also explains differences between access tokens and refresh tokens, and notes that bearer tokens issued to different clients are not equal. Additionally, it clarifies the differences between authorization code flow and implicit grant flow.

Embed presentation

Download as PDF, PPTX
Misconceptions of OAuth 2.0
Cory Forsyth @bantic
201 Created Consultants in NewYork City
Logan, UT
“A set of clean abstractions for authentication in Ember.js”
OAuth a short intro
OAuth 1.0 & 2.0 • A delegated authorization protocol/framework • Canonical example: • User wants to print photos • Photos are stored at my-pix.com • User grants authorization to print-me.com to access photos at my-pix.com • Solves the “share my password” anti-pattern
OAuth • 1.0: • Uses cryptographic signatures, server-to-server communication • 2.0: • Includes “implicit grant” (front-end only) flow • Includes “authorization code grant” flow • No signatures (encrypted https communication only) • Both: • browser-centric redirection-based flows
OAuth • 1.0: • A protocol • 2.0: • “Simpler” • Less secure? • A framework
OAuth Love Triangle Resource Owner (user) Resource / Authorization Server (my-pix.com) Client (print-me.com) visits1 directs browser to2 consent screen 3 redirects to, with authz in url 4
OAuth Love Triangle User e.g. Google+ your ember app visits1 opens popup to2 consent screen 3 redirects to, with authz in url 4
OAuth 1 & 2 Terminology • Resource Owner / User • Human, likes taking and printing pictures • Client / Consumer • E.g., print-me.com • For most people in this room: You code OAuth clients • Server / Service Provider • E.g., my-pix.com (and Google+, Facebook, Github, etc.)
OAuth Clients • Can be confidential or public • Public clients include: • JavaScript that runs in the browser • Native Apps (could be decompiled) • Must be registered with a provider — provider issues client_id, client_secret
OAuth 2 Flows • Authorization Code Grant • Implicit Grant • 2 others, less important
OAuth 2 Flows • Client crafts URL pointing at provider, redirects browser to it • e.g. https://accounts.google.com/o/oauth2/auth?
 client_id=xyz&
 redirect_uri=my-pix.com/callback&
 response_type=code or token&
 scope=email&
 …=…
OAuth 2 Flows • Server / Provider authenticates user • Obtains authorization consent • Redirects back to redirect_uri with code, e.g.
 http://my-pix.com/callback?
 code=abc123
Authorization Code Grant • Client redirects to provider endpoint with client_id, redirect_uri, token_type=code, scope, etc, query params • Provider authenticates user, obtains authorization consent, redirects to redirect_uri with code=abc123 query param • Client POSTs to provider with client_id, grant_type=authorization_code, code=abc123, redirect_uri • Provider responds to client with access_token
Implicit Grant • Client redirects to provider endpoint with client_id, redirect_uri, token_type=token, scope, etc, query params • Provider authenticates user, obtains authorization consent, redirects to redirect_uri with access_token=abc123 hash fragment • e.g. print-me.com/callback#access_token=abc123
Misunderstanding #1 Access vs Bearer Tokens
• Clients use access tokens to make requests of providers for protected resources (on behalf of users) • Clients present “bearer” access tokens as query parameters, headers (“Authorization: Bearer xyz”), or form parameters Access vs Bearer Tokens
Access vs Bearer Tokens • Access Tokens are almost always Bearer Tokens • Providers include “token_type” when issuing tokens • “bearer” is a token_type (there is also “mac”) • Called “Bearer” because the Provider will allow any request with the token present (whoever holds/“bears” the token has access)
Misunderstanding #2 All Bearer Tokens are Created Equal Client X gets token via authorization code grant Client X gets token via implicit grant Client Y gets token via authorization code grant Client Y gets token via implicit grant Same user, provider, scope, token is not expired. Spot the difference:
Misunderstanding #2 All Bearer Tokens are Created Equal • Access tokens are opaque to client • Client cannot tell: • What client the token was issued for • When the token expires • If the token is valid
Misunderstanding #3 Refresh Tokens “refresh” nothing • What is a refresh token? • Optionally issued by OAuth provider in certain scenarios: • when requested with “scope” • in Authorization Code Grant (server-side) flow • Becaus: Clients cannot know when access token is invalid
Misunderstanding #3 Refresh Tokens “refresh” nothing • “You cannot refresh an implicit grant token” • “You can only refresh an access token from Authorization Code grant”
Misunderstanding #3 Refresh Tokens “refresh” nothing • “You cannot refresh an implicit grant token” • “You can only refresh an access token from Authorization Code grant”
Misunderstanding #3 Refresh Tokens “refresh” nothing
Misunderstanding #4 OAuth does not do authentication • authentication: Who are you? • authorization: What are you allowed to do? • OAuth 2.0: An Authorization Framework
Misunderstanding #4 OAuth does not do authentication Naive OAuth Authentication: • Get access token via implicit grant (request ‘email’ scope) • Use access token to read email from OAuth provider (i.e. `GET /me?access_token=XYZ`) • Use the email to find user in your database, log them in •After all, if the access token provides that email, that’s who they are, right?
Misunderstanding #4 OAuth does not do authentication • Remember, access token is opaque to client • Client cannot tell: • who that token was issued for • when that token was issued • Simple to intercept redirect, inject another access token
Misunderstanding #4 OAuth does not do authentication • What does work? • authorization code flow (server-side) with ‘state’ param: • ensures access token is “fresh”, for this client • OpenID Connect • Builds upon OAuth, uses JWT • Allow in-browser verification of token integrity, audience, identity
Misunderstanding #4 OAuth does not do authentication
Thanks Cory Forsyth @bantic Links • Torii: https://github.com/vestorly/torii • OAuth 2 explanation • More curated links Image Credits • https://twitter.com/old_sound/status/670412302135500803/photo/1

More Related Content

PDF
OAuth 2.0
byUwe Friedrichsen
 
PPTX
OAuth [noddyCha]
bynoddycha
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PPTX
OAuth
byMohan Kumar Tadikimalla
 
PPTX
OAuth2 & OpenID Connect
byMarcin Wolnik
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
Securing APIs with OAuth 2.0
byKai Hofstetter
 
PPTX
Oauth 2.0 security
byvinoth kumar
 
OAuth 2.0
byUwe Friedrichsen
 
OAuth [noddyCha]
bynoddycha
 
OAuth2 + API Security
byAmila Paranawithana
 
OAuth
byMohan Kumar Tadikimalla
 
OAuth2 & OpenID Connect
byMarcin Wolnik
 
Demystifying OAuth 2.0
byKarl McGuinness
 
Securing APIs with OAuth 2.0
byKai Hofstetter
 
Oauth 2.0 security
byvinoth kumar
 

What's hot

PDF
OAuth - Open API Authentication
byleahculver
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
PDF
Implementing OAuth
byleahculver
 
PDF
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PDF
Introduction to OAuth2.0
byOracle Corporation
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
OAuth2 primer
byManish Pandit
 
ODP
OAuth2 - Introduction
byKnoldus Inc.
 
PPTX
An Introduction to OAuth2
byAaron Parecki
 
PDF
Spring security oauth2
byaxykim00
 
PPT
Silicon Valley Code Camp 2009: OAuth: What, Why and How
byManish Pandit
 
PDF
Building an API Security Ecosystem
byPrabath Siriwardena
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PPTX
(1) OAuth 2.0 Overview
byanikristo
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PPTX
TLDR - OAuth
byAndy March
 
PPTX
OAuth and Open-id
byParisa Moosavinezhad
 
PPTX
Securing Single Page Applications with Token Based Authentication
byStefan Achtsnit
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
OAuth - Open API Authentication
byleahculver
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
Implementing OAuth
byleahculver
 
Protecting web APIs with OAuth 2.0
byVladimir Dzhuvinov
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
Introduction to OAuth2.0
byOracle Corporation
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
OAuth2 primer
byManish Pandit
 
OAuth2 - Introduction
byKnoldus Inc.
 
An Introduction to OAuth2
byAaron Parecki
 
Spring security oauth2
byaxykim00
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
byManish Pandit
 
Building an API Security Ecosystem
byPrabath Siriwardena
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
(1) OAuth 2.0 Overview
byanikristo
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
TLDR - OAuth
byAndy March
 
OAuth and Open-id
byParisa Moosavinezhad
 
Securing Single Page Applications with Token Based Authentication
byStefan Achtsnit
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 

Viewers also liked

PDF
Chrome Extensions at Manhattan JS
byCory Forsyth
 
PDF
Making ember-wormhole work with Fastboot
byCory Forsyth
 
KEY
APIs: Internet for Robots
byCory Forsyth
 
PDF
Stackup New Languages Talk: Ember is for Everybody
byCory Forsyth
 
PDF
Microsoft tech talk march 28 2014
byCory Forsyth
 
PDF
EmberFest Mobiledoc Demo Lightning Talk
byCory Forsyth
 
PDF
Torii: Ember.js Authentication Library
byCory Forsyth
 
PDF
Ember testing internals with ember cli
byCory Forsyth
 
PDF
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
byCory Forsyth
 
PPTX
Introduction to HTTP/2
byIdo Flatow
 
PDF
What HTTP/2.0 Will Do For You
byMark Nottingham
 
Chrome Extensions at Manhattan JS
byCory Forsyth
 
Making ember-wormhole work with Fastboot
byCory Forsyth
 
APIs: Internet for Robots
byCory Forsyth
 
Stackup New Languages Talk: Ember is for Everybody
byCory Forsyth
 
Microsoft tech talk march 28 2014
byCory Forsyth
 
EmberFest Mobiledoc Demo Lightning Talk
byCory Forsyth
 
Torii: Ember.js Authentication Library
byCory Forsyth
 
Ember testing internals with ember cli
byCory Forsyth
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
byCory Forsyth
 
Introduction to HTTP/2
byIdo Flatow
 
What HTTP/2.0 Will Do For You
byMark Nottingham
 

Similar to OAuth 2.0 Misconceptions

PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
PDF
Full stack security
byDPC Consulting Ltd
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PPTX
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
PDF
OAuth2
bySPARK MEDIA
 
PDF
Keeping Pace with OAuth’s Evolving Security Practices.pdf
bySirris
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PDF
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
PPTX
OAuth2 Introduction
byArpit Suthar
 
KEY
OAuth Android Göteborg
bydanieloskarsson
 
PPTX
OAuth
byTom Elrod
 
PDF
Securing the API Economy: Leveraging OAuth 2.0 for Safe Digitization - LoginR...
byKevin Mathew
 
PDF
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
PPTX
O auth
byAshok Kumar N
 
PPTX
OAuth 2
byChrisWood262
 
PDF
OAuth Base Camp
byOliver Pfaff
 
PPTX
Y U No OAuth?!?
byJason Robert
 
PPTX
OAuth 2 Spring Boot 3 Integration Presentation
byKnoldus Inc.
 
PDF
Oauth2.0 tutorial
byHarikaReddy115
 
PDF
RFC6749 et alia 20130504
byMattias Jidhage
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
Full stack security
byDPC Consulting Ltd
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
OAuth2 Implementation Presentation (Java)
byKnoldus Inc.
 
OAuth2
bySPARK MEDIA
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
bySirris
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
OAuth2 Introduction
byArpit Suthar
 
OAuth Android Göteborg
bydanieloskarsson
 
OAuth
byTom Elrod
 
Securing the API Economy: Leveraging OAuth 2.0 for Safe Digitization - LoginR...
byKevin Mathew
 
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
O auth
byAshok Kumar N
 
OAuth 2
byChrisWood262
 
OAuth Base Camp
byOliver Pfaff
 
Y U No OAuth?!?
byJason Robert
 
OAuth 2 Spring Boot 3 Integration Presentation
byKnoldus Inc.
 
Oauth2.0 tutorial
byHarikaReddy115
 
RFC6749 et alia 20130504
byMattias Jidhage
 

OAuth 2.0 Misconceptions

  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
    “A set ofclean abstractions for authentication in Ember.js”
  • 6.
  • 7.
    OAuth 1.0 &2.0 • A delegated authorization protocol/framework • Canonical example: • User wants to print photos • Photos are stored at my-pix.com • User grants authorization to print-me.com to access photos at my-pix.com • Solves the “share my password” anti-pattern
  • 8.
    OAuth • 1.0: • Usescryptographic signatures, server-to-server communication • 2.0: • Includes “implicit grant” (front-end only) flow • Includes “authorization code grant” flow • No signatures (encrypted https communication only) • Both: • browser-centric redirection-based flows
  • 9.
    OAuth • 1.0: • Aprotocol • 2.0: • “Simpler” • Less secure? • A framework
  • 10.
    OAuth Love Triangle ResourceOwner (user) Resource / Authorization Server (my-pix.com) Client (print-me.com) visits1 directs browser to2 consent screen 3 redirects to, with authz in url 4
  • 11.
    OAuth Love Triangle Usere.g. Google+ your ember app visits1 opens popup to2 consent screen 3 redirects to, with authz in url 4
  • 12.
    OAuth 1 &2 Terminology • Resource Owner / User • Human, likes taking and printing pictures • Client / Consumer • E.g., print-me.com • For most people in this room: You code OAuth clients • Server / Service Provider • E.g., my-pix.com (and Google+, Facebook, Github, etc.)
  • 13.
    OAuth Clients • Canbe confidential or public • Public clients include: • JavaScript that runs in the browser • Native Apps (could be decompiled) • Must be registered with a provider — provider issues client_id, client_secret
  • 14.
    OAuth 2 Flows •Authorization Code Grant • Implicit Grant • 2 others, less important
  • 15.
    OAuth 2 Flows •Client crafts URL pointing at provider, redirects browser to it • e.g. https://accounts.google.com/o/oauth2/auth?
 client_id=xyz&
 redirect_uri=my-pix.com/callback&
 response_type=code or token&
 scope=email&
 …=…
  • 16.
    OAuth 2 Flows •Server / Provider authenticates user • Obtains authorization consent • Redirects back to redirect_uri with code, e.g.
 http://my-pix.com/callback?
 code=abc123
  • 17.
    Authorization Code Grant •Client redirects to provider endpoint with client_id, redirect_uri, token_type=code, scope, etc, query params • Provider authenticates user, obtains authorization consent, redirects to redirect_uri with code=abc123 query param • Client POSTs to provider with client_id, grant_type=authorization_code, code=abc123, redirect_uri • Provider responds to client with access_token
  • 18.
    Implicit Grant • Clientredirects to provider endpoint with client_id, redirect_uri, token_type=token, scope, etc, query params • Provider authenticates user, obtains authorization consent, redirects to redirect_uri with access_token=abc123 hash fragment • e.g. print-me.com/callback#access_token=abc123
  • 19.
  • 20.
    • Clients useaccess tokens to make requests of providers for protected resources (on behalf of users) • Clients present “bearer” access tokens as query parameters, headers (“Authorization: Bearer xyz”), or form parameters Access vs Bearer Tokens
  • 21.
    Access vs BearerTokens • Access Tokens are almost always Bearer Tokens • Providers include “token_type” when issuing tokens • “bearer” is a token_type (there is also “mac”) • Called “Bearer” because the Provider will allow any request with the token present (whoever holds/“bears” the token has access)
  • 22.
    Misunderstanding #2 All BearerTokens are Created Equal Client X gets token via authorization code grant Client X gets token via implicit grant Client Y gets token via authorization code grant Client Y gets token via implicit grant Same user, provider, scope, token is not expired. Spot the difference:
  • 23.
    Misunderstanding #2 All BearerTokens are Created Equal • Access tokens are opaque to client • Client cannot tell: • What client the token was issued for • When the token expires • If the token is valid
  • 24.
    Misunderstanding #3 Refresh Tokens“refresh” nothing • What is a refresh token? • Optionally issued by OAuth provider in certain scenarios: • when requested with “scope” • in Authorization Code Grant (server-side) flow • Becaus: Clients cannot know when access token is invalid
  • 25.
    Misunderstanding #3 Refresh Tokens“refresh” nothing • “You cannot refresh an implicit grant token” • “You can only refresh an access token from Authorization Code grant”
  • 26.
    Misunderstanding #3 Refresh Tokens“refresh” nothing • “You cannot refresh an implicit grant token” • “You can only refresh an access token from Authorization Code grant”
  • 27.
  • 28.
    Misunderstanding #4 OAuth doesnot do authentication • authentication: Who are you? • authorization: What are you allowed to do? • OAuth 2.0: An Authorization Framework
  • 29.
    Misunderstanding #4 OAuth doesnot do authentication Naive OAuth Authentication: • Get access token via implicit grant (request ‘email’ scope) • Use access token to read email from OAuth provider (i.e. `GET /me?access_token=XYZ`) • Use the email to find user in your database, log them in •After all, if the access token provides that email, that’s who they are, right?
  • 30.
    Misunderstanding #4 OAuth doesnot do authentication • Remember, access token is opaque to client • Client cannot tell: • who that token was issued for • when that token was issued • Simple to intercept redirect, inject another access token
  • 31.
    Misunderstanding #4 OAuth doesnot do authentication • What does work? • authorization code flow (server-side) with ‘state’ param: • ensures access token is “fresh”, for this client • OpenID Connect • Builds upon OAuth, uses JWT • Allow in-browser verification of token integrity, audience, identity
  • 32.
    Misunderstanding #4 OAuth doesnot do authentication
  • 33.
    Thanks Cory Forsyth @bantic Links • Torii:https://github.com/vestorly/torii • OAuth 2 explanation • More curated links Image Credits • https://twitter.com/old_sound/status/670412302135500803/photo/1