SlideShare a Scribd company logo

OAuth 2.0 Threat Landscape

Download as PPTX, PDF
Prabath Siriwardena
Prabath Siriwardena

OAuth 2.0 Threat Landscape - Talk at the RSAConference 2018

Education
1 of 31
SESSION ID: #RSAC Prabath Siriwardena OAUTH 2.0 THREAT LANDSCAPE IDY-W04 Senior Director of Security Architecture WSO2 @prabath
Presenter’s Company Logo – replace or delete on master slide # R S A C
#RSAC OAUTH 2.0 - A QUICK OVERVIEW
Presenter’s Company Logo – replace or delete on master slide # R S A C OAuth 2.0 4
Presenter’s Company Logo – replace or delete on master slide # R S A C Authorization Code Grant Type 5
Presenter’s Company Logo – replace or delete on master slide # R S A C Implicit Grant Type 6
Presenter’s Company Logo – replace or delete on master slide # R S A C Client Credentials Grant Type 7
Presenter’s Company Logo – replace or delete on master slide # R S A C Password Grant Type 8
#RSAC THREATS / MITIGATIONS / BEST PRACTICES
Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Threats) 10
Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Victims) 11 Web / Mobile application users
Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Mitigation / Best Practices) 12 Short-lived authorization code Use state parameter Proof-key-for-code-exchange (PKCE)
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Threats) 13 Attacker may attempt to eavesdrop authorization code/access token/refresh token in transit. Authorization Code Flow Open Redirector OAuth 2.0 native apps can get hold of the authorization code.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Threats) 14 Attacker may attempt a brute force attack to crack the authorization code/access token. Attacker may attempt to steal the authorization code/access token/refresh token stored in the authorization server. IdP Mix-Up / Malicious Endpoint.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Victims) 15 Web/Mobile application users Web/Mobile application owners
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 16 Always on TLS (use TLS 1.2 or later) Address all the TLS level vulnerabilities both at the client, authorization server and the resource server. The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 17 Never store tokens in clear text - but the salted hash. Short-lived tokens. LinkedIn has an expiration of 30 seconds for its authorization codes. The token expiration time would depend on the following parameters. Risk associated with token leakage Duration of the underlying access grant Time required for an attacker to guess or produce a valid token
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 18 One-time authorization code One-time access token (implicit grant type) Use PKCE (proof key for code exchange) to avoid authorization code interception attack. Have S256 as the code challenge method Enforce standard SQL injection countermeasures
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 19 Avoid using the same client_id/client_secret for each instance of a mobile app - rather use the Dynamic Client Registration API to generate a key pair per instance. Most of the time the leakage of authorization code becomes a threat when the attacker is in hold of the client id and client secret. Restrict grant types by client. Most of the authorization servers do support all core grant types. If unrestricted, leakage of client id/client secret gives the attacker the opportunity obtain an access token via client credentials grant type.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 20 Enable client authentication via a much secured manner. JWT client assertions TLS mutual authentication Have a key of size 2048 bits or larger if RSA algorithms are used for the client authentication Have a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 21 White-list callback URLs (redirect_uri) The absolute URL or a regEx pattern IdP-Mixup Use different callback URLs by IdP https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Threats) 22 A malicious resource could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Threats) 23 An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type https://target-app/callback?access_token=<access_token> A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Victims) 24 Web/Mobile application users Web/Mobile application owners
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Mitigations / Best Practices) 25 A malicious resource (an API / Microservice) could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client. An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type https://target-app/callback?access_token=<access_token>
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Mitigations / Best Practices) 26 A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources. To avoid exhausting resources at the server side, enforce throttle limits by user by application. In case an attacker wants to misuse a token - the worst he/she can do is to eats his/her own quota.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Threats) 27 An attacker could export an access token from its originating channel and use somewhere else. A common attack vector for SPAs (Single Page Applications) A major concerns with bearer tokens.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Victims) 28 Web/Mobile application users Web/Mobile application owners
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Mitigations / Best Practices) 29 The use of Token Binding protects access tokens from man-in-the- middle and token export and replay attacks. https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
Presenter’s Company Logo – replace or delete on master slide # R S A C Apply What You Have Learned Today! 30 Review and test current OAuth 2.0 client applications against the threats we discussed – probably build a test suite! Build a security check-list for an OAuth 2.0 Authorization Server, and make sure what you build or what you buy, adheres to it. Be the security champion of your team!
#RSAC THANK YOU!

Recommended

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
Building trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeBuilding trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeajessup
 
IoC with PHP
IoC with PHPIoC with PHP
IoC with PHPChris Weldon
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016Nov Matake
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Ioan Eugen Stan
 
Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1KlaraOrban
 
I Can See Clearly Now - Observing & understanding your Spring applications at...
I Can See Clearly Now - Observing & understanding your Spring applications at...I Can See Clearly Now - Observing & understanding your Spring applications at...
I Can See Clearly Now - Observing & understanding your Spring applications at...Joris Kuipers
 

Recommended

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
Building trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeBuilding trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeajessup
 
IoC with PHP
IoC with PHPIoC with PHP
IoC with PHPChris Weldon
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-OnRavi Yasas
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016Nov Matake
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Ioan Eugen Stan
 
Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1KlaraOrban
 
I Can See Clearly Now - Observing & understanding your Spring applications at...
I Can See Clearly Now - Observing & understanding your Spring applications at...I Can See Clearly Now - Observing & understanding your Spring applications at...
I Can See Clearly Now - Observing & understanding your Spring applications at...Joris Kuipers
 
Tech talk live on new alfresco api
Tech talk live on new alfresco apiTech talk live on new alfresco api
Tech talk live on new alfresco apiAlfresco Software
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITYTubagus Rizky Dharmawan
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...Cisco DevNet
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailPuma Security, LLC
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesVladimir Budilov
 
Apic dc api deep dive
Apic dc api deep dive Apic dc api deep dive
Apic dc api deep dive Cisco DevNet
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_shaHitachi, Ltd. OSS Solution Center.
 
Aci programmability
Aci programmabilityAci programmability
Aci programmabilityCisco DevNet
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinarmarcuschristie
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakCharles Moulliard
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...Nick Maludy
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesPriyanka Aash
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesPrabath Siriwardena
 

More Related Content

What's hot

Tech talk live on new alfresco api
Tech talk live on new alfresco apiTech talk live on new alfresco api
Tech talk live on new alfresco apiAlfresco Software
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...Cisco DevNet
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesVladimir Budilov
 
Apic dc api deep dive
Apic dc api deep dive Apic dc api deep dive
Apic dc api deep dive Cisco DevNet
 
Aci programmability
Aci programmabilityAci programmability
Aci programmabilityCisco DevNet
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinarmarcuschristie
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakCharles Moulliard
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...Nick Maludy
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 

What's hot (20)

Tech talk live on new alfresco api
Tech talk live on new alfresco apiTech talk live on new alfresco api
Tech talk live on new alfresco api
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
 
Apic dc api deep dive
Apic dc api deep dive Apic dc api deep dive
Apic dc api deep dive
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
 
Aci programmability
Aci programmabilityAci programmability
Aci programmability
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & Keycloak
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
 

Similar to OAuth 2.0 Threat Landscape

OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesPriyanka Aash
 
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat LandscapesWSO2
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Bryce Kunz
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellCA API Management
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationpeter lam
 
Top Performance Problems in Distributed Architectures
Top Performance Problems in Distributed ArchitecturesTop Performance Problems in Distributed Architectures
Top Performance Problems in Distributed ArchitecturesAndreas Grabner
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA Technologies
 
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsAdventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsPriyanka Aash
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!Mike Schwartz
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!Priyanka Aash
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...Hitachi, Ltd. OSS Solution Center.
 

Similar to OAuth 2.0 Threat Landscape (20)

OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
 
The Pivot
The PivotThe Pivot
The Pivot
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
 
Top Performance Problems in Distributed Architectures
Top Performance Problems in Distributed ArchitecturesTop Performance Problems in Distributed Architectures
Top Performance Problems in Distributed Architectures
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application Security
 
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsAdventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 

More from Prabath Siriwardena

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application DevelopersPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity ManagementPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesPrabath Siriwardena
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet IdentityPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudPrabath Siriwardena
 

More from Prabath Siriwardena (20)

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Identity is Eating the World!
Identity is Eating the World!Identity is Eating the World!
Identity is Eating the World!
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
GDPR for Identity Architects
GDPR for Identity ArchitectsGDPR for Identity Architects
GDPR for Identity Architects
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access Management
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity Bus
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet Identity
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and Cloud
 
Securing Insecure
Securing InsecureSecuring Insecure
Securing Insecure
 
Evolution of Internet Identity
Evolution of Internet IdentityEvolution of Internet Identity
Evolution of Internet Identity
 
Securing the Insecure
Securing the InsecureSecuring the Insecure
Securing the Insecure
 

Recently uploaded

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPoojaSen20
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 

Recently uploaded (20)

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 

OAuth 2.0 Threat Landscape

  • 1. SESSION ID: #RSAC Prabath Siriwardena OAUTH 2.0 THREAT LANDSCAPE IDY-W04 Senior Director of Security Architecture WSO2 @prabath
  • 2. Presenter’s Company Logo – replace or delete on master slide # R S A C
  • 3. #RSAC OAUTH 2.0 - A QUICK OVERVIEW
  • 4. Presenter’s Company Logo – replace or delete on master slide # R S A C OAuth 2.0 4
  • 5. Presenter’s Company Logo – replace or delete on master slide # R S A C Authorization Code Grant Type 5
  • 6. Presenter’s Company Logo – replace or delete on master slide # R S A C Implicit Grant Type 6
  • 7. Presenter’s Company Logo – replace or delete on master slide # R S A C Client Credentials Grant Type 7
  • 8. Presenter’s Company Logo – replace or delete on master slide # R S A C Password Grant Type 8
  • 9. #RSAC THREATS / MITIGATIONS / BEST PRACTICES
  • 10. Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Threats) 10
  • 11. Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Victims) 11 Web / Mobile application users
  • 12. Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Mitigation / Best Practices) 12 Short-lived authorization code Use state parameter Proof-key-for-code-exchange (PKCE)
  • 13. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Threats) 13 Attacker may attempt to eavesdrop authorization code/access token/refresh token in transit. Authorization Code Flow Open Redirector OAuth 2.0 native apps can get hold of the authorization code.
  • 14. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Threats) 14 Attacker may attempt a brute force attack to crack the authorization code/access token. Attacker may attempt to steal the authorization code/access token/refresh token stored in the authorization server. IdP Mix-Up / Malicious Endpoint.
  • 15. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Victims) 15 Web/Mobile application users Web/Mobile application owners
  • 16. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 16 Always on TLS (use TLS 1.2 or later) Address all the TLS level vulnerabilities both at the client, authorization server and the resource server. The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence.
  • 17. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 17 Never store tokens in clear text - but the salted hash. Short-lived tokens. LinkedIn has an expiration of 30 seconds for its authorization codes. The token expiration time would depend on the following parameters. Risk associated with token leakage Duration of the underlying access grant Time required for an attacker to guess or produce a valid token
  • 18. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 18 One-time authorization code One-time access token (implicit grant type) Use PKCE (proof key for code exchange) to avoid authorization code interception attack. Have S256 as the code challenge method Enforce standard SQL injection countermeasures
  • 19. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 19 Avoid using the same client_id/client_secret for each instance of a mobile app - rather use the Dynamic Client Registration API to generate a key pair per instance. Most of the time the leakage of authorization code becomes a threat when the attacker is in hold of the client id and client secret. Restrict grant types by client. Most of the authorization servers do support all core grant types. If unrestricted, leakage of client id/client secret gives the attacker the opportunity obtain an access token via client credentials grant type.
  • 20. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 20 Enable client authentication via a much secured manner. JWT client assertions TLS mutual authentication Have a key of size 2048 bits or larger if RSA algorithms are used for the client authentication Have a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication
  • 21. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 21 White-list callback URLs (redirect_uri) The absolute URL or a regEx pattern IdP-Mixup Use different callback URLs by IdP https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01
  • 22. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Threats) 22 A malicious resource could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client
  • 23. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Threats) 23 An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type https://target-app/callback?access_token=<access_token> A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources.
  • 24. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Victims) 24 Web/Mobile application users Web/Mobile application owners
  • 25. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Mitigations / Best Practices) 25 A malicious resource (an API / Microservice) could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client. An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type https://target-app/callback?access_token=<access_token>
  • 26. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Mitigations / Best Practices) 26 A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources. To avoid exhausting resources at the server side, enforce throttle limits by user by application. In case an attacker wants to misuse a token - the worst he/she can do is to eats his/her own quota.
  • 27. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Threats) 27 An attacker could export an access token from its originating channel and use somewhere else. A common attack vector for SPAs (Single Page Applications) A major concerns with bearer tokens.
  • 28. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Victims) 28 Web/Mobile application users Web/Mobile application owners
  • 29. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Mitigations / Best Practices) 29 The use of Token Binding protects access tokens from man-in-the- middle and token export and replay attacks. https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
  • 30. Presenter’s Company Logo – replace or delete on master slide # R S A C Apply What You Have Learned Today! 30 Review and test current OAuth 2.0 client applications against the threats we discussed – probably build a test suite! Build a security check-list for an OAuth 2.0 Authorization Server, and make sure what you build or what you buy, adheres to it. Be the security champion of your team!

Editor's Notes

  1. The attacker tries to log into the target website (OAuth 2.0 client) with his account at the corresponding identity provider. The attacker blocks the redirection to the target web site, and captures the authorization code. The target web site never sees the code. The attacker constructs the callback URL for the target site - and lets the victim, clicks on it. The victim logs into the target web site, with the account attached to the attacker - and adds credit card information. The attacker too logs into the target website with his/her valid credentials and uses victim’s credit card to buy goods.