SB
Uploaded byScott Brady
PPTX, PDF446 views

Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)

The document discusses secure authorization for devices using the OAuth device flow, addressing problems like delegating application access for browserless and input-constrained devices. It outlines the protocol for device authorization and user interaction, emphasizing the importance of user security and privacy. Additionally, it highlights the implementation of OAuth device flow in IdentityServer and its potential applications in various contexts, such as public printers and smart devices.

Embed presentation

Download to read offline
Secure Authorization for your Printer – The OAuth Device Flow Scott Brady @scottbrady91 – Rock Solid Knowledge #devsum18
Introductions • Identity & Access Control Lead @ Rock Solid Knowledge • Commercial side of the IdentityServer OSS project • AdminUI • SAML2P & WS-Federation • IdentityServer European Partner • Development, consultancy, support, and training • Helps fund the IdentityServer project @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Problem • SOLVED: Delegating an application access to protected resources on behalf of user (OAuth 2.0) • SOLVED: Verifying the identity of the resource owner who delegated access (OpenID Connect 1.0) • How to delegate access to: • Browserless devices • Input constrained devices @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Browserless Devices • Smart TVs • Internet of Things • Printers • Fridges • Sensors @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Input Constrained Devices @scottbrady91 – Rock Solid Knowledge (identityserver.com)
User Client Protected Resource Authorization Server Authorization Request Authorization Grant Authorization Grant Access Token Request Protected Resource Trust Authentication @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Resource Owner Password Credentials? @scottbrady91 – Rock Solid Knowledge (identityserver.com) POST /token grant_type=password &client_id=oauth_client &username=scott &password=Password123! { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600 }
Resource Owner Password Credentials? • No browser necessary • Impersonation • No scoped access • Exposes user credentials to device • Breaks when we add phishing resistant credentials • No federation (unless using “benevolent phishing”) @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Solution The OAuth Device Flow • Uses an external browser to bridge the gap • (your smartphone) • User authentication external to the device • Currently in draft 9: • datatracker.ietf.org/doc/draft-ietf-oauth-device-flow • Already in use by Google • Similar implementations available, but now there’s a spec! @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Demo! @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Device User Secondary Device Authorization Server
The Protocol Device Authorization (Request) POST /device_authorization HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded client_id=459691054427 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol Device Authorization (Response) { "device_code": "GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8", "verification_uri": "https://www.example.com/device", "user_code": "WDJB-MJHT", "verification_uri_complete": "https://www.example.com/device?user_code=WDJB-MJHT", "expires_in": 1800, "interval": 5 } @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol User Interaction +-----------------------------------------------+ | | | Using a browser on another device, visit: | | https://example.com/device | | | | And enter the code: | | WDJB-MJHT | | | +-----------------------------------------------+ @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol User Interaction @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol Token Request POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:device_code &device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8 &client_id=459691054427 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
The Protocol Token Request { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, } @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Extras • OpenID Connect • Refresh tokens @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Proof of Concept Code @scottbrady91 – Rock Solid Knowledge (identityserver.com)
IdentityServer4 & Device Flow • Open Source (part of the core repository) • Hopefully available in v2.next • Consent page may have to come later… • Otherwise v3 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
@scottbrady91 – Rock Solid Knowledge (identityserver.com) IdentityServer4 & Device Flow
Security Considerations User Codes • Shorter codes are better for the user • Longer codes are better for security • Numeric is better for the user • Alphanumeric is better for security • What’s the worst that could happen? • Breach of privacy • Something embarrassing… @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Security Considerations User Interaction • Phishing for credentials • Phishing for tokens @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Further Use Cases • Public printers • Bringing strong authentication to native devices • Screenless devices • Virtual assistants? • Device Pairing @scottbrady91 – Rock Solid Knowledge (identityserver.com)
Don’t forget to evaluate this session in the DevSum app! @scottbrady91 – Rock Solid Knowledge #devsum18 Thanks! @scottbrady91 www.identityserver.com

More Related Content

PPTX
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
byScott Brady
 
PPTX
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
byScott Brady
 
PPTX
Microservices Manchester: Authentication in Microservice Systems by David Borsos
byOpenCredo
 
PDF
muCon 2016: Authentication in Microservice Systems By David Borsos
byOpenCredo
 
PDF
Getting Started in Blockchain Security and Smart Contract Auditing
byBeau Bullock
 
PDF
Authorization and Authentication in Microservice Environments
byLeanIX GmbH
 
PDF
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
byOpenCredo
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
byVMware Tanzu
 
Authorization for the IoT: The OAuth Device Flow (European Identity & Cloud C...
byScott Brady
 
Modern Authentication with OpenID Connect and IdentityServer 4 (umBristol - J...
byScott Brady
 
Microservices Manchester: Authentication in Microservice Systems by David Borsos
byOpenCredo
 
muCon 2016: Authentication in Microservice Systems By David Borsos
byOpenCredo
 
Getting Started in Blockchain Security and Smart Contract Auditing
byBeau Bullock
 
Authorization and Authentication in Microservice Environments
byLeanIX GmbH
 
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
byOpenCredo
 
An Authentication and Authorization Architecture for a Microservices World
byVMware Tanzu
 

What's hot

PDF
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
bySecuRing
 
PDF
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
bySecuRing
 
PPTX
Internet of Things Security & Privacy
byChris Adriaensen
 
PPTX
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
byAltoros
 
PPTX
JWTs and JOSE in a flash
byEvan J Johnson (Not a CISSP)
 
PPTX
Code signing and trust
byJapneet Singh
 
PPTX
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
byFIWARE
 
PDF
FIWARE Wednesday Webinars - How to Secure IoT Devices
byFIWARE
 
PDF
FIWARE Training: API Umbrella
byFIWARE
 
PPTX
Security and privacy with blockchain
byCeline George
 
PDF
Privacy-preserving techniques using zero knowledge proof in public Ethereum
byNagib Aouini
 
PPT
An Introduction to OpenID
byMax Manders
 
PDF
Blockchain a-new-disruption-in-financial-servies - IBM
byDiego Alberto Tamayo
 
PDF
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
byMikeLeszcz
 
PDF
Authentication in microservice systems
byDavid Borsos
 
PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
PPTX
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
byHorea Porutiu
 
PDF
ICO and Cyber security - How to protect from hackers during ICOs
byNagib Aouini
 
PDF
Bitcoin, the Blockchain, and Open Source
byAll Things Open
 
PPTX
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
byLaurentiu Meirosu
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
bySecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
bySecuRing
 
Internet of Things Security & Privacy
byChris Adriaensen
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
byAltoros
 
JWTs and JOSE in a flash
byEvan J Johnson (Not a CISSP)
 
Code signing and trust
byJapneet Singh
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
byFIWARE
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
byFIWARE
 
FIWARE Training: API Umbrella
byFIWARE
 
Security and privacy with blockchain
byCeline George
 
Privacy-preserving techniques using zero knowledge proof in public Ethereum
byNagib Aouini
 
An Introduction to OpenID
byMax Manders
 
Blockchain a-new-disruption-in-financial-servies - IBM
byDiego Alberto Tamayo
 
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
byMikeLeszcz
 
Authentication in microservice systems
byDavid Borsos
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
byHorea Porutiu
 
ICO and Cyber security - How to protect from hackers during ICOs
byNagib Aouini
 
Bitcoin, the Blockchain, and Open Source
byAll Things Open
 
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
byLaurentiu Meirosu
 

Similar to Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)

PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
PDF
OAuth Base Camp
byOliver Pfaff
 
PDF
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PPTX
Securing APIs with oAuth2
byMichae Blakeney
 
PDF
Beyond API Authorization
byJared Hanson
 
PDF
1000 ways to die in mobile oauth
byPriyanka Aash
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PDF
JavaOne 2014 - Securing RESTful Resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
IoT Wonderland: Understanding the Magic of OAuth2 Device Registration Flow
byForgeRock
 
PPTX
OAuth2 para desarrolladores
byLuis Ruiz Pavón
 
PDF
RFC6749 et alia 20130504
byMattias Jidhage
 
PPTX
CIS 2012 - Going Mobile with PingFederate and OAuth 2
byscotttomilson
 
PDF
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
byVladimir Bychkov
 
PDF
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
PDF
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
PDF
OAuth2
bySPARK MEDIA
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
OAuth Base Camp
byOliver Pfaff
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
Demystifying OAuth 2.0
byKarl McGuinness
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
Securing APIs with oAuth2
byMichae Blakeney
 
Beyond API Authorization
byJared Hanson
 
1000 ways to die in mobile oauth
byPriyanka Aash
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
byRodrigo Cândido da Silva
 
IoT Wonderland: Understanding the Magic of OAuth2 Device Registration Flow
byForgeRock
 
OAuth2 para desarrolladores
byLuis Ruiz Pavón
 
RFC6749 et alia 20130504
byMattias Jidhage
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
byscotttomilson
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
byVladimir Bychkov
 
iMasters Intercon 2016 - Identity within Microservices
byErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
byiMasters
 
OAuth2
bySPARK MEDIA
 
OAuth2 + API Security
byAmila Paranawithana
 

Recently uploaded

PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 

Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)

  • 1.
    Secure Authorization foryour Printer – The OAuth Device Flow Scott Brady @scottbrady91 – Rock Solid Knowledge #devsum18
  • 2.
    Introductions • Identity &Access Control Lead @ Rock Solid Knowledge • Commercial side of the IdentityServer OSS project • AdminUI • SAML2P & WS-Federation • IdentityServer European Partner • Development, consultancy, support, and training • Helps fund the IdentityServer project @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 3.
    The Problem • SOLVED:Delegating an application access to protected resources on behalf of user (OAuth 2.0) • SOLVED: Verifying the identity of the resource owner who delegated access (OpenID Connect 1.0) • How to delegate access to: • Browserless devices • Input constrained devices @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 4.
    Browserless Devices • SmartTVs • Internet of Things • Printers • Fridges • Sensors @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 5.
    Input Constrained Devices @scottbrady91– Rock Solid Knowledge (identityserver.com)
  • 6.
  • 7.
    Resource Owner PasswordCredentials? @scottbrady91 – Rock Solid Knowledge (identityserver.com) POST /token grant_type=password &client_id=oauth_client &username=scott &password=Password123! { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600 }
  • 8.
    Resource Owner PasswordCredentials? • No browser necessary • Impersonation • No scoped access • Exposes user credentials to device • Breaks when we add phishing resistant credentials • No federation (unless using “benevolent phishing”) @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 9.
    Solution The OAuth DeviceFlow • Uses an external browser to bridge the gap • (your smartphone) • User authentication external to the device • Currently in draft 9: • datatracker.ietf.org/doc/draft-ietf-oauth-device-flow • Already in use by Google • Similar implementations available, but now there’s a spec! @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 10.
    Demo! @scottbrady91 – RockSolid Knowledge (identityserver.com)
  • 11.
  • 12.
    The Protocol Device Authorization(Request) POST /device_authorization HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded client_id=459691054427 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 13.
    The Protocol Device Authorization(Response) { "device_code": "GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8", "verification_uri": "https://www.example.com/device", "user_code": "WDJB-MJHT", "verification_uri_complete": "https://www.example.com/device?user_code=WDJB-MJHT", "expires_in": 1800, "interval": 5 } @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 14.
    The Protocol User Interaction +-----------------------------------------------+ || | Using a browser on another device, visit: | | https://example.com/device | | | | And enter the code: | | WDJB-MJHT | | | +-----------------------------------------------+ @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 15.
    The Protocol User Interaction @scottbrady91– Rock Solid Knowledge (identityserver.com)
  • 16.
    The Protocol Token Request POST/token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:device_code &device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8 &client_id=459691054427 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 17.
  • 18.
    Extras • OpenID Connect •Refresh tokens @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 19.
    Proof of ConceptCode @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 20.
    IdentityServer4 & DeviceFlow • Open Source (part of the core repository) • Hopefully available in v2.next • Consent page may have to come later… • Otherwise v3 @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 21.
    @scottbrady91 – RockSolid Knowledge (identityserver.com) IdentityServer4 & Device Flow
  • 22.
    Security Considerations User Codes •Shorter codes are better for the user • Longer codes are better for security • Numeric is better for the user • Alphanumeric is better for security • What’s the worst that could happen? • Breach of privacy • Something embarrassing… @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 23.
    Security Considerations User Interaction •Phishing for credentials • Phishing for tokens @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 24.
    Further Use Cases •Public printers • Bringing strong authentication to native devices • Screenless devices • Virtual assistants? • Device Pairing @scottbrady91 – Rock Solid Knowledge (identityserver.com)
  • 25.
    Don’t forget toevaluate this session in the DevSum app! @scottbrady91 – Rock Solid Knowledge #devsum18 Thanks! @scottbrady91 www.identityserver.com