The document provides an overview of OAuth 2.0 authorization framework and discusses common security issues. It begins with introducing the speaker and their background in security. The main topics covered include the history and core elements of OAuth, common grant types and flows, and vulnerabilities like insecure storage of secrets, CSRF attacks during authorization, scope permission issues, and account takeover risks. Best practices for clients and authorization servers to mitigate these threats are also outlined.
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
How to integrate the complex use cases in the hyper-connected world with millions of devices and services.
Bhavna Bhatnagar (VigourSoft Technical Advisor and Industry expert) talks about SAML, OAuth, OpenID and what you need to make your place in the complex scenario this presents
OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Curity, will cram in as much about these two protocols as will fit into 20 minutes.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
OAuth 2.0
Oauth2.0 is an “authorization” framework for web applications. It permits selective access to a user’s resource without disclosing the password to the website which asks for the resource.
Agenda for the session:
What is Oauth 2.0
Oauth 2.0 Terminologies
Oauth workflow
Exploiting Oauth for fun and profit
Reference
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
We know and love our authentication standards for the web, yet on mobile we often still resort to usernames & passwords in our apps.
This presentation explores OpenID Connect (OIDC) and OAuth 2.0 in the context of mobile apps to see how they decouple authentication logic from your app and promote simpler and more flexible patterns for user authentication and API authorization.
This presentation was first given in the London Mobile Security Meetup
https://www.meetup.com/London-Mobile-Developer-Security/
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
How to integrate the complex use cases in the hyper-connected world with millions of devices and services.
Bhavna Bhatnagar (VigourSoft Technical Advisor and Industry expert) talks about SAML, OAuth, OpenID and what you need to make your place in the complex scenario this presents
OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Curity, will cram in as much about these two protocols as will fit into 20 minutes.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
OAuth 2.0
Oauth2.0 is an “authorization” framework for web applications. It permits selective access to a user’s resource without disclosing the password to the website which asks for the resource.
Agenda for the session:
What is Oauth 2.0
Oauth 2.0 Terminologies
Oauth workflow
Exploiting Oauth for fun and profit
Reference
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
We know and love our authentication standards for the web, yet on mobile we often still resort to usernames & passwords in our apps.
This presentation explores OpenID Connect (OIDC) and OAuth 2.0 in the context of mobile apps to see how they decouple authentication logic from your app and promote simpler and more flexible patterns for user authentication and API authorization.
This presentation was first given in the London Mobile Security Meetup
https://www.meetup.com/London-Mobile-Developer-Security/
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
Learn about the basics of OAuth 2.0 and the different OAuth flows in this introductory video. Understand how OAuth works and the various authorization mechanisms involved.
The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to its proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome.
In this deck, we discuss:
- The need for API/Microservices Security
- The importance of delegating security enforcement to an API Gateway
- API Authentication and Authorization methodologies
- OAuth2 - The de-facto standard of API Authentication
- Protection against cyber attacks and anomalies
- Security aspects to consider when designing Single Page Applications (SPAs)
Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in ?
4. How to do stateless Authorization using OAUTH2 & JWT ?
5. Some Sample Code ? How easy is it to implement ?
An introduction to OAuth 2.0 from a Salesforce perspective to establish the foundations of OAuth 2.0. Discusses the key concepts of Authentication and Authorization and distinguishes the two. Also discusses Open ID connect.
The OWASP Top Ten Proactive Controls 2016 is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control #1 being the most important. This presentation is the second part which contains control #5 to #10 in the following controls
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling
Similar to Security for oauth 2.0 - @topavankumarj (20)
Acorn Recovery: Restore IT infra within minutesIP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
f you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Security for oauth 2.0 - @topavankumarj
1. Pavan Kumar J
Security For OAuth 2.0 : How To Handle
Protected Data
An Introduction to OAuth Framework and Security Countermeasures
2. Our Speaker today
● Security Lead at we45.
● Seasoned security professional with over 5 years experience
leading Pen Testing projects.
● Written numerous automation scripts for automating host
environment reconnaissance.
● Specializes in custom security automation solutions.
● Ardent researcher around a host of different subjects (Cloud
Security, OAuth, SSO etc. )
3. Over the next 45 minutes...
● Comprehensive understanding of the OAuth 2.0 authorization
framework.
● Threats/Attacks specific to OAuth 2.0
● Practical demonstration of exploit vectors
● Outline of architectural best practices in OAuth 2.0
4. History of Authentication and Authorization
Authentication Protocol Authorization Framework
Built upon OAuth 2.0
(Identity, Authentication) + OAuth 2.0 = OpenID Connect
5. Erstwhile OAuth….
● Storing of user credentials
● Complete Access to user’s accounts
● Insecure handling of user credentials.
● Users can't revoke access
● Compromised apps expose user's
password
6. Presenting OAuth2.0
● OAuth 2.0 stands for Open Authorization
● Protocol provides simple and secure authorization for
different types of applications
● A way to provide user access without exchange of
credentials
● One of the best method for consumers to interact with
protected data
7. Core Elements of an OAuth Flow
● Resource Owner - User
● Client - Coolmart (an example app)
● Authorization Server - Facebook / Google etc
● Resource Server - Facebook/ Google etc
8. OAuth 2.0 : Abstract Flow
1. Application redirects to Auth server
4. Request Access token using Authorization
code
6. Fetch protected data using Access Token
3. Application gets Authorization code
5. Application gets Access Token
7. Serves Protected data
User
Auth server
Resource Server
2. User Authorize the Request
9. OAuth 2.0 Grant Types
● Authorization Code Grant
● Implicit Grant
● Password Grant
● Client Credentials
10. Authorization Code Grant
1. Application redirects to Auth server
4. Request Access token using Authorization code
6. Fetch protected data using Access Token
3. Application gets Authorization code
5. Application gets Access Token
7. Serves Protected data
User
Auth Server
Resource Server
2. User Authorize the Request
11. Security Perspective : Auth Code Grant
● Two step protocol
● Authorization code is used to obtain access token
and refresh token
● Support for refresh tokens
● Uses Cookies
12. Implicit Grant
1. Application redirects to Auth server
4. Fetch protected data using Access Token
3. Application gets Access token
5. Serves Protected data
User
Auth server
Resource Server
2. User Authorize the Request
13. Security Perspective : Implicit Grant
● Can log into a site WITHOUT storage or knowledge
of client_secret key
● Does not supports refresh tokens
● Access token are returned directly
from authorization request.
● XSS Attacks
14. Resource Owner Password Grant
1. Application asks facebook credentials
5. Fetch protected data using Access Token
4. Application gets Access token
6. Serves Protected data
User
Auth server
Resource Server
2. User provide credentials to the application
3. Application forward credentials
15. Security Perspective : Password Grant
● Suitable for In-House/own
Organization applications
● Not suitable for external clients
● Clients will have user credentials
● Compromised apps expose user's
password
● Insecurely handle the credentials
16. Client Credential Grant
5. Fetch protected data using Access Token
4. Application gets Access token
6. Serves Protected data
Auth server
Resource Server
1. Application sends Client credentials
17. Security Perspective : Client Credentials
● Suitable for machine-machine
applications.
● No support for refresh token
● No authorization grant
● Chances of exposing Client
Credentials
20. Authorization Codes not invalidated
Attack Scenario:
● Authorization token must be revoked once it used.
● When user denies access for the application, with access token authorization codes must be revoke
https://clients.amazonworkspaces.com/webclient?auth_code=11QXVVW9Fm8qj29VD55kbfawj_14OqAqrbVqs_tzaEtuor4NL_g-K8eS
PW4QtCVRb_pKi7eELFJndQ0LBDaJrhgP2q65lJJQMhVRQg6sBwTu83Z6AKj9Vm7vCE4P2lnvrSLUba6ZAhVYo6QZ4I5O7WGajMslI98IcMy
Bk-tZHreaIgGaE52XVXB4VPQPFoIRuSfh1OyYlgF0OIy0JpywU®istrationCode=SLiad+RN58HY&errorHandlerUrl=aHR0cHM6Ly9sb2d
pbi5kYWFzLnVtdWMuZWR1LyMvV29ya3NwYWNlSWQ9d3MtMTl3Z3F4NnQxLw==#/main
23. Mitigation Strategy
● Do not accept used Authorization codes
● Client websites must never send authorization code in the referral header
● Ensure that pages containing sensitive information are only visible post authentication. .
○ Ensure that authenticated functionality is not cached using Cache Control
○ Consider implementing a robots.txt file to ensure that Search engines do not index and
cache sensitive pages
26. Mitigation Strategy
● Developers must consider the scope of grant given to different client website types while
setting up the authorization server.
● Client website MUST explain the scope of permissions it is asking of the user
28. Account Takeover using CSRF
Attacker
User
2. Sign-In with facebook1.Createsdummyacount
3 . Redirects to facebook
4.Getsauthorizationcode
5. Craft and Sends CSRF forged
request
6 . Clicks on Forged request
7 . Attacker FB connected to victim coolmart account
29. Mitigation Strategy
● OAuth 2.0 provides security against such attacks through the state parameter. It acts like a
CSRF token.
● Client websites must be sure to send a state parameter and handle requests
● Authorization servers must issue proper guidelines for generating and handling CSRF
tokens.
31. Stealing OAuth Tokens
● The attacker owns his website, www.attacker.com.
● After grabbing the victim's authorization URI, the attacker replaces the "redirect_uri" param to
"www.attacker.com".
● Then, After successful authentication, oauth-server redirects back to attacker URL, with the auth code.
● Using the code attacker can easily gets access token.
40. Mitigation Strategy
Configuring X-Frame-Options header
• DENY - Cannot be displayed in a frame.
• SAMEORIGIN - Only be displayed in a frame on the same origin
• ALLOW-FROM - Only be displayed in a frame on the specified origins
41. Best Practices - Client Applications
● Use secure communication channels
● Do not authorization code more than once
● Implement CSRF protection for its redirection URI
● Implement appropriate countermeasures against open redirection
42. Best Practices - Auth/Resource Server
● Do not accept used Authorization codes
● Never whitelist entire domains
● Validate client redirect URIs against pre-registered URIs
● Implement CSRF protection for its authorization endpoint
● Authorization server should redirects back to the client with "state" parameter.
