
INTERFACE by apidays - The State of OAuth by Aaron Parecki,

INTERFACE by apidays
The State of OAuth
Aaron Parecki, Author of "OAuth 2.0 Simplified: A Guide to Building OAuth 2.0 Servers"

Published in: Technology

  1. The State of OAuth. Aaron Parecki, Senior Security Architect, Okta. Interface API Days, June 2020
  2. @aaronpk, June 2020. oauth.net/2
  3. The State of OAuth 2.0 (diagram). RFC6749 OAuth Core. Grant types: Authorization Code, Implicit, Password, Client Credentials
  4. (image slide, no text)
  5. The State of OAuth 2.0 (diagram). RFC6749 OAuth Core. Grant types: Authorization Code, Implicit, Password, Client Credentials. RFC6750 Bearer Tokens. Token usage: tokens in HTTP header, tokens in POST form body, tokens in GET query string
  6. (image slide, no text)
  7. Passing Data via the Front Channel (diagram: OAuth Server, OAuth Client). Did they catch it? Did someone else steal it? Is this really from the real OAuth server?
  8. The State of OAuth 2.0 (diagram). Same as slide 5, adding RFC7636 +PKCE to the authorization code grant
  9. The State of OAuth 2.0 (diagram). Same as slide 8, adding RFC8252: PKCE for mobile
  10. The State of OAuth 2.0 (diagram). Same as slide 9, adding Browser App BCP: PKCE for SPAs
  11. (image slide, no text)
  12. (diagram) https://example.com, https://app.example.com, https://auth.example. GET / returns HTML, CSS, etc. POST /token returns an access token. CORS
  13. caniuse.com/cors
  14. (repeat of the slide 10 diagram)
  15. (repeat of the slide 10 diagram)
  16. OAuth 2.0 for Browser-Based Apps
  17. OAuth 2.0 for Browser-Based Apps
  18. The State of OAuth 2.0 (diagram). Same as slide 10, adding Security BCP: PKCE for confidential clients
  19. Password. oauth.net/2/oauth-best-practice
  20. Password. oauth.net/2/oauth-best-practice
      • Added to OAuth to enable migrating applications from HTTP Basic Auth or using a stored password to OAuth
  21. Password
      • Exposes the username and password to the application
      • Even for first-party / trusted clients, this increases the attack surface
      • Trains users that it's okay to enter their password in more than one place
      • Difficult or impossible to extend to support multifactor or passwordless authentication (WebCrypto, WebAuthn)
  22. OAuth 2.0 Security BCP. oauth.net/2/oauth-best-practice
      • All OAuth clients MUST use PKCE with the authorization code flow
      • Password grant MUST NOT be used
      • Use exact string matching for redirect URIs
      • No access tokens in query strings
      • Refresh tokens for public clients must be sender-constrained or one-time use
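The two Security BCP rules on slide 22 that an authorization server can enforce mechanically, PKCE for every authorization-code client and exact-match redirect URIs, as an added Python example (not code from the talk or from any OAuth library). The registered redirect URI and the 32-byte verifier size are constructed assumptions.

```python
import base64
import hashlib
import secrets

# Constructed sample registration; a real AS reads this from its client store.
REGISTERED_REDIRECT_URIS = {"https://client.example.org/cb"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier
    (RFC 7636 allows 43 to 128 characters)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: the S256 challenge sent in the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, code_verifier: str) -> bool:
    """AS side, at the token endpoint: recompute S256 over the verifier that
    arrives with the authorization code and compare it in constant time
    with the challenge stored when the code was issued."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return secrets.compare_digest(stored_challenge, make_code_challenge(code_verifier))


def redirect_uri_allowed(requested: str) -> bool:
    """AS side: exact string comparison against the registered set; no
    prefix, wildcard or case-insensitive matching."""
    return requested in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print("verifier accepted:", verify_pkce(challenge, verifier))
```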
  23. In-Progress Work
      • JWT Profile for Access Tokens
      • DPoP (Proof of Possession)
  24. JWT Profile for Access Tokens. oauth.net/2/jwt-access-tokens
        eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiO
        iJodHRwczovL2F1dGhvcml6YXRpb24tc2VydmVyLmV4YW1
        wbGUuY29tLyIsInN1YiI6IiA1YmE1NTJkNjciLCJhdWQiO
        iJodHRwczovL3JzLmV4YW1wbGUuY29tLyIsImV4cCI6MTU
        5MzQ4NjY0OCwiY2xpZW50X2lkIjoiczZCaGRSa3F0M18iL
        CJzY29wZSI6Im9wZW5pZCBwcm9maWxlIHJlYWRlbWFpbCI
        sImp0aSI6IjAxODEwMmE1LTkzYmQtNDE0OC05ODI2LThlY
        TE3NTBjMjMyNiIsImlhdCI6MTU5MzQ4MzA0OH0.lWWmEU2
        kxTtlwu5TOTkXa7e7ZUNd0WbKtsef7EuJyB8
  25. JWT Profile for Access Tokens. oauth.net/2/jwt-access-tokens
        {"typ":"at+JWT","alg":"RS256","kid":"RjEwOwOA"}
        {
          "iss": "https://authorization-server.example.com/",
          "sub": " 5ba552d67",
          "aud": "https://rs.example.com/",
          "exp": 1544645174,
          "client_id": "s6BhdRkqt3_",
          "scope": "openid profile reademail"
        }
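Minting and validating an access token with the header and claims shown on slide 25, as an added Python example (not code from the talk or from any library). HS256 with a constructed shared secret stands in for the slide's RS256 so it runs offline; the validation steps a resource server performs are the same. The secret, key id and audience are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-secret-do-not-reuse"          # constructed
ISSUER = "https://authorization-server.example.com/"       # from the slide
MY_AUDIENCE = "https://rs.example.com/"                    # from the slide


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(sub, client_id, scope, now, typ="at+JWT"):
    """AS side. typ=at+JWT marks the JWT as an access token so a resource
    server cannot be handed an ID token (typ=JWT) in its place."""
    header = {"typ": typ, "alg": "HS256", "kid": "demo-key"}
    claims = {"iss": ISSUER, "sub": sub, "aud": MY_AUDIENCE, "client_id": client_id,
              "scope": scope, "iat": now, "exp": now + 3600,
              "jti": secrets.token_urlsafe(16)}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + \
        b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_access_token(token, now):
    """RS side: signature, then typ, alg, iss, aud, required claims, exp.
    Returns the claims on success, None on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    header = json.loads(b64url_decode(h))
    claims = json.loads(b64url_decode(p))
    if header.get("alg") != "HS256" or header.get("typ") != "at+JWT":
        return None
    aud = claims.get("aud")
    if MY_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None  # token meant for another resource server
    if claims.get("iss") != ISSUER:
        return None
    if not all(k in claims for k in ("sub", "client_id", "exp", "iat", "jti")):
        return None
    if now >= claims["exp"]:
        return None
    return claims
```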
  26. DPoP. oauth.net/2/dpop
        POST /token HTTP/1.1
        Host: server.example.com
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
        DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik
          VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR
          nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE
          QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIj
          oiUE9TVCIsImh0dSI6Imh0dHBzOi8vc2VydmVyLmV4YW1wbGUuY29tL3Rva2VuIiwia
          WF0IjoxNTYyMjYyNjE2fQ.2-GxA6T8lP4vfrg8v-FdWP0A0zdrj8igiMLvqRMUvwnQg
          4PtFLbdLXiOSsX0x7NVY-FNyJK70nfbV37xRZT3Lg

        grant_type=authorization_code
        &code=SplxlOBeZQQYbYS6WxSbIA
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
        &code_verifier=bEaL42izcC-o-xBk0K2vuJ6U-y1p9r_wW2dFWIWgjz-
  27. New OAuth Extensions
      • Rich Authorization Requests (RAR)
      • Pushed Authorization Requests (PAR)
      • JWT Authorization Requests (JAR)
  28. Rich Authorization Requests (RAR). oauth.net/2/rich-authorization-requests
      • OAuth "scope" is limited to fixed lists of scopes
      • Need a way to authorize fine-grained transactions or resources
      • and present that to the user in the authorization interface
  29. (example consent screen) Pay Merchant123 €123.50 from your account ending in 8603
  30. Rich Authorization Requests (RAR). oauth.net/2/rich-authorization-requests (image slide)
  31. Pushed Authorization Requests (PAR). oauth.net/2/pushed-authorization-requests
      • Currently, the authorization request is sent in the front-channel
      • Front-channel is susceptible to inspection and modification
      • PAR initiates the OAuth flow from the back-channel
  32. Pushed Authorization Requests (PAR). oauth.net/2/pushed-authorization-requests
      Instead of:
        GET /authorize?response_type=code
          &client_id=s6BhdRkqt3&state=af0ifjsldkj
          &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
        Host: as.example.com
      Push the request to the AS:
        POST /as/par HTTP/1.1
        Host: as.example.com
        Content-Type: application/x-www-form-urlencoded
        Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

        response_type=code
        &client_id=s6BhdRkqt3&state=af0ifjsldkj
        &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
  33. Pushed Authorization Requests (PAR). oauth.net/2/pushed-authorization-requests
      AS responds with a URL:
        { "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2", "expires_in": 90 }
      User visits that URL, authorization request details are hidden!
        GET /authorize?request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2 HTTP/1.1
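The authorization-server side of the PAR exchange on slides 32 and 33, as an added Python example (not code from the talk or from any OAuth server): the pushed request is accepted only over the client-authenticated back channel, the returned request_uri is short-lived and single-use, and at /authorize it may only be redeemed by the client that pushed it. The in-memory store, the client secret, and the client_id parameter on the /authorize request (the slide shows only request_uri) are assumptions.

```python
import secrets
from urllib.parse import parse_qs

REQUEST_URI_LIFETIME = 90  # seconds, matching the slide's expires_in
# Constructed client registration; the client_id and redirect_uri are the slide's.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"secret": "constructed-secret",
                   "redirect_uris": {"https://client.example.org/cb"}},
}
_pushed = {}  # request_uri -> (client_id, params, expires_at)


def push_authorization_request(client_id, client_secret, body, now):
    """POST /as/par. Returns the JSON the AS would send back, or an error."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if "request_uri" in params:
        return {"error": "invalid_request"}  # a pushed request may not nest one
    if params.get("client_id") != client_id:
        return {"error": "invalid_request"}  # body must belong to the authenticated client
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return {"error": "invalid_request"}  # exact match, checked before anything is stored
    request_uri = "urn:example:" + secrets.token_urlsafe(24)
    _pushed[request_uri] = (client_id, params, now + REQUEST_URI_LIFETIME)
    return {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}


def resolve_authorization_request(client_id, request_uri, now):
    """GET /authorize?client_id=...&request_uri=... . Returns the stored
    authorization parameters, or None if the reference is unknown, already
    used, expired, or pushed by a different client."""
    entry = _pushed.pop(request_uri, None)  # pop: one-time use
    if entry is None:
        return None
    owner, params, expires_at = entry
    if owner != client_id or now >= expires_at:
        return None
    return params
```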
  34. JWT Authorization Requests (JAR). tools.ietf.org/html/draft-ietf-oauth-jwsreq
      • Create a signed JWT with the authorization request details
      • Prevents front-channel tampering with the request, similar to PAR
      • Authenticates the request so the AS knows the client really did initiate it
  35. JWT Authorization Requests (JAR). tools.ietf.org/html/draft-ietf-oauth-jwsreq
        {
          "iss": "s6BhdRkqt3",
          "aud": "https://server.example.com",
          "response_type": "code id_token",
          "client_id": "s6BhdRkqt3",
          "redirect_uri": "https://client.example.org/cb",
          "scope": "openid",
          "state": "af0ifjsldkj",
          "nonce": "n-0S6_WzA2Mj",
          "max_age": 86400
        }
        eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ewogICAgImlzcyI6ICJzNkJoZF
        JrcXQzIiwKICAgICJhdWQiOiAiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLAog
        ICAgInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsCiAgICAiY2xpZW50X2
        lkIjogInM2QmhkUmtxdDMiLAogICAgInJlZGlyZWN0X3VyaSI6ICJodHRwczovL2Ns
        aWVudC5leGFtcGxlLm9yZy9jYiIsCiAgICAic2NvcGUiOiAib3BlbmlkIiwKICAgIC
        JzdGF0ZSI6ICJhZjBpZmpzbGRraiIsCiAgICAibm9uY2UiOiAibi0wUzZfV3pBMk1q
        IiwKICAgICJtYXhfYWdlIjogODY0MDAKfQ.Nsxa_18VUElVaPjqW_ToI1yrEJ67BgK
        b5xsuZRVqzGkfKrOIX7BCx0biSxYGmjK9KJPctH1OC0iQJwXu5YVY-vnW0_PLJb1C2
        HG-ztVzcnKZC2gE4i0vgQcpkUOCpW3SEYXnyWnKzuKzqSb1wAZALo5f89B_p6QA6j6
        JwBSRvdVsDPdulW8lKxGTbH82czCaQ50rLAg3EYLYaCb4ik4I1zGXE4fvim9FIMs8O
        CMmzwIB5S-ujFfzwFjoyuPEV4hJnoVUmXR_W9typPf846lGwA8h9G9oNTIuX8Ft2jf
        pnZdFmLg3_wr3Wa5q3a-lfbgF3S9H_8nN3j1i7tLR_5Nz-g
  36. JWT Authorization Requests (JAR). tools.ietf.org/html/draft-ietf-oauth-jwsreq
      Either passed by value in the URL:
        https://server.example.com/authorize?request=eyJhbGciOiJS...
      ...by reference in the URL:
        https://server.example.com/authorize?request_uri=https://example.org/r...
      ...or pushed using PAR:
        POST https://server.example.com/authorize
        request=eyJhbGciOiJS...
  37. (diagram: the OAuth 2.0 landscape) RFC6749, RFC6750, client type, auth, grant type, RFC6819, RFC7009, RFC7592, RFC7662, RFC7636, RFC7591, RFC7519, building your application, RFC8252, OIDC, RFC8414, state, TLS, CSRF, UMA 2, FAPI, RFC7515, RFC7516, RFC7517, RFC7518, token, PoP, Security BCP, CIBA, HTTP Signing, Mutual TLS, SPA BCP, JARM, JAR, token, DPoP, PAR
  38. (repeat of the slide 18 diagram)
  39. OAuth 2.1 (diagram). Grant types: Authorization Code +PKCE, Client Credentials. Token usage: tokens in HTTP header, tokens in POST form body
  40. OAuth 2.1. oauth.net/2.1
  41. OAuth 2.1
      • Consolidate the OAuth 2.0 specs, adding best practices, removing deprecated features
      • Capture current best practices in OAuth 2.0 under a single name
      • Add references to extensions that didn't exist when OAuth 2.0 was published
  42. OAuth 2.1
      • No new behavior defined by OAuth 2.1
      • Non-Goals: Don't include anything experimental, in progress or not widely implemented
  43. OAuth 2.1
      Consolidates: RFC6749 - OAuth 2.0 Core; RFC6750 - Bearer Token Usage; RFC7636 - PKCE; Native App & Browser-Based App BCPs; Security BCP
      • MUST support PKCE for all OAuth clients
      • No password grant
      • No implicit flow
      • Exact string matching for redirect URIs
      • No access tokens in query strings
      • Refresh tokens must be sender-constrained or one-time use
  44. OAuth 2.1. oauth.net/2.1, tools.ietf.org/html/draft-parecki-oauth-v2-1
  45. oauth.net/3 ? ? ?
  46. OAuth 3 aka XYZ aka XAuth
  47. OAuth 3
      • In development under a new IETF working group (GNAP)
      • Re-thinking OAuth from the ground up
      • Not backwards compatible
      • Consolidate all the various use cases in OAuth into a new framework
  48. GNAP / TxAuth: very much in progress!
  49. Thank you! @aaronpk aaronpk.com oauth.wtf
