OAuth 2.0 Public Client Secret Extension

•Télécharger en tant que PPTX, PDF•

0 j'aime•1,271 vues

Nat Sakimura

Technologie

Problem Statement
• App selection by custom scheme is in
deterministic on iOS.
• Thus, code may be intercepted by a malicious
app that registered the same custom scheme
as the target app.
• Those apps are generally public client so does
not have client secret.
• As the result, the access token is obtained by
the malicious app at a rather high probability.
2

5
Short & Sweet
The Main text
is just 2 pages long

JSON Metadata for OAuth
Responses 1.0
http://tools.ietf.org/html/draft-
sakimura-oauth-meta-02
Nat Sakimura
Nomura Research Institute
6

$Introducing metadata to OAuth Responses • Especially link relationships for HATEOAS (Hypermedia as the Engine of Application State) but not limited to. • It will give a stub element to put other metadata about the response. 7 { "_links":{ "self":{"href":"https://example.com/token?code=123"}, "userinfo": { "href":"https://example.com/user/{user_id}", "Authorize":"{token_type} {access_token}" } }, "token_type":"Bearer", "access_token":"aCeSsToKen" }$

Contenu connexe

Tendances

SQL injection implementation and prevention Rejaul Islam Royel

Secure Code Warrior - Defense in depthSecure Code Warrior

Owasp first5 presentationAshwini Paranjpe

Secure Code Warrior - Cross site scriptingSecure Code Warrior

E Com Security solutions hand book on Web application security best practicesDolly Juhu

Secure Web Applications Ver0.01Vasan Ramadoss

Secure Code Warrior - Remote file inclusionSecure Code Warrior

OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu

Top 10 Web Application vulnerabilitiesTerrance Medina

Owasp Top 10 A1: InjectionMichael Hendrickx

referer spoofblackprice2

Error codes & custom 404sRonan Dunne, CEH, SSCP

Step by step guide for web application security testingAvyaan, Web Security Company in India

Secure Code Warrior - Local storageSecure Code Warrior

Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff

A5: Security Misconfiguration Tariq Islam

Owasp 2017 oveviewShreyas N

Secure Code Warrior - AuthenticationSecure Code Warrior

Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya

A Hybrid Approach For Phishing Website Detection Using Machine Learning.vivatechijri

Tendances (20)

SQL injection implementation and prevention

Secure Code Warrior - Defense in depth

Owasp first5 presentation

Secure Code Warrior - Cross site scripting

E Com Security solutions hand book on Web application security best practices

Secure Web Applications Ver0.01

Secure Code Warrior - Remote file inclusion

OWASP Top 10 - 2017 Top 10 web application security risks

Top 10 Web Application vulnerabilities

Owasp Top 10 A1: Injection

referer spoof

Error codes & custom 404s

Step by step guide for web application security testing

Secure Code Warrior - Local storage

Top 10 Web Security Vulnerabilities (OWASP Top 10)

A5: Security Misconfiguration

Owasp 2017 oveview

Secure Code Warrior - Authentication

Hacking A Web Site And Secure Web Server Techniques Used

A Hybrid Approach For Phishing Website Detection Using Machine Learning.

En vedette

OAuth SPOP @ IETF 91Nat Sakimura

OpenID Foundation Foundation Financial API (FAPI) WGNat Sakimura

車輪は丸くなったか？~デジタル・アイデンティティの標準化動向とそのゴールNat Sakimura

Oidc how it solves your problemsNat Sakimura

OpenID Foundation Foundation Financial API (FAPI) WGNat Sakimura

Financial Grade OAuth & OpenID ConnectNat Sakimura

En vedette (6)

OAuth SPOP @ IETF 91

OpenID Foundation Foundation Financial API (FAPI) WG

車輪は丸くなったか？~デジタル・アイデンティティの標準化動向とそのゴール

Oidc how it solves your problems

OpenID Foundation Foundation Financial API (FAPI) WG

Financial Grade OAuth & OpenID Connect

Similaire à OAuth 2.0 Public Client Secret Extension

OAuth2 - IntroductionKnoldus Inc.

OAuth2 IntroductionArpit Suthar

attacks-oauth-secure-oauth-implementation-33644.pdfMohitRampal5

Securing RESTful APIMuhammad Zbeedat

Implementing Microservices Security Patterns & Protocols with SpringVMware Tanzu

CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)Sam Bowne

Netsuite open air connectorD.Rajesh Kumar

Netsuite open air connectorhimajareddys

Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)gemziebeth

EduID Mobile App - Use-Cases, Concepts and ImplementationChristian Glahn

Oauth2.0Yasmine Gaber

OAuthAdi Challa

OpenSocial and Mixi platformPham Thinh

OAuth2 and LinkedInKamyar Mohager

Building A Mobile First API When You're Not Mobile First - Tyler SingletaryProgrammableWeb

OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz

Box connectorThang Loi

Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...VMware Tanzu

Module 11 (hacking web servers)Wail Hassan

Web Technologies Notes - TutorialsDuniya.pdfRaghunathan52

Similaire à OAuth 2.0 Public Client Secret Extension (20)

OAuth2 - Introduction

OAuth2 Introduction

attacks-oauth-secure-oauth-implementation-33644.pdf

Securing RESTful API

Implementing Microservices Security Patterns & Protocols with Spring

CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)

Netsuite open air connector

Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)

EduID Mobile App - Use-Cases, Concepts and Implementation

Oauth2.0

OAuth

OpenSocial and Mixi platform

OAuth2 and LinkedIn

Building A Mobile First API When You're Not Mobile First - Tyler Singletary

OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key

Box connector

Welcome to the Reactive Revolution:RSocket and Spring Cloud Gateway - Spencer...

Module 11 (hacking web servers)

Web Technologies Notes - TutorialsDuniya.pdf

Plus de Nat Sakimura

FAPI and beyond - よりよいセキュリティのためにNat Sakimura

OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureNat Sakimura

170724 JP/UK Open Banking Summit English TranslationNat Sakimura

Introduction to  the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesNat Sakimura

Introduction to the FAPI Read & Write OAuth ProfileNat Sakimura

金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WGNat Sakimura

ブロックチェーン〜信頼の源泉の民主化のもたらす変革Nat Sakimura

Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Nat Sakimura

OpenID Foundation FAPI WG: June 2017 UpdateNat Sakimura

API Days 2016 Day 1: OpenID Financial API WGNat Sakimura

Introduction to OpenID Connect Nat Sakimura

Nc 30 sakimura-distribution_0604Nat Sakimura

Smartphone Native Application OPNat Sakimura

Open idとcyber空間Nat Sakimura

サイバー空間上の信頼フレームワークとパーソナルデータ経済Nat Sakimura

Closing NoteNat Sakimura

20110706 PIDSプロジェクト中間報告Nat Sakimura

Open id specifications_work_update-tokyo_2011Nat Sakimura

国民ID制度とトラスト・フレームワークNat Sakimura

Introduction to OpenID TX proposed extensionNat Sakimura

Plus de Nat Sakimura (20)

FAPI and beyond - よりよいセキュリティのために

OpenID in the Digital ID Landscape: A Perspective From the Past to the Future

170724 JP/UK Open Banking Summit English Translation

Introduction to  the FAPI Read & Write OAuth Profile - Jan 2018 Updates

Introduction to the FAPI Read & Write OAuth Profile

金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG

ブロックチェーン〜信頼の源泉の民主化のもたらす変革

Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...

OpenID Foundation FAPI WG: June 2017 Update

API Days 2016 Day 1: OpenID Financial API WG

Introduction to OpenID Connect

Nc 30 sakimura-distribution_0604

Smartphone Native Application OP

Open idとcyber空間

サイバー空間上の信頼フレームワークとパーソナルデータ経済

Closing Note

20110706 PIDSプロジェクト中間報告

Open id specifications_work_update-tokyo_2011

国民ID制度とトラスト・フレームワーク

Introduction to OpenID TX proposed extension

Dernier

The State of Passkeys with FIDO Alliance.pptxLoriGlavin3

Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro

Commit 2024 - Secret Management made easyAlfredo García Lavilla

SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero

Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3

How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe

TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc

unit 4 immunoblotting technique complete.pptxBkGupta21

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3

What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett

DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy

Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos

DMCC Future of Trade Web3 - Special EditionDubai Multi Commodity Centre

TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey

Take control of your SAP testing with UiPath Test SuiteDianaGray10

Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University

Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed

Dernier (20)

The State of Passkeys with FIDO Alliance.pptx

Unraveling Multimodality with Large Language Models.pdf

Commit 2024 - Secret Management made easy

SIP trunking in Janus @ Kamailio World 2024

Streamlining Python Development: A Guide to a Modern Project Setup

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx

How AI, OpenAI, and ChatGPT impact business and software.

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy

unit 4 immunoblotting technique complete.pptx

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx

What's New in Teams Calling, Meetings and Devices March 2024

DevoxxFR 2024 Reproducible Builds with Apache Maven

Dev Dives: Streamline document processing with UiPath Studio Web

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

DMCC Future of Trade Web3 - Special Edition

TeamStation AI System Report LATAM IT Salaries 2024

Take control of your SAP testing with UiPath Test Suite

Nell’iperspazio con Rocket: il Framework Web di Rust!

Scanning the Internet for External Cloud Exposures via SSL Certs

OAuth 2.0 Public Client Secret Extension

1. Transient Client Secret Extension for OAuth 2.0 Public Clients http://tools.ietf.org/html/draft- sakimura-oauth-tcse-01 Nat Sakimura Nomura Research Institute

2. Problem Statement • App selection by custom scheme is in deterministic on iOS. • Thus, code may be intercepted by a malicious app that registered the same custom scheme as the target app. • Those apps are generally public client so does not have client secret. • As the result, the access token is obtained by the malicious app at a rather high probability. 2

3. 3 bad good browser server

4. 4 bad good browser server

5. 5 Short & Sweet The Main text is just 2 pages long

6. JSON Metadata for OAuth Responses 1.0 http://tools.ietf.org/html/draft- sakimura-oauth-meta-02 Nat Sakimura Nomura Research Institute 6

7. Introducing metadata to OAuth Responses • Especially link relationships for HATEOAS (Hypermedia as the Engine of Application State) but not limited to. • It will give a stub element to put other metadata about the response. 7 { "_links":{ "self":{"href":"https://example.com/token?code=123"}, "userinfo": { "href":"https://example.com/user/{user_id}", "Authorize":"{token_type} {access_token}" } }, "token_type":"Bearer", "access_token":"aCeSsToKen" }

OAuth 2.0 Public Client Secret Extension

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (6)

Similaire à OAuth 2.0 Public Client Secret Extension

Similaire à OAuth 2.0 Public Client Secret Extension (20)

Plus de Nat Sakimura

Plus de Nat Sakimura (20)

Dernier

Dernier (20)

OAuth 2.0 Public Client Secret Extension