Facebook data breach and OAuth2

•

0 recomendaciones•108 vistas

Leonard Moustacchis

France Identity Tech talks

Internet

Facebook data breach and
OAuth2
Identity Tech Talk France
13 Décembre 2018
Léonard Moustacchis

It has helped to kill the “password anti-pattern”
OAuth is for constrained delegation to apps
3
Authorization
server
Resource server
Resource owner
Client

It has helped to kill the “password anti-pattern”
OAuth is for constrained delegation to apps
Authorizes (consents) at run
time after authenticating, at
the AS
4
Authorization
server
Resource server
Resource owner
Client

Do NOT use Oauth token for
authentication!

How did it append?
Facebook Hack
Authenticate
Get access

How did it append?
Facebook Hack
View as… Alice

How did it append?
Facebook Hack
Token
stolen!

How did it append?
Facebook Hack
Token
stolen!
Cheshire cat
is ALICE!!!

Do it right!
• Use ID token to represent a user
> OAuth is a vehicule for authorization not authentication
> Numbers: Google, Azure, Wechat uses OIDC
• Data minimization
• Priviledge minimization (scopes)
• Other method: the use of audience, PKCE

© 2017 ForgeRock. All rights reserved.
Thank You

Más contenido relacionado

La actualidad más candente

D@W REST securityGaurav Sharma

Secure Code Warrior - Least privilegeSecure Code Warrior

Secure your SPA with Auth0Joel Lord

Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal

Techniques for securing restSudhakar Anivella

Web authentication & authorizationAlexandru Pasaila

Api security with OAuththariyarox

Security 101George V. Reilly

A10 - Unvalidated Redirects and ForwardsShane Stanley

OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud

SecurityAkram Salih

Deciphering 'Claims-based Identity'Oliver Pfaff

O auth2.0 guideDilip Mohapatra

Deltecs Services for Vulnerability Assessment and penetration testingdivyeshkharade

Secure Code Warrior - Secure by defaultSecure Code Warrior

Csrf final•sreejith •sree

CiNPA Security SIG - Exploiting the Tiredful APIThreatReel Podcast

A7 Missing Function Level Access Controlstevil1224

AAA serverhetvi naik

Authentication, authorization, accounting(aaa) slidesrahul kundu

La actualidad más candente (20)

D@W REST security

Secure Code Warrior - Least privilege

Secure your SPA with Auth0

Stateless authentication for microservices - GR8Conf 2015

Techniques for securing rest

Web authentication & authorization

Api security with OAuth

Security 101

A10 - Unvalidated Redirects and Forwards

OAuth - Don’t Throw the Baby Out with the Bathwater

Security

Deciphering 'Claims-based Identity'

O auth2.0 guide

Deltecs Services for Vulnerability Assessment and penetration testing

Secure Code Warrior - Secure by default

Csrf final

CiNPA Security SIG - Exploiting the Tiredful API

A7 Missing Function Level Access Control

AAA server

Authentication, authorization, accounting(aaa) slides

Similar a Facebook data breach and OAuth2

Stateless Auth using OAuth2 & JWTGaurav Roy

Single-Page-Application & REST securityIgor Bossenko

Stateless Auth using OAUTH2 & JWTMobiliya

Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin

Intro to OAuth2 and OpenID ConnectLiamWadman

Digital Consent: Taking UMA from Concept to RealityForgeRock

API Security FundamentalsJosé Haro Peralta

OAuth OpenID ConnectLéopold Gault

Securing APIs using OAuth 2.0Adam Lewis

O auth with facebook and google using .netSathyaish Chakravarthy

What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible

REST API Authentication Methods.pdfRubersy Ramos García

What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible

Flaws in Oauth 2.0 Can Oauth be used as a Security Serverijtsrd

O auth2.0 20141003Syed Ali Raza

UserCentric Identity based Service Invocationguestd5dde6

Oauth 2.0Manish Kumar Singh

Securing RESTful APIMuhammad Zbeedat

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell

Enterprise Access Control Patterns for Rest and Web APIsCA API Management

Similar a Facebook data breach and OAuth2 (20)

Stateless Auth using OAuth2 & JWT

Single-Page-Application & REST security

Stateless Auth using OAUTH2 & JWT

Rest API Security - A quick understanding of Rest API Security

Intro to OAuth2 and OpenID Connect

Digital Consent: Taking UMA from Concept to Reality

API Security Fundamentals

OAuth OpenID Connect

Securing APIs using OAuth 2.0

O auth with facebook and google using .net

What the Heck is OAuth and OpenID Connect? Connect.Tech 2017

REST API Authentication Methods.pdf

What the Heck is OAuth and OpenID Connect - DOSUG 2018

Flaws in Oauth 2.0 Can Oauth be used as a Security Server

O auth2.0 20141003

UserCentric Identity based Service Invocation

Oauth 2.0

Securing RESTful API

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...

Enterprise Access Control Patterns for Rest and Web APIs

Más de Leonard Moustacchis

Identity verification and AILeonard Moustacchis

De la bonne utilisation de OAuth2 Leonard Moustacchis

WebAuthn & FIDO2Leonard Moustacchis

Identity techtalk orangeLeonard Moustacchis

Intelligent authentication Identity tech talksLeonard Moustacchis

Blockchain et ses cas d'usages - Identity Tech Talk#10 Leonard Moustacchis

iProov et Biométrie Identity Tech Talk #10Leonard Moustacchis

Microservice et identitéLeonard Moustacchis

Évènement 01 Business - GDPR, confiance et confidentialité des données, défi ...Leonard Moustacchis

201707 dsp2 standards, sécurité, quels impacts - wavestoneLeonard Moustacchis

Identité et AutomobileLeonard Moustacchis

Meetup devopsLeonard Moustacchis

Quels sont les enjeux de la réglementation GDPRLeonard Moustacchis

Présentation de UMA (User Managed Access)Leonard Moustacchis

Identity Tech Talks #3 FIDO futur of authenticationLeonard Moustacchis

Mon Raspberry PI a une identité ! Leonard Moustacchis

Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...Leonard Moustacchis

Pas d'IoT sans Identité!Leonard Moustacchis

Valorisez votre écosystème d'identitésLeonard Moustacchis

L’identité numérique : un atout incontournable pour construire une relation c...Leonard Moustacchis

Más de Leonard Moustacchis (20)

Identity verification and AI

De la bonne utilisation de OAuth2

WebAuthn & FIDO2

Identity techtalk orange

Intelligent authentication Identity tech talks

Blockchain et ses cas d'usages - Identity Tech Talk#10

iProov et Biométrie Identity Tech Talk #10

Microservice et identité

Évènement 01 Business - GDPR, confiance et confidentialité des données, défi ...

201707 dsp2 standards, sécurité, quels impacts - wavestone

Identité et Automobile

Meetup devops

Quels sont les enjeux de la réglementation GDPR

Présentation de UMA (User Managed Access)

Identity Tech Talks #3 FIDO futur of authentication

Mon Raspberry PI a une identité !

Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...

Pas d'IoT sans Identité!

Valorisez votre écosystème d'identités

L’identité numérique : un atout incontournable pour construire une relation c...

Último

Trump Diapers Over Dems t shirts Sweatshirtrahman018755

best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC

Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156

Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156

20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair

"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids

一比一原版田纳西大学毕业证如何办理F

20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney

Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney

Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy

Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515

Real Men Wear Diapers T Shirts sweatshirtrahman018755

2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou

Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs

Facebook data breach and OAuth2

1. Facebook data breach and OAuth2 Identity Tech Talk France 13 Décembre 2018 Léonard Moustacchis

2. OAuth2 runs the world

3. It has helped to kill the “password anti-pattern” OAuth is for constrained delegation to apps 3 Authorization server Resource server Resource owner Client

4. It has helped to kill the “password anti-pattern” OAuth is for constrained delegation to apps Authorizes (consents) at run time after authenticating, at the AS 4 Authorization server Resource server Resource owner Client

5. It has helped to kill the “password anti-pattern” OAuth is for constrained delegation to apps Authorizes (consents) at run time after authenticating, at the AS App gets consent based on the API scopes it requested; it has its own identity distinct from the RO’s 5 Authorization server Resource server Resource owner Client

6. It has helped to kill the “password anti-pattern” OAuth is for constrained delegation to apps Authorizes (consents) at run time after authenticating, at the AS Standard OAuth endpoints for authorization and access token issuance App gets consent based on the API scopes it requested; it has its own identity distinct from the RO’s 6 Authorization server Resource server Resource owner Client

7. It has helped to kill the “password anti-pattern” OAuth is for constrained delegation to apps Authorizes (consents) at run time after authenticating, at the AS Standard OAuth endpoints for authorization and access token issuance Some number of API endpoints that deliver the data or other value-add App gets consent based on the API scopes it requested; it has its own identity distinct from the RO’s 7 Authorization server Resource server Resource owner Client

8. It has helped to kill the “password anti-pattern” OAuth is for constrained delegation to apps Authorizes (consents) at run time after authenticating, at the AS Standard OAuth endpoints for authorization and access token issuance Some number of API endpoints that deliver the data or other value-add App gets consent based on the API scopes it requested; it has its own identity distinct from the RO’s (A) Authorization Request (B) Authorization Grant (C) Authorization Grant (D) Access Token (E) Access Token (F) Protected Resource 8 Authorization server Resource server Resource owner Client

9. Do NOT use Oauth token for authentication!

10. How did it append? Facebook Hack Authenticate Get access

11. How did it append? Facebook Hack View as… Alice

12. How did it append? Facebook Hack Token stolen!

13. How did it append? Facebook Hack Token stolen! Cheshire cat is ALICE!!!

14. Do it right! • Use ID token to represent a user > OAuth is a vehicule for authorization not authentication > Numbers: Google, Azure, Wechat uses OIDC • Data minimization • Priviledge minimization (scopes) • Other method: the use of audience, PKCE

Facebook data breach and OAuth2

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Facebook data breach and OAuth2

Similar a Facebook data breach and OAuth2 (20)

Más de Leonard Moustacchis

Más de Leonard Moustacchis (20)

Último

Último (20)

Facebook data breach and OAuth2