SlideShare a Scribd company logo

OAuth 2.0 Threat Landscape

Download as PPTX, PDF
Prabath Siriwardena
Prabath Siriwardena

OAuth 2.0 Threat Landscape - Talk at the RSAConference 2018

Education
1 of 31
SESSION ID: #RSAC Prabath Siriwardena OAUTH 2.0 THREAT LANDSCAPE IDY-W04 Senior Director of Security Architecture WSO2 @prabath
Presenter’s Company Logo – replace or delete on master slide # R S A C
#RSAC OAUTH 2.0 - A QUICK OVERVIEW
Presenter’s Company Logo – replace or delete on master slide # R S A C OAuth 2.0 4
Presenter’s Company Logo – replace or delete on master slide # R S A C Authorization Code Grant Type 5
Presenter’s Company Logo – replace or delete on master slide # R S A C Implicit Grant Type 6
Presenter’s Company Logo – replace or delete on master slide # R S A C Client Credentials Grant Type 7
Presenter’s Company Logo – replace or delete on master slide # R S A C Password Grant Type 8
#RSAC THREATS / MITIGATIONS / BEST PRACTICES
Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Threats) 10
Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Victims) 11 Web / Mobile application users
Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Mitigation / Best Practices) 12 Short-lived authorization code Use state parameter Proof-key-for-code-exchange (PKCE)
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Threats) 13 Attacker may attempt to eavesdrop authorization code/access token/refresh token in transit. Authorization Code Flow Open Redirector OAuth 2.0 native apps can get hold of the authorization code.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Threats) 14 Attacker may attempt a brute force attack to crack the authorization code/access token. Attacker may attempt to steal the authorization code/access token/refresh token stored in the authorization server. IdP Mix-Up / Malicious Endpoint.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Victims) 15 Web/Mobile application users Web/Mobile application owners
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 16 Always on TLS (use TLS 1.2 or later) Address all the TLS level vulnerabilities both at the client, authorization server and the resource server. The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 17 Never store tokens in clear text - but the salted hash. Short-lived tokens. LinkedIn has an expiration of 30 seconds for its authorization codes. The token expiration time would depend on the following parameters. Risk associated with token leakage Duration of the underlying access grant Time required for an attacker to guess or produce a valid token
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 18 One-time authorization code One-time access token (implicit grant type) Use PKCE (proof key for code exchange) to avoid authorization code interception attack. Have S256 as the code challenge method Enforce standard SQL injection countermeasures
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 19 Avoid using the same client_id/client_secret for each instance of a mobile app - rather use the Dynamic Client Registration API to generate a key pair per instance. Most of the time the leakage of authorization code becomes a threat when the attacker is in hold of the client id and client secret. Restrict grant types by client. Most of the authorization servers do support all core grant types. If unrestricted, leakage of client id/client secret gives the attacker the opportunity obtain an access token via client credentials grant type.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 20 Enable client authentication via a much secured manner. JWT client assertions TLS mutual authentication Have a key of size 2048 bits or larger if RSA algorithms are used for the client authentication Have a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 21 White-list callback URLs (redirect_uri) The absolute URL or a regEx pattern IdP-Mixup Use different callback URLs by IdP https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Threats) 22 A malicious resource could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Threats) 23 An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type https://target-app/callback?access_token=<access_token> A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Victims) 24 Web/Mobile application users Web/Mobile application owners
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Mitigations / Best Practices) 25 A malicious resource (an API / Microservice) could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client. An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type https://target-app/callback?access_token=<access_token>
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Mitigations / Best Practices) 26 A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources. To avoid exhausting resources at the server side, enforce throttle limits by user by application. In case an attacker wants to misuse a token - the worst he/she can do is to eats his/her own quota.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Threats) 27 An attacker could export an access token from its originating channel and use somewhere else. A common attack vector for SPAs (Single Page Applications) A major concerns with bearer tokens.
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Victims) 28 Web/Mobile application users Web/Mobile application owners
Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Mitigations / Best Practices) 29 The use of Token Binding protects access tokens from man-in-the- middle and token export and replay attacks. https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
Presenter’s Company Logo – replace or delete on master slide # R S A C Apply What You Have Learned Today! 30 Review and test current OAuth 2.0 client applications against the threats we discussed – probably build a test suite! Build a security check-list for an OAuth 2.0 Authorization Server, and make sure what you build or what you buy, adheres to it. Be the security champion of your team!
#RSAC THANK YOU!

Recommended

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 
Building trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeBuilding trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffe
ajessup
 
IoC with PHP
IoC with PHPIoC with PHP
IoC with PHP
Chris Weldon
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
Nov Matake
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Ioan Eugen Stan
 
Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1
KlaraOrban
 
I Can See Clearly Now - Observing & understanding your Spring applications at...
I Can See Clearly Now - Observing & understanding your Spring applications at...I Can See Clearly Now - Observing & understanding your Spring applications at...
I Can See Clearly Now - Observing & understanding your Spring applications at...
Joris Kuipers
 

Recommended

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 
Building trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffeBuilding trust between modern distributed systems with spiffe
Building trust between modern distributed systems with spiffe
ajessup
 
IoC with PHP
IoC with PHPIoC with PHP
IoC with PHP
Chris Weldon
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
Nov Matake
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Ioan Eugen Stan
 
Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1Encode x NEAR: Technical Overview of NEAR 1
Encode x NEAR: Technical Overview of NEAR 1
KlaraOrban
 
I Can See Clearly Now - Observing & understanding your Spring applications at...
I Can See Clearly Now - Observing & understanding your Spring applications at...I Can See Clearly Now - Observing & understanding your Spring applications at...
I Can See Clearly Now - Observing & understanding your Spring applications at...
Joris Kuipers
 
Tech talk live on new alfresco api
Tech talk live on new alfresco apiTech talk live on new alfresco api
Tech talk live on new alfresco api
Alfresco Software
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
Tubagus Rizky Dharmawan
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
Cisco DevNet
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
Stormpath
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
Puma Security, LLC
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
Vladimir Budilov
 
Apic dc api deep dive
Apic dc api deep dive Apic dc api deep dive
Apic dc api deep dive
Cisco DevNet
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
Hitachi, Ltd. OSS Solution Center.
 
Aci programmability
Aci programmabilityAci programmability
Aci programmability
Cisco DevNet
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & Keycloak
Charles Moulliard
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
Nick Maludy
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
Ryan Dawson
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
scotttomilson
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
DataStax Academy
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
Priyanka Aash
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
Prabath Siriwardena
 

More Related Content

What's hot

Tech talk live on new alfresco api
Tech talk live on new alfresco apiTech talk live on new alfresco api
Tech talk live on new alfresco api
Alfresco Software
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
Puma Security, LLC
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
Vladimir Budilov
 
Apic dc api deep dive
Apic dc api deep dive Apic dc api deep dive
Apic dc api deep dive
Cisco DevNet
 

What's hot (20)

Tech talk live on new alfresco api
Tech talk live on new alfresco apiTech talk live on new alfresco api
Tech talk live on new alfresco api
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
 
Apic dc api deep dive
Apic dc api deep dive Apic dc api deep dive
Apic dc api deep dive
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
 
Aci programmability
Aci programmabilityAci programmability
Aci programmability
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & Keycloak
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
The Dynamic Duo of Puppet and Vault tame SSL Certificates - Puppet Camps Cent...
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
 

Similar to OAuth 2.0 Threat Landscape

Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
CA API Management
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
peter lam
 
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsAdventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Priyanka Aash
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Hai Nguyen
 

Similar to OAuth 2.0 Threat Landscape (20)

OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes
 
The Pivot
The PivotThe Pivot
The Pivot
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
 
Top Performance Problems in Distributed Architectures
Top Performance Problems in Distributed ArchitecturesTop Performance Problems in Distributed Architectures
Top Performance Problems in Distributed Architectures
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application Security
 
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsAdventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 

More from Prabath Siriwardena

Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
Prabath Siriwardena
 

More from Prabath Siriwardena (20)

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Identity is Eating the World!
Identity is Eating the World!Identity is Eating the World!
Identity is Eating the World!
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
GDPR for Identity Architects
GDPR for Identity ArchitectsGDPR for Identity Architects
GDPR for Identity Architects
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access Management
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity Bus
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet Identity
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and Cloud
 
Securing Insecure
Securing InsecureSecuring Insecure
Securing Insecure
 
Evolution of Internet Identity
Evolution of Internet IdentityEvolution of Internet Identity
Evolution of Internet Identity
 
Securing the Insecure
Securing the InsecureSecuring the Insecure
Securing the Insecure
 

Recently uploaded

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 

Recently uploaded (20)

Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
 

OAuth 2.0 Threat Landscape

  • 1. SESSION ID: #RSAC Prabath Siriwardena OAUTH 2.0 THREAT LANDSCAPE IDY-W04 Senior Director of Security Architecture WSO2 @prabath
  • 2. Presenter’s Company Logo – replace or delete on master slide # R S A C
  • 3. #RSAC OAUTH 2.0 - A QUICK OVERVIEW
  • 4. Presenter’s Company Logo – replace or delete on master slide # R S A C OAuth 2.0 4
  • 5. Presenter’s Company Logo – replace or delete on master slide # R S A C Authorization Code Grant Type 5
  • 6. Presenter’s Company Logo – replace or delete on master slide # R S A C Implicit Grant Type 6
  • 7. Presenter’s Company Logo – replace or delete on master slide # R S A C Client Credentials Grant Type 7
  • 8. Presenter’s Company Logo – replace or delete on master slide # R S A C Password Grant Type 8
  • 9. #RSAC THREATS / MITIGATIONS / BEST PRACTICES
  • 10. Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Threats) 10
  • 11. Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Victims) 11 Web / Mobile application users
  • 12. Presenter’s Company Logo – replace or delete on master slide # R S A C Session Injection with CSRF (Mitigation / Best Practices) 12 Short-lived authorization code Use state parameter Proof-key-for-code-exchange (PKCE)
  • 13. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Threats) 13 Attacker may attempt to eavesdrop authorization code/access token/refresh token in transit. Authorization Code Flow Open Redirector OAuth 2.0 native apps can get hold of the authorization code.
  • 14. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Threats) 14 Attacker may attempt a brute force attack to crack the authorization code/access token. Attacker may attempt to steal the authorization code/access token/refresh token stored in the authorization server. IdP Mix-Up / Malicious Endpoint.
  • 15. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Victims) 15 Web/Mobile application users Web/Mobile application owners
  • 16. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 16 Always on TLS (use TLS 1.2 or later) Address all the TLS level vulnerabilities both at the client, authorization server and the resource server. The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence.
  • 17. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 17 Never store tokens in clear text - but the salted hash. Short-lived tokens. LinkedIn has an expiration of 30 seconds for its authorization codes. The token expiration time would depend on the following parameters. Risk associated with token leakage Duration of the underlying access grant Time required for an attacker to guess or produce a valid token
  • 18. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 18 One-time authorization code One-time access token (implicit grant type) Use PKCE (proof key for code exchange) to avoid authorization code interception attack. Have S256 as the code challenge method Enforce standard SQL injection countermeasures
  • 19. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 19 Avoid using the same client_id/client_secret for each instance of a mobile app - rather use the Dynamic Client Registration API to generate a key pair per instance. Most of the time the leakage of authorization code becomes a threat when the attacker is in hold of the client id and client secret. Restrict grant types by client. Most of the authorization servers do support all core grant types. If unrestricted, leakage of client id/client secret gives the attacker the opportunity obtain an access token via client credentials grant type.
  • 20. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 20 Enable client authentication via a much secured manner. JWT client assertions TLS mutual authentication Have a key of size 2048 bits or larger if RSA algorithms are used for the client authentication Have a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication
  • 21. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Leakage (Mitigation / Best Practices) 21 White-list callback URLs (redirect_uri) The absolute URL or a regEx pattern IdP-Mixup Use different callback URLs by IdP https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01
  • 22. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Threats) 22 A malicious resource could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client
  • 23. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Threats) 23 An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type https://target-app/callback?access_token=<access_token> A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources.
  • 24. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Victims) 24 Web/Mobile application users Web/Mobile application owners
  • 25. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Mitigations / Best Practices) 25 A malicious resource (an API / Microservice) could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client. An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type https://target-app/callback?access_token=<access_token>
  • 26. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Reuse/Misuse (Mitigations / Best Practices) 26 A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources. To avoid exhausting resources at the server side, enforce throttle limits by user by application. In case an attacker wants to misuse a token - the worst he/she can do is to eats his/her own quota.
  • 27. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Threats) 27 An attacker could export an access token from its originating channel and use somewhere else. A common attack vector for SPAs (Single Page Applications) A major concerns with bearer tokens.
  • 28. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Victims) 28 Web/Mobile application users Web/Mobile application owners
  • 29. Presenter’s Company Logo – replace or delete on master slide # R S A C Token Export (Mitigations / Best Practices) 29 The use of Token Binding protects access tokens from man-in-the- middle and token export and replay attacks. https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
  • 30. Presenter’s Company Logo – replace or delete on master slide # R S A C Apply What You Have Learned Today! 30 Review and test current OAuth 2.0 client applications against the threats we discussed – probably build a test suite! Build a security check-list for an OAuth 2.0 Authorization Server, and make sure what you build or what you buy, adheres to it. Be the security champion of your team!

Editor's Notes

  1. The attacker tries to log into the target website (OAuth 2.0 client) with his account at the corresponding identity provider. The attacker blocks the redirection to the target web site, and captures the authorization code. The target web site never sees the code. The attacker constructs the callback URL for the target site - and lets the victim, clicks on it. The victim logs into the target web site, with the account attached to the attacker - and adds credit card information. The attacker too logs into the target website with his/her valid credentials and uses victim’s credit card to buy goods.