The Client is not always right! How to secure OAuth authentication from your app.
Uploaded by mike-schwartz (category: Technology)
Transcript of The Client is not always right! How to secure OAuth authentication from your app.
![Page 1: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/1.jpg)
The Client is not always right!
Michael Schwartz, CEO Gluu
![Page 2: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/2.jpg)
Server / Client
![Page 3: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/3.jpg)
Level setting
![Page 4: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/4.jpg)
User Agent, UA, Browser
Client, Relying Party, RP
Subject, sub, User, End User, Person, "Meat"
OpenID Provider, Identity Provider, Authorization Server, OP, IDP, AS
![Page 5: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/5.jpg)
Source: Nat Sakimura, CIS 2016
Supporting low to high assurance with OpenID
![Page 6: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/6.jpg)
Back channel token / Front channel token
Public client / Confidential client
![Page 7: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/7.jpg)
Basic Client Hygiene
![Page 8: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/8.jpg)
No access tokens as query parameters
BAD, BAD, BAD, BAD!!!! (I know none of you would do this…)
Don't forget about Form Post Response Mode: the fragment shows up in the browser history
http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
![Page 9: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/9.jpg)
Not all client creds are created equal

| Method | Secret not sent in the clear | Signed | Only client has secret |
|---|---|---|---|
| client_secret_basic | | | |
| client_secret_post | | | |
| client_secret_jwt | X | X | |
| private_key_jwt | X | X | X |
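To make the table concrete, here is an added example (not code from the slides or from Gluu) contrasting client_secret_post, where the secret itself is in the token request body, with client_secret_jwt, where the client only sends an HS256 assertion keyed with the secret. The client_id, secret and token endpoint are constructed placeholders; the OP-side check shows why a signed assertion is a weaker thing to leak than the secret: it is audience-bound, short-lived and single-use (jti).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed values for the example; real ones come from your client registration.
CLIENT_ID = "9bac-4ada-9c64"
CLIENT_SECRET = b"constructed-client-secret-with-at-least-128-bits-of-entropy"
TOKEN_ENDPOINT = "https://idp.example.com/token"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_request_client_secret_post(code: str, redirect_uri: str) -> str:
    """client_secret_post: the secret itself travels in the form body; only TLS protects it."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET.decode("ascii"),
    })


def make_client_assertion(now: Optional[int] = None, lifetime: int = 60) -> str:
    """client_secret_jwt: an HS256 JWT keyed with the client secret. The secret never
    leaves the client; the OP sees only a short-lived, audience-bound, single-use signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": CLIENT_ID,                    # issuer and subject are both the client
        "sub": CLIENT_ID,
        "aud": TOKEN_ENDPOINT,               # bound to this OP's token endpoint
        "jti": secrets.token_urlsafe(16),    # unique id so the OP can reject replays
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def token_request_client_secret_jwt(code: str, redirect_uri: str) -> str:
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": make_client_assertion(),
    })


SEEN_JTIS = set()   # OP-side replay cache; in-memory only for this constructed example


def op_verify_client_assertion(assertion: str, now: Optional[int] = None) -> dict:
    """What the OP does with a client_secret_jwt assertion: verify the HMAC with the
    registered secret, then check issuer/subject, audience, expiry and jti one-time use."""
    now = int(time.time()) if now is None else now
    header_b64, claims_b64, sig_b64 = assertion.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in client assertion")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad client assertion signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        raise ValueError("assertion is not for this client")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("assertion audience is not this token endpoint")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("assertion expired")
    if claims.get("jti") in SEEN_JTIS:
        raise ValueError("assertion replayed")
    SEEN_JTIS.add(claims["jti"])
    return claims
```

private_key_jwt has the same shape as make_client_assertion but signs with the client's private key (RS256/PS256/ES256) and the OP verifies with the client's registered public key, which is why only that method earns the third column: the OP never holds anything that could impersonate the client.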
![Page 10: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/10.jpg)
Cross Site Request Forgery
1. Use non-static state values to make sure the response received at your callback corresponds to a request you actually made. Verify either state or s_hash in the response.
CSRF: The Most Common OAuth 2 Vulnerability
http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html
![Page 11: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/11.jpg)
Minimal id_token claim validation
2. iss - verify that the token was issued by the correct OpenID Provider
3. aud - verify this is your client_id
4. nonce - verify it matches the nonce value you sent in your request.
5. exp - verify that the assertion is not expired!
{
"iss": "https://idp.example.com",
"aud": "9bac-4ada-9c64",
"nonce": "1d58c9a9-cb05-4e7f",
"at_hash": "77QmUPjzWtFAnKRQ",
"exp": 1494702905,
"sub": "3046f517963f"
}
![Page 12: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/12.jpg)
6. Verify the signature! TLS is not perfect...
Symmetric - use your client secret to verify the signature
Asymmetric - use the public key of the OP to verify the signature
![Page 13: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/13.jpg)
Optional id_token claim validation
7. at_hash - verify that you are using the correct access token. Required for implicit.
8. s_hash - in lieu of the state param, verifies the state without leaking it.
9. iat - maybe you want an id_token that was issued within a certain time frame?
10. auth_time - check if too much time has elapsed since the user authenticated. If necessary send the user back for re-authentication with the prompt=login authorization endpoint parameter.
{ "at_hash": "ae09d...897d91b",
"s_hash": "febb18...29802",
"iat": 1494702905,
"auth_time": 1494323431
}
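Steps 1 through 10 above are one procedure, so here they are carried through as one added example (not code from the slides or from any of the client libraries mentioned later). It uses only the Python standard library and shows the symmetric case: the OP signs the id_token with HS256 using the client secret, which is what "use your client secret to verify" means; the issuer, client_id, secret and sample claims are constructed values. The asymmetric case differs only in the signature step, where you would select the OP's public key by the header's kid and verify RS256/PS256/ES256 with a JOSE library. sign_hs256 exists only to mint a test token; a real client never signs id_tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; the sample claims follow the slide's JSON.
EXPECTED_ISSUER = "https://idp.example.com"
CLIENT_ID = "9bac-4ada-9c64"
CLIENT_SECRET = b"constructed-client-secret-with-at-least-128-bits-of-entropy"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def left_half_hash(value: str) -> str:
    """at_hash / s_hash for a *256 alg: base64url of the left 128 bits of SHA-256(value)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_hs256(claims: dict) -> str:
    """Test fixture only: mint an HS256 id_token the way a symmetric-key OP would."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def callback_state_ok(returned_state: str, stored_state: str) -> bool:
    """Step 1: the state echoed to the callback must equal the unguessable one we stored."""
    return hmac.compare_digest(returned_state.encode(), stored_state.encode())


def validate_id_token(id_token: str, *, sent_state: str, sent_nonce: str,
                      access_token: Optional[str] = None, now: Optional[int] = None,
                      max_iat_age: int = 600, max_auth_age: Optional[int] = None) -> dict:
    """Steps 2..10 of the slides; raises ValueError on the first failed check."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # 6. Signature first: nothing below can be trusted until this passes. Pin the alg;
    #    never let the token choose it ("none" or alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("alg not allowed for this client: %r" % header.get("alg"))
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad id_token signature")
    claims = json.loads(b64url_decode(payload_b64))
    # 2. iss
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # 3. aud may be a string or a list; our client_id must be in it
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token not addressed to this client")
    # 4. nonce
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), sent_nonce.encode()):
        raise ValueError("nonce mismatch")
    # 5. exp
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    # 7. at_hash, required when an access token came back from the authorization endpoint
    if access_token is not None and claims.get("at_hash") != left_half_hash(access_token):
        raise ValueError("at_hash does not match the access token we received")
    # 8. s_hash, when present, ties the token to our state without echoing the state
    if "s_hash" in claims and claims["s_hash"] != left_half_hash(sent_state):
        raise ValueError("s_hash mismatch")
    # 9. iat: reject tokens minted too long ago (or, allowing a little skew, in the future)
    iat = int(claims.get("iat", 0))
    if not (now - max_iat_age <= iat <= now + 60):
        raise ValueError("iat outside the acceptable window")
    # 10. auth_time: too old means the caller should redirect with prompt=login
    if max_auth_age is not None and now - int(claims.get("auth_time", 0)) > max_auth_age:
        raise ValueError("authentication too old; re-authenticate with prompt=login")
    return claims
```

Order matters: the signature is checked before any claim is read, and every comparison against a secret or nonce uses a constant-time compare.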
![Page 14: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/14.jpg)
OpenID Connect Implementer’s Guides
Basic Client:
http://openid.net/specs/openid-connect-basic-1_0.html
Implicit Client
http://openid.net/specs/openid-connect-implicit-1_0.html
![Page 15: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/15.jpg)
Advanced Client Hygiene
![Page 16: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/16.jpg)
Hybrid Flow
"response_type": "code id_token"
Returns id_token from authorization endpoint in addition to code
Adds c_hash, enables verification you got the right code.
Send code only to the token endpoint of the issuer to prevent IDP mix-up attack.
You can also request a token, but why?
Don’t ask for an access token unless you can answer that.
(And please come see me after and tell me your use case…)
![Page 17: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/17.jpg)
Request Object or Request URI
Prevents an attacker from tampering with your request parameters.
Examples of this attack are the Malicious Endpoint Attack and the IDP Confusion Attack.
Some OPs may provide a Request URI endpoint where the request can be registered (enables state and nonce to be dynamic).
![Page 18: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/18.jpg)
Distinct redirect_uri per OP
Check to make sure the response was received at the endpoint intended for this issuer.
Cross reference with the state and nonce.
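The hybrid-flow advice (verify c_hash, send the code only to the issuer's token endpoint) and the distinct-redirect_uri advice above fit together into one callback handler. The following is an added example, not code from the slides or from any OIDC library; the two OPs, their endpoints and the sample code are constructed. It assumes the id_token's signature, iss, aud and exp were already verified against the key of the OP that owns the callback endpoint, and it returns the single token endpoint the code may be redeemed at.

```python
import base64
import hashlib

# Constructed registry of the OPs this RP trusts, each with its own redirect_uri.
OPS = {
    "https://idp-a.example.com": {
        "redirect_uri": "https://rp.example.com/callback/idp-a",
        "token_endpoint": "https://idp-a.example.com/token",
    },
    "https://idp-b.example.com": {
        "redirect_uri": "https://rp.example.com/callback/idp-b",
        "token_endpoint": "https://idp-b.example.com/token",
    },
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def left_half_hash(value: str) -> str:
    """c_hash for a *256 alg: base64url of the left 128 bits of SHA-256(code)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def issuer_for_callback(received_at_uri: str) -> str:
    """Which OP is allowed to answer on this redirect_uri? Exactly one, by registration."""
    for iss, cfg in OPS.items():
        if cfg["redirect_uri"] == received_at_uri:
            return iss
    raise ValueError("response received at an unknown callback endpoint")


def token_endpoint_for_code(received_at_uri: str, received_state: str,
                            verified_claims: dict, code: str, pending: dict) -> str:
    """
    pending is what the RP stored when it built the authorization request, looked up by
    state: {"issuer": ..., "state": ..., "nonce": ...}. verified_claims are the id_token
    claims after signature/iss/aud/exp checks. Returns the only token endpoint the
    authorization code may be sent to.
    """
    expected_iss = issuer_for_callback(received_at_uri)
    # The callback endpoint, the stored request and the id_token must all name the same OP.
    if received_state != pending["state"] or pending["issuer"] != expected_iss:
        raise ValueError("request was not made to the OP that owns this callback")
    if verified_claims.get("iss") != expected_iss:
        raise ValueError("id_token issuer does not match the callback's OP (mix-up)")
    if verified_claims.get("nonce") != pending["nonce"]:
        raise ValueError("nonce mismatch")
    # c_hash binds the code to this id_token, so a swapped-in code is detected before
    # it is ever sent to a token endpoint.
    if verified_claims.get("c_hash") != left_half_hash(code):
        raise ValueError("c_hash mismatch: this code was not issued with this id_token")
    return OPS[expected_iss]["token_endpoint"]
```

The token endpoint is chosen from the registry entry for the callback's issuer, never from anything in the response, which is what closes the IDP mix-up path.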
![Page 19: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/19.jpg)
Encryption
Do you need to protect the id_token from the browser (hybrid flow)?
Will a JWT be passed to parties that you don't want to see it?
id_token_encrypted_response_alg
id_token_encrypted_response_enc
userinfo_encrypted_response_alg
userinfo_encrypted_response_enc
Do you want to protect the request from the browser?
request_object_encryption_alg
request_object_encryption_enc
![Page 20: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/20.jpg)
PKCE
Use for all public clients to prevent the Authorization Code Interception Attack
Require this if third parties use your OP from mobile apps
Use S256 (SHA-256) as the code challenge method
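Both halves of PKCE, as an added example (not code from the slides or from any of the client libraries): the public client generates a verifier and sends only its S256 challenge, and the OP rejects the plain method at the authorization endpoint and recomputes the challenge at the token endpoint. The client_id, redirect_uri, state and nonce in authorization_params are placeholders.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 3.1: 43..128 chars from [A-Za-z0-9-._~]; 32 random bytes encode to 43 chars."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))"""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(client_id: str, redirect_uri: str, verifier: str,
                         state: str, nonce: str) -> dict:
    """Client side: the challenge goes into the authorization request; the verifier
    stays on the device until the token request."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def op_accept_challenge(params: dict) -> bool:
    """OP side, authorization endpoint: require PKCE and require S256 (reject 'plain' and
    requests with no challenge at all, so a public client cannot opt out)."""
    return params.get("code_challenge_method") == "S256" and bool(params.get("code_challenge"))


def op_verify_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """OP side, token endpoint: whoever redeems the code must know the original verifier.
    An interceptor that only saw the redirect (and so only the challenge) cannot produce it."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```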
![Page 21: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/21.jpg)
Mutual TLS
Protection for the token endpoint
TLS 1.2 or later as defined in RFC 5246, following best practices from RFC 7525.
IETF Draft: "Mutual TLS Profiles for OAuth Clients"
https://tools.ietf.org/html/draft-campbell-oauth-mtls-01
![Page 22: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/22.jpg)
Token Binding to TLS
(Diagram: TLS Channel 1 and TLS Channel 2)
OAuth 2.0 Token Binding: add a SHA-256 hash of the TLS Channel ID to the id_token
![Page 23: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/23.jpg)
Specifying ACR (authn context class reference)
acr_values param can be sent in the OpenID Connect authentication request
default_acr_values can be registered for a client
Verify id_token for acceptable acr claim
RECOMMENDATION: Use FIDO U2F USB tokens to prevent MITM attacks: authentication stops if the browser and server are not directly connected!
![Page 24: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/24.jpg)
Crypto guidelines
RSA keys with a minimum of 2048 bits if using RSA cryptography
Elliptic Curve keys with a minimum of 160 bits if using Elliptic Curve cryptography
Client secret should have a minimum of 128 bits if using symmetric key cryptography
Sign with PS256 (RSASSA-PSS using SHA-256 and MGF1 with SHA-256) or ES256 (ECDSA using P-256 and SHA-256)
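These guidelines can be enforced mechanically when a client loads an OP's JWKS or when an OP accepts a client registration. The following is an added example, not code from the slides: it reads key sizes straight out of JWK fields (the RSA modulus n, the EC curve name) and flags keys or algorithms below the thresholds above. The JWKs and secret in the usage are constructed; the modulus of all 0xff bytes is a size placeholder, not a real key.

```python
import base64

# Thresholds from the slide
ALLOWED_SIGNING_ALGS = {"PS256", "ES256"}
MIN_RSA_BITS = 2048
MIN_EC_BITS = 160
MIN_CLIENT_SECRET_BITS = 128
EC_CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_key_bits(jwk: dict) -> int:
    """Effective key size: bit length of the RSA modulus, or the EC curve's field size."""
    kty = jwk.get("kty")
    if kty == "RSA":
        return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
    if kty == "EC":
        return EC_CURVE_BITS.get(jwk.get("crv"), 0)   # unknown curve counts as 0 bits
    raise ValueError("unsupported kty %r" % kty)


def jwk_problems(jwk: dict) -> list:
    """Return the guideline violations for one JWK (empty list means acceptable)."""
    problems = []
    kty = jwk.get("kty")
    bits = jwk_key_bits(jwk)
    if kty == "RSA" and bits < MIN_RSA_BITS:
        problems.append("RSA key is %d bits, minimum is %d" % (bits, MIN_RSA_BITS))
    if kty == "EC" and bits < MIN_EC_BITS:
        problems.append("EC key is %d bits, minimum is %d" % (bits, MIN_EC_BITS))
    alg = jwk.get("alg")
    if alg is not None and alg not in ALLOWED_SIGNING_ALGS:
        problems.append("alg %s not in %s" % (alg, sorted(ALLOWED_SIGNING_ALGS)))
    return problems


def client_secret_problems(secret: str) -> list:
    """Length is only an upper bound on entropy, but a secret shorter than 16 bytes
    cannot possibly carry 128 bits of it."""
    bits = len(secret.encode("utf-8")) * 8
    if bits < MIN_CLIENT_SECRET_BITS:
        return ["client secret is at most %d bits, minimum is %d" % (bits, MIN_CLIENT_SECRET_BITS)]
    return []


def jwks_problems(jwks: dict) -> dict:
    """Map kid -> problems for every key in a JWK Set that has at least one problem."""
    report = {}
    for jwk in jwks.get("keys", []):
        found = jwk_problems(jwk)
        if found:
            report[jwk.get("kid", "<no kid>")] = found
    return report
```

Run jwks_problems over the document fetched from the OP's jwks_uri and refuse to use any key it reports; the same check applies to a client's own key pair before it is registered.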
![Page 25: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/25.jpg)
Trust: how do I know the public key is authentic?
OpenID Connect Federation Draft Spec:
http://openid.net/specs/openid-connect-federation-1_0.html
Client can download the signing_keys ahead of time, or obtain them from a trusted source like a multi-party federation (check out Kantara OTTO…)
Signature enables client to detect if jwks_uri is not authentic
![Page 26: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/26.jpg)
Software statements
Restrict client registration...
“JWT that asserts metadata values about the client software as a bundle”
https://tools.ietf.org/html/rfc7591#section-2.3
Use OpenID Connect RP Metadata Statement as software statement
during registration?
Extra claims: scopes and claims
Signed by federation
![Page 27: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/27.jpg)
OIDC Client Hall of Fame
mod_auth_openidc
https://github.com/pingidentity/mod_auth_openidc
OIDC-Client-JS
https://github.com/IdentityModel/oidc-client-js
OXD (Middleware)
https://oxd.gluu.org
App Auth (iOS / Android)
https://github.com/openid
Bias Warning… This is Gluu’s client software.
![Page 28: The Client is not always right! How to secure OAuth authentication from your app.](https://reader031.fdocuments.in/reader031/viewer/2022020301/5a6537337f8b9a45388b47b3/html5/thumbnails/28.jpg)
THANK YOU!
Questions? [email protected]
Schedule a follow up: https://gluu.org/booking
Try OXD client software for free: https://oxd.gluu.org