SlideShare a Scribd company logo

[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes

WSO2, profile picture
WSO2

This document summarizes OAuth 2.0 threat landscapes and best practices for mitigation. It discusses threats such as CSRF, session injection, token leakage, IDP mix-up, and token reuse/misuse. Recommended mitigations include using the state parameter, PKCE, short-lived tokens, TLS, white-listing callback URLs, scoped tokens, audience restriction, OpenID Connect, and throttling. The document provides technical details on various OAuth 2.0 flows and threats as well as references to relevant IETF draft specifications.

Technology
Related topics:
Identity and Access Management Cyber-Security
1 of 25
Downloaded 24 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
OAuth 2.0 Threat Landscapes Prabath Siriwardena (@prabath) Cloud Identity Summit, 2017.
ABOUT ME 2 ▪  The Senior Director of Security Architecture, WSO2 ▪  Authored the book Advanced API Security - and three more
OAUTH 2.0 RECAP
OAUTH 2.0 4
AUTHORIZATION CODE 5
IMPLICIT 6
CLIENT CREDENTIALS 7
RESOURCE OWNER PASSWORD 8
THREATS / MITIGATIONS / BEST PRACTICES
▪  CSRF (Cross Site Request Forgery) ○  The attacker tries to log into the target website (OAuth 2.0 client) with his account at the corresponding identity provider. ○  The attacker blocks the redirection to the target web site, and captures the authorization code. The target web site never sees the code. ○  The attacker constructs the callback URL for the target site - and lets the victim, clicks on it. ○  The victim logs into the target web site, with the account attached to the attacker - and adds credit card information. ○  The attacker too logs into the target website with his/her valid credentials and uses victim’s credit card to buy goods. 10 SESSION INJECTION THREATS
▪  Short-lived authorization code ▪  Use the state parameter as defined in the OAuth 2.0 specification. ○  Generate a random number and pass it to the authorization server along with the grant request. ○  Before redirecting to the authorization server, add the generated value of the state to the current user session. ○  Authorization server has to return back the same state value with the authorization code to the return_uri. ○  The client has to validate the state value returned from the authorization server with the value stored in the user’s current session - if mismatches - reject moving forward. 11 MITIGATIONS / BEST PRACTICES SESSION INJECTION
▪  Use Proof Key for Code Exchange (PKCE) ○  https://tools.ietf.org/html/rfc7636 12 MITIGATIONS / BEST PRACTICES SESSION INJECTION
▪  The OAuth 2.0 client app generates a random number (code_verifier) and finds the SHA256 hash of it - which is called the code_challenge ▪  Send the code_challenge along with the hashing method in the authorization grant request to the authorization server. ▪  Authorization server records the code_challenge and replies back with the code. ▪  The client sends the code_verifier along with the authorization code to the token endpoint. 13 PROOF KEY FOR CODE EXCHANGE
TOKEN LEAKAGE ▪  Attacker may attempt to eavesdrop authorization code/access token/ refresh token in transit from the authorization server to the client. ○  Malware installed in the browser (public clients) ○  Browser history (public clients / URI fragments) ○  Intercept the TLS communication between the client (confidential) and the authorization server (exploiting vulnerabilities at the TLS layer) ▪  Heartbleed ▪  Logjam ▪  Authorization Code Flow Open Redirector 14 THREATS
▪  A malicious app can register itself as a handler for the same custom scheme as of a legitimate OAuth 2.0 native app, can get hold of the authorization code. ▪  Attacker may attempt a brute force attack to crack the authorization code/access token. ▪  Attacker may attempt to steal the authorization code/access token/ refresh token stored in the authorization server. ▪  IdP Mix-Up / Malicious Endpoint 15 THREATS TOKEN LEAKAGE
▪  The OAuth 2.0 app provides multiple IdP options to login. ▪  The victim picks foo.idp from the browser - the attacker intercepts the request and change the selection to evil.idp. ▪  The client thinks it’s evil.idp and redirects the user to evil.idp. ▪  The attacker intercepts the redirection and modify the redirection to go to the foo.idp. ▪  The client gets either the code or the token (based on the grant type) and now will talk to the evil.idp to validate. ▪  The evil.idp gets hold of user’s access token or the authorization code from the foo.idp. 16 IDP MIXUP
▪  Always on TLS (use TLS 1.2 or later) ▪  Address all the TLS level vulnerabilities both at the client, authorization server and the resource server. ▪  The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence. ▪  Never store tokens in clear text - but the salted hash. ▪  Short-lived tokens. ○  LinkedIn has an expiration of 30 seconds for its authorization codes. 17 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
▪  The token expiration time would depend on the following parameters. ○  Risk associated with token leakage ○  Duration of the underlying access grant ○  Time required for an attacker to guess or produce a valid token ▪  One-time authorization code ▪  One-time access token (implicit grant type) ▪  Use PKCE (proof key for code exchange) to avoid authorization code interception attack. ○  Have S256 as the code challenge method ▪  Enforce standard SQL injection countermeasures 18 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
▪  Avoid using the same client_id/client_secret for each instance of a mobile app - rather use the Dynamic Client Registration API to generate a key pair per instance. ○  Most of the time the leakage of authorization code becomes a threat when the attacker is in hold of the client id and client secret. ▪  Restrict grant types by client. ○  Most of the authorization servers do support all core grant types. If unrestricted, leakage of client id/client secret gives the attacker the opportunity obtain an access token via client credentials grant type. 19 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
▪  Enable client authentication via a much secured manner. ○  JWT client assertions ○  TLS mutual authentication ○  Have a key of size 2048 bits or larger if RSA algorithms are used for the client authentication ○  Have a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication ▪  White-list callback URLs (redirect_uri) ○  The absolute URL or a regEx pattern 20 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
▪  IdP-Mixup ○  Use different callback URLs by IdP ○  https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01 ols.ietf.org/html/draft-ietf-oauth-mix-up-mitigaon-01 ▪  Token Binding ○  https://tools.ietf.org/html/draft-ietf-tokbind-protocol ○  https://tools.ietf.org/html/draft-ietf-tokbind-negotiation ○  https://tools.ietf.org/html/draft-ietf-tokbind-https ○  https://tools.ietf.org/html/draft-ietf-oauth-token-binding 21 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
TOKEN REUSE/MISUSE ▪  A malicious resource (an API / Microservice) could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client. ▪  An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type ○  https://target-app/callback?access_token=<access_token> ▪  A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources. 22 THREATS
▪  Use scoped access tokens. Qualify the scope name, with a namespace unique to the resource (resource server). ▪  The client obtains the access token for a given audience - by passing the audience information (representing the resource server) to the token endpoint - as per https://tools.ietf.org/id/draft-tschofenig-oauth- audience-00.html. ▪  Use OAuth for authorization not for authentication. ○  Use OpenID Connect for authentication 23 MITIGATIONS / BEST PRACTICES TOKEN REUSE/MISUSE
▪  To avoid exhausting resources at the server side, enforce throttle limits by user by application. In case an attacker wants to misuse a token - the worst he/she can do is to eat his/her own quota. 24 MITIGATIONS / BEST PRACTICES TOKEN REUSE/MISUSE
OPEN TECHNOLOGY FOR YOUR AGILE DIGITAL BUSINESS THANK YOU

More Related Content

PDF
Identity Federation Patterns with WSO2 Identity Server​
WSO2
 
PPTX
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
ForgeRock
 
PDF
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
PDF
API Security Best Practices and Guidelines
WSO2
 
PDF
WSO2 Enterprise Integrator 101
WSO2
 
PDF
42Crunch Security Audit for WSO2 API Manager 3.1
WSO2
 
PDF
The Role of IAM in Microservices
WSO2
 
PDF
Identity Hub’s Role in Social Logins
WSO2
 
Identity Federation Patterns with WSO2 Identity Server​
WSO2
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
ForgeRock
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
API Security Best Practices and Guidelines
WSO2
 
WSO2 Enterprise Integrator 101
WSO2
 
42Crunch Security Audit for WSO2 API Manager 3.1
WSO2
 
The Role of IAM in Microservices
WSO2
 
Identity Hub’s Role in Social Logins
WSO2
 

What's hot (20)

PDF
7.Trust Management
phanleson
 
PPTX
OAuth and OpenID Connect for PSD2 and Third-Party Access
Nordic APIs
 
PPTX
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
ForgeRock
 
PPTX
OpenIG Webinar: Your Swiss Army Knife for Protecting and Securing Web Apps, A...
ForgeRock
 
PPTX
WSO2 IoT Server - Product Overview
WSO2
 
PPTX
A CONTEMPLATION OF OPENIG DEEP THOUGHTS
ForgeRock
 
PDF
[WSO2Con EU 2018] Blockchain in the Business API Ecosystem - API Consumption ...
WSO2
 
PPTX
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
PDF
Pimping the ForgeRock Identity Platform for a Billion Users
ForgeRock
 
PDF
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
PDF
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
WSO2
 
PDF
Token vs Cookies (DevoxxMA 2015)
Markus Schlichting
 
PDF
Open Banking and PSD2: Are your APIs ready for external testing?
WSO2
 
PPTX
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays
 
PPTX
Webinar: Identity Wars: The Unified Platform Awakens
ForgeRock
 
PPTX
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
ForgeRock
 
PDF
Identiverse - Microservices Security
Bertrand Carlier
 
PDF
[WSO2Con EU 2018] A New Service Architecture for Effective Business Services
WSO2
 
PDF
Identity Server on Azure: A Reference Architecture
WSO2
 
PPTX
Provisioning IoT...Oh Baby You Know Meeee!
ForgeRock
 
7.Trust Management
phanleson
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
Nordic APIs
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
ForgeRock
 
OpenIG Webinar: Your Swiss Army Knife for Protecting and Securing Web Apps, A...
ForgeRock
 
WSO2 IoT Server - Product Overview
WSO2
 
A CONTEMPLATION OF OPENIG DEEP THOUGHTS
ForgeRock
 
[WSO2Con EU 2018] Blockchain in the Business API Ecosystem - API Consumption ...
WSO2
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
Pimping the ForgeRock Identity Platform for a Billion Users
ForgeRock
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
WSO2
 
Token vs Cookies (DevoxxMA 2015)
Markus Schlichting
 
Open Banking and PSD2: Are your APIs ready for external testing?
WSO2
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays
 
Webinar: Identity Wars: The Unified Platform Awakens
ForgeRock
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
ForgeRock
 
Identiverse - Microservices Security
Bertrand Carlier
 
[WSO2Con EU 2018] A New Service Architecture for Effective Business Services
WSO2
 
Identity Server on Azure: A Reference Architecture
WSO2
 
Provisioning IoT...Oh Baby You Know Meeee!
ForgeRock
 
Ad

Similar to [Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes (20)

PPTX
OAuth 2.0 Threat Landscape
Prabath Siriwardena
 
PDF
Oauth 2.0 Security Considerations for Client Applications
Kasun Dharmadasa
 
PDF
OAuth 2.0 Threat Landscapes
Priyanka Aash
 
PDF
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
PDF
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 
PPTX
Y U No OAuth?!?
Jason Robert
 
PDF
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
PDF
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes
 
PPTX
Intro to OAuth2 and OpenID Connect
LiamWadman
 
PPTX
OAuth2 and OpenID with Spring Boot
Geert Pante
 
PPTX
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
PDF
Access Management for Cloud and Mobile
ForgeRock
 
PPTX
OAuth 2
ChrisWood262
 
PPTX
O auth
Ashok Kumar N
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PPTX
WebHack #13 Web authentication essentials
昉达 王
 
PDF
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
Vladimir Bychkov
 
PDF
Full stack security
DPC Consulting Ltd
 
PPTX
OAuth 2.0
Mihir Shah
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
OAuth 2.0 Threat Landscape
Prabath Siriwardena
 
Oauth 2.0 Security Considerations for Client Applications
Kasun Dharmadasa
 
OAuth 2.0 Threat Landscapes
Priyanka Aash
 
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 
Y U No OAuth?!?
Jason Robert
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
Sirris
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes
 
Intro to OAuth2 and OpenID Connect
LiamWadman
 
OAuth2 and OpenID with Spring Boot
Geert Pante
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
Access Management for Cloud and Mobile
ForgeRock
 
OAuth 2
ChrisWood262
 
O auth
Ashok Kumar N
 
Demystifying OAuth 2.0
Karl McGuinness
 
WebHack #13 Web authentication essentials
昉达 王
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
Vladimir Bychkov
 
Full stack security
DPC Consulting Ltd
 
OAuth 2.0
Mihir Shah
 
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
Ad

More from WSO2 (20)

PDF
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
WSO2
 
PDF
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
WSO2
 
PDF
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
WSO2
 
PDF
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
WSO2
 
PDF
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
PDF
Platformless Modernization with Choreo.pdf
WSO2
 
PDF
Application Modernization with Choreo for the BFSI Sector
WSO2
 
PDF
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
PDF
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
PPTX
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
PPTX
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
PPTX
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
PPTX
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
PPTX
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
PPTX
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
PDF
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
PDF
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
PDF
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
WSO2
 
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
WSO2
 
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
WSO2
 
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
WSO2
 
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
WSO2
 
Platformless Modernization with Choreo.pdf
WSO2
 
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 

Recently uploaded (20)

PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Cloud computing and distributed systems.
kkkkkhan
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
Approach and Philosophy of On baking technology
30anthuong17
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
KodekX | Application Modernization Development
KodekX
 
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 

[Cloud Identity Summit 2017] Oauth 2.0 Threat Landscapes

  • 1. OAuth 2.0 Threat Landscapes Prabath Siriwardena (@prabath) Cloud Identity Summit, 2017.
  • 2. ABOUT ME 2 ▪  The Senior Director of Security Architecture, WSO2 ▪  Authored the book Advanced API Security - and three more
  • 9. THREATS / MITIGATIONS / BEST PRACTICES
  • 10. ▪  CSRF (Cross Site Request Forgery) ○  The attacker tries to log into the target website (OAuth 2.0 client) with his account at the corresponding identity provider. ○  The attacker blocks the redirection to the target web site, and captures the authorization code. The target web site never sees the code. ○  The attacker constructs the callback URL for the target site - and lets the victim, clicks on it. ○  The victim logs into the target web site, with the account attached to the attacker - and adds credit card information. ○  The attacker too logs into the target website with his/her valid credentials and uses victim’s credit card to buy goods. 10 SESSION INJECTION THREATS
  • 11. ▪  Short-lived authorization code ▪  Use the state parameter as defined in the OAuth 2.0 specification. ○  Generate a random number and pass it to the authorization server along with the grant request. ○  Before redirecting to the authorization server, add the generated value of the state to the current user session. ○  Authorization server has to return back the same state value with the authorization code to the return_uri. ○  The client has to validate the state value returned from the authorization server with the value stored in the user’s current session - if mismatches - reject moving forward. 11 MITIGATIONS / BEST PRACTICES SESSION INJECTION
  • 12. ▪  Use Proof Key for Code Exchange (PKCE) ○  https://tools.ietf.org/html/rfc7636 12 MITIGATIONS / BEST PRACTICES SESSION INJECTION
  • 13. ▪  The OAuth 2.0 client app generates a random number (code_verifier) and finds the SHA256 hash of it - which is called the code_challenge ▪  Send the code_challenge along with the hashing method in the authorization grant request to the authorization server. ▪  Authorization server records the code_challenge and replies back with the code. ▪  The client sends the code_verifier along with the authorization code to the token endpoint. 13 PROOF KEY FOR CODE EXCHANGE
  • 14. TOKEN LEAKAGE ▪  Attacker may attempt to eavesdrop authorization code/access token/ refresh token in transit from the authorization server to the client. ○  Malware installed in the browser (public clients) ○  Browser history (public clients / URI fragments) ○  Intercept the TLS communication between the client (confidential) and the authorization server (exploiting vulnerabilities at the TLS layer) ▪  Heartbleed ▪  Logjam ▪  Authorization Code Flow Open Redirector 14 THREATS
  • 15. ▪  A malicious app can register itself as a handler for the same custom scheme as of a legitimate OAuth 2.0 native app, can get hold of the authorization code. ▪  Attacker may attempt a brute force attack to crack the authorization code/access token. ▪  Attacker may attempt to steal the authorization code/access token/ refresh token stored in the authorization server. ▪  IdP Mix-Up / Malicious Endpoint 15 THREATS TOKEN LEAKAGE
  • 16. ▪  The OAuth 2.0 app provides multiple IdP options to login. ▪  The victim picks foo.idp from the browser - the attacker intercepts the request and change the selection to evil.idp. ▪  The client thinks it’s evil.idp and redirects the user to evil.idp. ▪  The attacker intercepts the redirection and modify the redirection to go to the foo.idp. ▪  The client gets either the code or the token (based on the grant type) and now will talk to the evil.idp to validate. ▪  The evil.idp gets hold of user’s access token or the authorization code from the foo.idp. 16 IDP MIXUP
  • 17. ▪  Always on TLS (use TLS 1.2 or later) ▪  Address all the TLS level vulnerabilities both at the client, authorization server and the resource server. ▪  The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence. ▪  Never store tokens in clear text - but the salted hash. ▪  Short-lived tokens. ○  LinkedIn has an expiration of 30 seconds for its authorization codes. 17 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
  • 18. ▪  The token expiration time would depend on the following parameters. ○  Risk associated with token leakage ○  Duration of the underlying access grant ○  Time required for an attacker to guess or produce a valid token ▪  One-time authorization code ▪  One-time access token (implicit grant type) ▪  Use PKCE (proof key for code exchange) to avoid authorization code interception attack. ○  Have S256 as the code challenge method ▪  Enforce standard SQL injection countermeasures 18 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
  • 19. ▪  Avoid using the same client_id/client_secret for each instance of a mobile app - rather use the Dynamic Client Registration API to generate a key pair per instance. ○  Most of the time the leakage of authorization code becomes a threat when the attacker is in hold of the client id and client secret. ▪  Restrict grant types by client. ○  Most of the authorization servers do support all core grant types. If unrestricted, leakage of client id/client secret gives the attacker the opportunity obtain an access token via client credentials grant type. 19 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
  • 20. ▪  Enable client authentication via a much secured manner. ○  JWT client assertions ○  TLS mutual authentication ○  Have a key of size 2048 bits or larger if RSA algorithms are used for the client authentication ○  Have a key of size 160 bits or larger if elliptic curve algorithms are used for the client authentication ▪  White-list callback URLs (redirect_uri) ○  The absolute URL or a regEx pattern 20 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
  • 21. ▪  IdP-Mixup ○  Use different callback URLs by IdP ○  https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01 ols.ietf.org/html/draft-ietf-oauth-mix-up-mitigaon-01 ▪  Token Binding ○  https://tools.ietf.org/html/draft-ietf-tokbind-protocol ○  https://tools.ietf.org/html/draft-ietf-tokbind-negotiation ○  https://tools.ietf.org/html/draft-ietf-tokbind-https ○  https://tools.ietf.org/html/draft-ietf-oauth-token-binding 21 MITIGATIONS / BEST PRACTICES TOKEN LEAKAGE
  • 22. TOKEN REUSE/MISUSE ▪  A malicious resource (an API / Microservice) could reuse an access token used to access itself by a legitimate client to access another resource, impersonating the original client. ▪  An evil web site gets an access token from a legitimate user, can reuse it at another web site (which trusts the same authorization server) with the implicit grant type ○  https://target-app/callback?access_token=<access_token> ▪  A legitimate user misuses an access token (issued under implicit grant type/SPA) to access a set of backend APIs in a way, exhausting server resources. 22 THREATS
  • 23. ▪  Use scoped access tokens. Qualify the scope name, with a namespace unique to the resource (resource server). ▪  The client obtains the access token for a given audience - by passing the audience information (representing the resource server) to the token endpoint - as per https://tools.ietf.org/id/draft-tschofenig-oauth- audience-00.html. ▪  Use OAuth for authorization not for authentication. ○  Use OpenID Connect for authentication 23 MITIGATIONS / BEST PRACTICES TOKEN REUSE/MISUSE
  • 24. ▪  To avoid exhausting resources at the server side, enforce throttle limits by user by application. In case an attacker wants to misuse a token - the worst he/she can do is to eat his/her own quota. 24 MITIGATIONS / BEST PRACTICES TOKEN REUSE/MISUSE
  • 25. OPEN TECHNOLOGY FOR YOUR AGILE DIGITAL BUSINESS THANK YOU