OAuth 2.0 Security Reinforced
- 3. The OAuth 2.0 Success Story
● Tremendous adoption since publication as RFC 6749 in 2012
● Driven by large service providers and OpenID Connect
● Key success factors: simplicity & versatility
But: Is it secure?
- 5. Implementations …
● [Li et al., 2014]
60 chinese clients, more than half
vulnerable to CSRF
● [Yang et al., 2016]
Out of 405 clients, 55% do not handle
state (CSRF protection) correctly
● [Shebab et al., 2015]
25% of OAuth clients in Alexa Top 10000
vulnerable to CSRF
● [Chen et al., 2014]
89 of 149 mobile clients vulnerable to one
or more attacks
● [Wang et al., 2013]
Vulnerabilities in Facebook PHP SDK and
other OAuth SDKs
● [Sun et al., 2012]
96 Clients, almost all vulnerable to one or
more attacks
…
plus known hacks of
- 7. Challenge 1: Implementation Flaws
● We still see many implementation flaws
● Known anti-patterns are still used
○ Insufficient redirect URI checking (code/token is redirected to attacker)
○ state parameter is not used properly to defend against CSRF
○ …
- 8. Challenge 1: Implementation Flaws
● We still see many implementation flaws
● Known anti-patterns are still used
○ Insufficient redirect URI checking (code/token is redirected to attacker)
○ state parameter is not used properly to defend against CSRF
○ …
● Technological changes bring new problems
○ E.g., URI fragment handling in browsers changed
→ Vulnerability when used with open redirectors
Open Redirector: Parameterized, unchecked redirection. E.g.:
https://client.example/anything?resume_at=https://evil.example
Redirects to https://evil.example
- 9. Challenge 2: High-Stakes Environments
New Use Cases, e.g., Open Banking, require a very high level of security
Also: eIDAS/QES (legally binding electronic signatures) and eHealth
Far beyond the scope of the original security threat model!
- 10. Challenge 3: Dynamic and Complex Setups
Originally anticipated:
One trustworthy OAuth provider,
statically configured per client
Client
Resource ServerResource Server Authorization ServerResource Server
OAuth Provider
- 11. OAuth Provider B
Challenge 3: Dynamic and Complex Setups
Client
Resource ServerResource Server
Authorization Server
Resource Server
Resource Server
OAuth Provider C
Resource Server Authorization ServerResource Server
OAuth Provider A
Resource ServerResource Server
Authorization Server
Resource Server
Dynamic relationships
Multiple AS/RS per client
Today:
Not all entities
are trustworthy!
AS
M
ix-Up
Attack!
Found through formal analysis
- 13. OAuth 2.0 Security Best Current Practice RFC
● Currently under development at the IETF
● Refined and enhanced security guidance for OAuth 2.0 implementers
● Complements existing security guidance in RFCs 6749, 6750, and 6819
● Updated, more comprehensive Threat Model
● Description of Attacks and Mitigations
● Simple and actionable recommendations
- 14. The Seven Most Important
Recommendations
in the OAuth Security BCP
- 15. User
① Do not use the OAuth Implicit Grant any longer!
GET /authorize?…
Redirect to Authorization Server
AS/RS
User authenticates & consents
Redirect to rp.com/authok#access_token=foo23&…
Use access_token (Single-Page Apps)
Access token available in web application
Send access_token (Non-SPA)
Use access_token
Threat: Access token
leakage from web
application (XSS, browser
history, proxies, operating
systems, ...) Threat: Access token replay!
Threat: Access token injection!
Client
- 16. The Implicit Grant ...
● sends powerful and potentially long-lived tokens through the browser,
● lacks features for sender-constraining access tokens,
● provides no protection against access token replay and injection, and
● provides no defense in depth against XSS, URL leaks, etc.!
Why is Implicit even in RFC6749?
No Cross-Origin Resource Sharing in 2012!
⇒ No way of (easily) using OAuth in SPAs.
⇒ Not needed in 2019!
Recommendation
“Clients SHOULD NOT use the implicit grant [...]”
“Clients SHOULD instead use the response type code
(aka authorization code grant type) [...]”
- 17. AS/RSUser
Use the Authorization Code Grant!
GET /authorize?code_challenge=sha256xyz&...
Redirect to Authorization Server
...
Redirect to rp.com/authok?code=bar42&...
POST /token, code=bar42
&code_verifier=xyz...
Use access_token
Send code
Send access_token
Mitigation: Sender-Constrained Token
E.g., access token bound to mTLS certificate.
Mitigation: Single-use Code
Double use leads to access token invalidation!
Client
Mitigation: Proof Key for Code Exchange (PKCE)
- Code only useful with code_verifier
- Code replay/injection prevented by PKCE.
- 18. Authorization Code Grant with PKCE & mTLS …
● protects against code and token replay and injection,
● supports sender-constraining of access tokens,
● provides defense in depth!
Recommendation
“Clients utilizing the authorization grant type MUST use PKCE [...]”
“Authorization servers SHOULD use TLS-based methods for sender-constrained access tokens [...]”
- 19. ② Prevent Mix-Up Attacks!
● Clients must be able to see originator of authorization response
○ Clients should use a separate redirect URI for each AS
○ Alternative: issuer in authorization response for OpenID Connect
● Clients must keep track of desired AS (“explicit tracking”)
- 20. ③ Stop Redirects Gone Wild!
● Enforce exact redirect URI matching
○ Simpler to implement on AS side
○ Adds protection layer against open redirection
● Clients MUST avoid open redirectors!
○ Use whitelisting of target URLs
○ or authenticate redirection request
- 21. ④ Prevent CSRF Attacks!
● RFC 6749 and RFC 6819 recommend use of state parameter
● Updated advice (proposed):
○ If PKCE is used, state is not needed for CSRF protection
○ state can again be used for application state
- 22. ⑤ Limit Privileges of Access Tokens!
● Sender-constraining (mTLS or HTTP Token Binding)
● Receiver-constraining (only valid for certain RS)
● Reduce scope and lifetime and use refresh tokens - defense in depth!
- 23. AS/RSUser
Refresh Tokens
...
POST /token, code=...
Use access_token¹
Send code
access_token¹ refresh_token¹
Access Token: Narrow scope and limited lifetime!
Access Token expires.
POST /token, refresh_token¹
access_token² refresh_token²
Use access_token²
Client
- 24. ⑥ Protect Refresh Tokens!
● Attractive target since refresh tokens represent overall grant
● Requirement: Protection from theft and replay
○ Client Binding and Authentication
■ Confidential clients only
○ Sender-Constrained Refresh Tokens
■ mTLS now supports this even for public clients
○ Refresh Token Rotation
■ For public clients unable to use mTLS
- 25. ⑦ Do not use the R.O.P.C.G.* any longer!
*Resource Owner Password Credentials Grant
AS/RSUser
Username/Password for AS
Username/Password for AS
Use access_token
Send access_token
● Client sees username/password of user
● Complicated or impossible to integrate 2-factor-authentication
● Stopgap solution for migrating to OAuth flows
● Grant name too long, even for Germans ;-)
Client
- 26. Summary
● OAuth 2.0 implementations often vulnerable
● Protocol needs updated security guidance
○ Protection against new attacks
○ Adaptations to evolving web environment
○ Accounting for new use cases
● New IETF OAuth Security BCP
(https://tools.ietf.org/html/draft-ietf-oauth-security-topics)
○ Addresses new and old security vulnerabilities
○ Provides actionable solutions
- 27. Q&A!
Latest Drafts & Publications
OAuth 2.0 Security BCP
https://tools.ietf.org/html/draft-ietf-oauth-security-topics
OpenID Connect 4 Identity Assurance
https://openid.net/specs/openid-connect-4-identity-assurance.html
Transaction Authorization or why we need to re-think OAuth scopes
https://cutt.ly/oauth-transaction-authorization
Cross-Browser Payment Initiation Attack
https://cutt.ly/cross-browser-payment-initation
JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
https://openid.net/specs/openid-financial-api-jarm-ID1.html
OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer
https://tools.ietf.org/html/draft-fett-oauth-dpop
Dr. Torsten Lodderstedt
CTO, yes.com
torsten@yes.com
@tlodderstedt
yes®
Talk to me about
- Details on attacks and mitigations
- The OAuth Security Workshop
- Other emerging OAuth & OpenID stuff
- Working at yes.com