Speakers: Balint Erdi (@baaz, https://balinterdi.com/) and Philippe De Ryck (@PhilippeDeRyck, https://www.websec.be)
WHO HERE FULLY UNDERSTANDS OAUTH 2.0?
OAUTH 2.0 IS A MESS
ABOUT US – BALINT ERDI
§ Balint is a total Ember enthusiast
− Regularly consults with large companies on building Ember apps
− Numerous screencasts and blog posts about Ember concepts
− Organizes workshops on various Ember topics, including authentication
− Gives another talk here at EmberConf!
− More info on https://balinterdi.com/
ABOUT US – PHILIPPE DE RYCK
§ My goal is to help you build secure web applications
− Hosted and customized in-house training
− Specialized security assessments of critical systems
− Threat landscape analysis and prioritization of security efforts
− More information and resources on https://www.websec.be
WE WILL FOCUS ON AUTHENTICATION WITH OAUTH 2.0
§ OAuth 2.0 is a very versatile framework, used for various purposes
− In this workshop, we explicitly limit the scope to authentication
− The advice given here therefore applies to authentication scenarios
WHAT YOU WILL LEARN IN THIS WORKSHOP
§ In-depth understanding of the subtleties of OAuth 2.0
− The difference between the four main OAuth 2.0 flows
− Practical advice which flow you should be using, and why
− The relation of OpenID Connect with OAuth 2.0 and authentication
OAUTH 2.0 AND AUTHENTICATION
WHAT IS OAUTH 2.0 ALL ABOUT?
Delegation
WHAT DELEGATION IS ALL ABOUT …
[Diagram: delegation. Step 5: “Show me the balance of account X”; step 6: “$ 50”.]
A PRACTICAL EXAMPLE OF DELEGATION
SO WE CAN USE THIS FOR AUTHENTICATION?
No
BUT AUTHENTICATION WITH OAUTH 2.0 SEEMS SIMPLE …
[Diagram: the naive picture of logging in with Facebook. 1 “I want to login with Facebook”; 2 “Who is this guy?”; 3 User info from Facebook (user philippe.deryck@cs.kuleuven.be); 4 “Welcome ‘PhilDR’”.]
WHY AUTHENTICATION WITH OAUTH 2.0 IS NOT SIMPLE
§ Authenticating a user is about getting verifiable user information
− But we need to know who we are getting that information for
− The authentication provider probably does not just share anybody’s information
IN PRACTICE, IT’S A BIT MORE COMPLICATED …
[Diagram: the full picture, starting with 1 “I want to login with Facebook”.]
FLOW 1: RESOURCE OWNER PASSWORD CREDENTIALS
[Diagram: Resource Owner Password Credentials flow. Participants: User Agent (resource owner), Client, Authorization Server, Resource server. Steps: 1 Login with FB, handing the credentials (user: philippe, pass: qwerty12345) to the client; 6 Hello “PhilDR”; 9 User info (philippe.deryck@cs.kuleuven.be).]
FLOW 3: AUTHORIZATION CODE
[Diagram: Authorization Code flow. Participants: Client, Authorization Server, Resource server. Steps: 3 I want to give R&R access; 5 Credentials for FB; 9 Here you go; 11 User info (philippe.deryck@cs.kuleuven.be).]
FLOW 4: CLIENT CREDENTIALS
MAKING SENSE OF OAUTH 2.0 FLOWS
§ Resource owner password credentials
− Only relevant if the client and the resource owner trust each other 100%
• E.g. when Facebook builds a Facebook client
§ Implicit Grant
− Directly exposes the access token to the frontend application
• Mainly useful for direct API access from within JavaScript
§ Authorization code
− Preferred flow to ensure the security of the access token
• The flow to use when the backend needs to access an API
§ Client credentials
− Useful when the application itself needs access to an API
WHICH FLOW CAN WE USE TO SUPPORT AUTHENTICATION?
§ In this case, the only right answer is the authorization code flow
− This flow offers the strongest security benefits
− It looks more complex than the implicit grant flow, but in practice it is not
§ This workshop will focus on the implicit grant and authorization code flow
− We will show you the differences and security benefits
− The lab sessions cover both implementation and security aspects
SUPPORTING OAUTH 2.0 IN EMBER
AUTHENTICATION IN EMBER
§ Ember Simple Auth (ESA) is a popular authentication library for Ember
− It offers abstractions for authentication and authorization
− It offers session management features to keep track of authentication state
EMBER SIMPLE AUTH CODE EXAMPLE
RUNNING OAUTH 2.0 FLOWS WITH TORII
§ Torii is another popular Ember library to integrate authentication
− It mainly focuses on complex OAuth 2.0 flows
− But also offers support for authorization and session management
§ Torii already supports numerous OAuth 2.0 flows out of the box
− Support for Google, Facebook, Github, …
− Support for both implicit grant and authorization code flows
TORII CODE EXAMPLE
INTEGRATING TORII WITH EMBER SIMPLE AUTH
§ The power of Torii is that it easily integrates with existing applications
− Existing authentication mechanisms can easily call a Torii provider
BACKEND SUPPORT FOR TORII AND ESA
§ The backend is responsible for processing the OAuth 2.0 results
− This can either be an access token or authorization code
− With this information, the backend fetches associated identity information
§ Contacting the backend can easily be done from within the authenticator
− After the OAuth 2.0 flow has completed, the result is sent to the server with AJAX
− The server returns a session token after a successful authentication
− This is the token that ESA stores in localStorage
AUTHENTICATION WITH OAUTH 2.0
Lab session
PRACTICAL INFO FOR THE LAB SESSIONS
§ You will be working on the frontend of the Rock & Roll application
− You should have cloned the repo by now
• If not, check your email for instructions, or call one of us in a minute
− We will add authentication with OAuth 2.0 by using Google, Facebook and Github
PRACTICAL INFO FOR THE LAB SESSIONS
Slides
http://bit.ly/2n9NzC5
Slack Channel
https://balinterdi.slack.com/, #emberconf17-workshop
WHAT YOU SHOULD TAKE AWAY FROM THIS LAB SESSION
§ Torii and ESA provide a clean set of abstractions for authentication
− They tie in nicely with existing concepts in your Ember application
− Do separate your session management from the OAuth 2.0 authentication
SECURITY IN OAUTH 2.0
OAUTH 2.0 FLOWS ARE ALL ABOUT ACCESS TOKENS
§ In every flow, the client gets an access token to access protected resources
− The access token is a bearer token, so whoever possesses it can use it
§ During the flows, the access tokens need to be adequately protected as well
− All traffic should happen over a secure HTTPS channel
− Exposure of the access token should be limited
− The integrity of the OAuth 2.0 flow should be ensured
NETWORK ATTACKS ARE EASIER THAN EVER TO EXECUTE
ACCESS TOKENS TRAVEL ACROSS THE NETWORK
[Diagram: implicit grant flow. Participants: Client, Authorization Server, Resource server. Steps: 3 I want to give R&R access; 5 Credentials for FB; 9 User info (philippe.deryck@cs.kuleuven.be).]
LIMITING THE EXPOSURE OF THE ACCESS TOKEN IS CRUCIAL
ACCESS TOKENS TRAVEL THROUGHOUT THE APPLICATION
[Diagram: implicit grant flow. Participants: Client, Authorization Server, Resource server. Steps: 3 I want to give R&R access; 5 Credentials for FB; 9 User info (philippe.deryck@cs.kuleuven.be).]
[Diagram: authorization code flow. Participants: Client, Authorization Server, Resource server. Steps: 3 I want to give R&R access; 5 Credentials for FB; 9 Here you go; 11 User info (philippe.deryck@cs.kuleuven.be).]
LIMITING THE EXPOSURE OF THE ACCESS TOKEN IN THE BACKEND
§ For authentication purposes, the access token can be discarded after use
− At that point, the backend has fetched the user’s identity information
− Discarding the token limits the risk of theft in a data breach
THE HIDDEN PARTS OF SETTING UP OAUTH 2.0
§ The resource owner needs to grant the client access to the resources
− This requires the registration of a client application with the resource provider
− You need to provide client information, including specific redirect URIs
− During registration, you get a client ID and a client secret
IDENTIFYING THE CLIENT IN THE IMPLICIT GRANT FLOW
[Diagram: implicit grant flow. Participants: Client, Authorization Server, Resource server. Steps: 3 I want to give R&R access; 5 Credentials for FB; 9 User info (philippe.deryck@cs.kuleuven.be).]
THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION
§ Client identification in the implicit grant flow is difficult
− The flow runs entirely in the browser, which is considered to be untrusted
− The client secret cannot be shared with the browser
THE IMPORTANCE OF PROPER CLIENT IDENTIFICATION
[Diagram: the same login flow with a bad client (attacker) involved. Participants: User Agent, Bad client (attacker), Resource server. Steps: 1 Login with FB; 2 Go to FB; 4 Please login; 6 OK, here’s a token; 7 FB token; 8 Access API; 9 User info; 10 Hello “PhilDR”; 12 Token; 13 Access API; 15 Hello “PhilDR”.]
REDIRECT URIS HELP ENSURE THE INTEGRITY OF A FLOW
[Diagram: implicit grant flow with the redirect URI. Participants: User Agent (resource owner), Client, Authorization Server, Resource server. Steps: 1 Login with FB; 2 OK, go to FB please; 3 I want to give R&R access; 4 Please login; 5 Credentials for FB; 6 OK, here’s a token; 7 Here’s the FB token; 8 I want to access the user info; 9 User info (philippe.deryck@cs.kuleuven.be); 10 Hello “PhilDR”.]
Step 2 redirects the browser to Facebook and includes the URI to redirect to in step 6, e.g. https://accounts.google.com/o/oauth2/auth?client_id=…&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Foauth2callback
The redirect URI is propagated along steps 3, 4 and 5.
REDIRECT URIS HELP ENSURE THE INTEGRITY OF A FLOW
§ A malicious redirect can result in leaking the access token
− To prevent this, the authorization server needs to verify the validity of the URI
− That’s also why you need to specify the redirect URI up front
http://example.com/login?src=http://www.example.com/secretCats
§ Make sure your backend does not have a redirect with a controllable URI
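An added example (not from the slides, Torii or any provider) of the two redirect checks this section asks for: exact matching of a registered redirect URI on the authorization server side, and a backend "return to" parameter like the ?src= one above that only ever redirects within our own site. The registered URI is the localhost one from the slides; the origin https://app.example is an assumed placeholder.

```javascript
// Added example, not from the workshop: redirect URI checks on both sides.

// Authorization-server side: the redirect_uri in the request must match a
// URI registered for this client exactly. No prefix or substring matching:
// a crafted path, query or fragment would otherwise still carry the token
// to a page the attacker controls.
function isRegisteredRedirectUri(registeredUris, requested) {
  let requestedHref;
  try {
    requestedHref = new URL(requested).href; // also rejects relative values
  } catch (e) {
    return false;
  }
  // Both sides go through the same parser, so dot segments and case in the
  // host are normalized identically before the full strings are compared.
  return registeredUris.some((uri) => new URL(uri).href === requestedHref);
}

// Backend side: a "where to go next" parameter (the ?src= pattern above)
// must never be turned into a Location header as-is. Accept only a path on
// our own origin; anything else falls back to a fixed page.
const OUR_ORIGIN = 'https://app.example'; // assumed placeholder origin

function safeLocalRedirect(src, fallback = '/') {
  if (typeof src !== 'string' || src === '') return fallback;
  // Exactly one leading slash: rejects absolute URLs (http://...),
  // protocol-relative ones (//evil.example) and backslash variants.
  if (!/^\/(?![\/\\])/.test(src)) return fallback;
  const resolved = new URL(src, OUR_ORIGIN);
  if (resolved.origin !== OUR_ORIGIN) return fallback;
  return resolved.pathname + resolved.search;
}
```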
WHY THE AUTHORIZATION CODE FLOW IS BETTER
§ By now, you probably realize that the implicit grant flow is not very secure
− There is no client authentication, only identification with a public identifier
− It requires additional effort to ensure the validity of the tokens
− Tokens pass through the browser, making them more vulnerable to exposure
IDENTIFYING THE CLIENT IN THE AUTHORIZATION CODE FLOW
[Diagram: authorization code flow. Participants: Client, Authorization Server, Resource server. Steps: 3 I want to give R&R access; 5 Credentials for FB; 9 Here you go; 11 User info (philippe.deryck@cs.kuleuven.be).]
Step 2 redirects the browser to Facebook with the client ID.
THE HIDDEN PARTS OF USING AN OAUTH 2.0 FLOW
§ An OAuth 2.0 flow starts with a redirect to the authorization server
− This first request contains parameters to set the properties of the flow
− We already covered the client ID and redirect URI, but there are more
§ These parameters have been hidden so far, because Torii took care of this
− This becomes extremely relevant if you have to write your own provider some day
SCOPE AND PERMISSIONS
§ The scope parameter allows the client to request specific permissions
− These permissions are shown to the user during authorization of the application
− The list of available permissions is specific to each provider
§ Note that the granted permissions can differ from the requested permissions
− Check the granted permissions to see if you have all you need
VIOLATING FLOW INTEGRITY THROUGH CSRF
§ Cross-Site Request Forgery allows an attacker to disrupt the OAuth 2.0 flow
− The attack stops the flow in one browser and resumes it in another browser
− This results in a successful authentication as a different user
LINKING INITIALIZATION AND FINALIZATION WITH STATE
[Diagram: the flow with a state parameter. Participants: User Agent (resource owner), Client, Authorization Server, Resource server. Steps: 1 Login with FB; 2 OK, go to FB please; 3 I want to give R&R access; 4 Please login; 5 Credentials for FB; 6 OK, here’s a token; 7 Here’s the FB token; 8 I want to access the user info; 9 User info (philippe.deryck@cs.kuleuven.be); 10 Hello “PhilDR”.]
In step 2, the client includes a random state parameter in the URI.
The state parameter is propagated through steps 3, 4, 5, 6 and 7.
In step 7, the client compares the state parameter with the stored value.
VIOLATING FLOW INTEGRITY THROUGH CSRF
[Diagram: the CSRF attack on the flow. Participants: User Agent (resource owner), Authorization Server. Steps: 1 Login with FB; 3 Authorize R&R; 4 Please login; 5 Credentials; 6 Token; 7 Here’s the FB token; 8 I want to access the user info; 10 Hello “Balint”.]
The state in step 7 does not match any stored state.
SECURING OAUTH 2.0 FLOWS
Lab session
PRACTICAL INFO FOR THE LAB SESSIONS
§ For this lab session, we need a working implementation of OAuth 2.0 flows
− You can continue on your own implementation
− Alternatively, you can check out the facebook-authentication-code branch
PRACTICAL INFO FOR THE LAB SESSIONS
Guides for the lab sessions
http://bit.ly/2nEAdRj
Slides
http://bit.ly/2n9NzC5
Token Inspector
http://bit.ly/2nsybU7
OAUTH 2.0 AND OPENID CONNECT
AUTHENTICATION WITH OAUTH 2.0 IS MESSY
§ Fetching user information with OAuth 2.0 highly depends on the provider
− Every provider has different endpoints for all kinds of data
− Some providers have custom settings (e.g. the email address on Github)
§ Things become even worse when you need to rely on third party services
− In this workshop, we had our own independent session management
− This is not always the case, and propagating that info across the backend is difficult
OPENID CONNECT TO THE RESCUE
§ OpenID Connect (OIDC) aims to solve these issues
− A standardized way to exchange identity information between services
− Heavily based on JSON Web Tokens (JWT)
§ OIDC still uses the OAuth 2.0 flows we covered here today
− First, the client uses an authorization code flow to get an authorization code
− Next, the authorization code is exchanged for an identity token
FLOW 3: AUTHORIZATION CODE
[Diagram: authorization code flow, as before. Participants: Client, Authorization Server, Resource server. Steps: 3 I want to give R&R access; 5 Credentials for FB; 9 Here you go; 11 User info (philippe.deryck@cs.kuleuven.be).]
OPENID CONNECT WITH THE AUTHORIZATION CODE FLOW
[Diagram: OpenID Connect with the authorization code flow. Steps shown: 3 I want to give R&R access; 5 Credentials for Google.]
A JWT IS A BASE64-ENCODED DATA OBJECT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaXN0cmluZXQuY3Mua3VsZXV2ZW4uYmUiLCJleHAiOjI0MjUwNzgwMDAwMDAsIm5hbWUiOiJwaGlsaXBwZSIsImFkbWluIjp0cnVlfQ.dIi1OguZ7K3ADFnPOsmX2nEpF2Asq89g7GTuyQuN3so
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "iss": "distrinet.cs.kuleuven.be", "exp": 1425078000000, "name": "philippe", "admin": true }
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "secret")
(Source: http://jwt.io/)
THE DETAILS BEHIND AN OPENID CONNECT FLOW
§ The scope of the OAuth 2.0 flow should be openid
− This tells the provider that the goal is to get an identity token
− Additional scopes can be added alongside openid (e.g. email, …)
OPENID CONNECT WITH THE AUTHORIZATION CODE FLOW
[Diagram: OpenID Connect with the authorization code flow. Participants: User Agent (resource owner), Client, Authorization Server. Steps: 3 I want to give R&R access; 4 Please login; 5 Credentials for Google; 6 OK, here’s an authorization code.]
In step 2, the scope should be openid, but it can also include others (e.g. openid email).
§ Claims returned by an OIDC service use the JSON Web Token (JWT) format
− A standardized JSON format which supports integrity validation through signatures
SUPPORTING OPENID CONNECT IN TORII
§ By default, Torii does not come with providers for OIDC
− Only OAuth 2.0 implicit grant and authorization code flows are supported
− However, implementing support can be done with a custom provider
WRAPPING THINGS UP
AUTHENTICATION WITH OAUTH 2.0
§ We have covered how to use OAuth 2.0 flows for authentication
− There is a lot more to OAuth 2.0 that we have not covered
− When you need to continuously access APIs, things become even more tricky
IMPLEMENTING OAUTH 2.0 FLOWS IN EMBER
§ Torii and ESA are a winning combination
− They integrate nicely into your Ember application
− Torii handles the OAuth 2.0 flows, and ESA handles the session management
SECURITY BEST PRACTICES
§ Use the authorization code flow
− By now you should know why
− Run it over HTTPS, no excuses
§ Take care of the little details when implementing an OAuth 2.0 flow
− Verify all data coming from the client before using it
− Limit the scope to what you need
NOW IT’S UP TO YOU …