AUTH GONE SOUTH

César Silva

BSides Lisbon

{
  "alg": "none",
  "typ": "JWT"
}.
{
  "name": "César Silva",
  "email": "mail@apl3b.com",
  "role": "AppSec Guy",
  "twitter": "Apl3b",
  "company": "Farfetch",
  "location": "Porto"
}

OAuth 2.0 & OIDC

AuthN & AuthZ

Common Pitfalls

Scenarios

Authentication

(AuthN)

The act of confirming the truth of an attribute of a single piece of data claimed true by an entity

Factors

Knowledge (ex.: password)
Ownership (ex.: key)
Inherence (ex.: fingerprint)

Authorization

(AuthZ)

The function of specifying access rights/privileges to resources

Access Control Models

Role-based (RBAC)
Attribute-based (ABAC)

OAUTH 2.0

Open Authorization (v2)

OIDC

Open ID Connect

(Authentication)

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |
     |        |
     | Client |
     |        |
     |        |
     |        |
     |        |
     |        |
     |        |
     |        |
     +--------+

Protocol Flow

                               +---------------+
--(C)-- Authorization Grant -->| Authorization |
                               |     Server    |
<-(D)----- Access Token -------|               |
                               +---------------+

                               +---------------+
--(E)----- Access Token ------>|    Resource   |
                               |     Server    |
<-(F)--- Protected Resource ---|               |
                               +---------------+

Roles

Resource Owner
Authorization Server
Resource Server

Clients

An application making protected resource requests on behalf of the resource owner* and with its authorization.

* aka User (or Customer)

Client Types

Confidential
Public

Clients capable of maintaining the confidentiality of their credentials

Confidential Clients

Clients incapable of maintaining the confidentiality of their credentials

Public Clients

Public

Confidential

Tokens

Types

Reference
Self-Contained

identifiers for a token stored on the token service

Reference Tokens

The recipient needs to open a back-channel to the token service

protected, time-limited data structure that contains metadata and claims

Self-Contained Tokens

The recipient of a self-contained token can validate the token locally by checking the signature

Roles

Access Tokens
Refresh Tokens
Id Tokens

OAuth 2.0

OIDC

Access tokens are credentials used to access protected resources

Access Tokens

Refresh tokens are credentials used to obtain access tokens.

Refresh Tokens

Issuing a refresh token is optional at the discretion of the authorization server.

a security token that contains Claims about the Authentication of an End-User

ID Tokens

Claims

Piece of information asserted about an Entity.

Standard Claims

sb (subject identifier)
name
given_name
family_name
middle_name
nickname
preferred_username
profile
picture
website

email
email_verified
gender
birthdate
zoneinfo
locale
phone_number
phone_number_verified
address
updated_at

Scopes

Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account

The access token issued to the application will be limited to the scopes grants

Recap

Tokens
- Types
  - Reference
  - Self-Contained
- Roles
  - Access
  - Refresh
  - ID

Claims
- Pre-Defined
- Custom

Flows

Authorization Grant

A credential representing the resource owner's authorization used by the client to obtain an access token.

Implicit
Authorization Code
Client Credentials
Resource Owner Password Credentials
Device Authorization Grant

Grant Types

(grant_type)

Implicit
Authorization Code
Hybrid

Flows

(response_type)

Implicit

    
    
    
    
    
     
     
     
     +----------+
     |          |
     |  User-   |
     |  Agent   |
     |          |
     |          |
     |          |
     |          |
     |          |
     |          |
     |          |
     |          |
     |          |
     |          |
     +----------+
       | 
      (A)
       | 
       ^ 
     +---------+
     |         |
     |  Client |
     |         |
     +---------+

          Client Identifier     +---------------+
----(A)-- & Redirection URI --->|               |
                                | Authorization |
                                |     Server    |
                                |               |
                                |               |
                                +---------------+

 +----------+
 | Resource |
 |  Owner   |
 |          |
 +----------+
      ^
      |
     (B)

----(B)-- User authenticates -->

<---(C)--- Redirection URI ----<
          with Access Token     
            in Fragment

                                +---------------+
----(D)--- Redirection URI ---->|   Web-Hosted  |
          without Fragment      |     Client    |
                                |    Resource   |
                                |               |
                                +---------------+

<---(E)------- Script ---------<

(F)

 |
(G) Access Token (+ ID Token for OIDC)
 |
 v

PROS/CONS

Users credentials in a trusted Application
Tokens in the browser
Deprecated in favor of Auth Code

Authorization Code

    
    
    
    
    
     
     
     
     +----------+
     |          |
     |  User-   |
     |  Agent   |
     |          |
     |          |
     +----------+
       | 
      (A)
       | 
       ^ 
     +---------+
     |         |
     |  Client |
     |         |
     +---------+

          Client Identifier     +---------------+
----(A)-- & Redirection URI --->|               |
               (+PKCE)          | Authorization |
                                |     Server    |
                                |               |
                                |               |
                                +---------------+

 +----------+
 | Resource |
 |  Owner   |
 |          |
 +----------+
      ^
      |
     (B)

----(B)-- User authenticates -->

---(C)-- Authorization Code ---<

                                      ^ 
                                      | 
                                      | 
                                      | 
                                      | 
>---(D)-- Authorization Code ---------' 
          & Redirection URI (+PKCE*)

 | 
(C)
 | 
 v

                                             v
                                             |
                                             |
                                             |
                                             |
                                             |
                                             |
                                             |
<---(E)----- Access Token (+ ID Token)-------'
       (w/ Optional Refresh Token)

*PKCE is optional but recommended

PROS/CONS

Users Credentials in a trusted Application
No tokens in the browser
Protections agains code injection and replay attacks with PKCE

Client Credentials

     +---------+
     |         |
     |         |
     | Client  |
     |         |
     |         |
     +---------+

                                  +---------------+
                                  |               |
>--(A)- Client Authentication --->| Authorization |
                                  |     Server    |
                                  |               |
                                  |               |
                                  +---------------+

<--(B)---- Access Token ---------<

Resource Owner Password Credentials

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+
     |         |
     |         |
     | Client  |
     |         |
     |         |
     +---------+

                                  +---------------+
>--(B)---- Resource Owner ------->|               |
         Password Credentials     | Authorization |
                                  |     Server    |
                                  |               |
                                  |               |
                                  +---------------+

<--(C)---- Access Token ---------<
    (w/ Optional Refresh Token)

PROS/CONS

Users credentials in untrusted Applications
Tokens in the browser/application
Deprecated in favor of Auth Code

Device Authorization Grant

      +----------+                                +----------------+
      |          |>---(A)-- Client Identifier --->|                |
      |          |                                |                |
      |          |                                |                |
      |          |                                |                |
      |  Device  |                                |                |
      |  Client  |                                |                |
      |          |                                |                |
      |          |                                |                |
      |          |                                |                |
      |          |                                |  Authorization |
      |          |                                |     Server     |
      +----------+                                |                |
                                                  |                |
                                                  |                |
                                                  |                |
                                                  |                |
                                                  |                |
                                                  |                |
                                                  |                |
                                                  |                |
                                                  |                |
                                                  +----------------+

<---(B)-- Device Code, --------<
          User Code,            
          & Verification URI

      v
      : 
     (C) User Code & Verification URI
      :  
      v  
+----------+
| End User |
|    at    |
|  Browser |
+----------+

<---(D)-- End user reviews  --->
          authorization request

  [polling]                     
>---(E)-- Device Code --------->
          & Client Identifier

<---(F)-- Access Token --------<
   (& Optional Refresh Token)

PROS/CONS

Authentication on devices without input/browser capabilities
More reliable (no credentials inserted)

Hybrid

    
    
    
    
    
     
     
     
     +----------+
     |          |
     |  User-   |
     |  Agent   |
     |          |
     |          |
     +----------+
       | 
      (A)
       | 
       ^ 
     +---------+
     |         |
     |  Client |
     |         |
     +---------+

          Client Identifier     +---------------+
----(A)-- & Redirection URI --->|               |
                                | Authorization |
                                |     Server    |
                                |               |
                                |               |
                                +---------------+

 +----------+
 | Resource |
 |  Owner   |
 |          |
 +----------+
      ^
      |
     (B)

----(B)-- User authenticates -->

---(C)-- Authorization Code ---<
           (+ ID Token)

                                      ^ 
                                      | 
                                      | 
                                      | 
                                      | 
>---(D)-- Authorization Code ---------' 
          & Redirection URI

 | 
(C)
 | 
 v

                                             v
                                             |
                                             |
                                             |
                                             |
                                             |
                                             |
                                             |
<---(E)----- Access Token (+ ID Token)-------'
       (w/ Optional Refresh Token)

PROS/CONS

Users Credentials in a trusted Application
No access tokens in the browser
Protections agains code injection and replay attacks with PKCE
ID token in the browser, could be leaked

Recap

OAuth 2.0
- Grant Types
OIDC
- Flows

~~Implicit~~
Authorization Code
Client Credentials
~~Resource Owner~~
Device Authorization Grant
Hybrid

Pitfalls

Weak Credentials

123456

password

qwerty

secret

qazwsx!"#

Hardcoded Secrets

If Request.QueryString("key") = "██████" AndAlso Request.QueryString("key2") = "██████" Then
	unlocked.Visible = True
Else
	unlocked.Visible = False
End IF

Too Permissive Access Control

Scopes are the OAuth way of explicitly manage the power associated with an access token.

Session Fixation

(Attacker)

(Victim)

(Authorization Server)

(Application A)

(fixates session)

(attacker's session)

(sends crafted URL to AS)

(users already had account)

(goes to AS and accepts consent)

(attacker's tokens returned)

(sends tokens to application, previous account associated)

(uses account to access victim's account)

Leaked Tokens to Third-Parties

GET /code.js HTTP/1.1
Host: a.third.party
User-Agent: browser-os
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://mysite.com/reset_password?token=123456789abcdef
Connection: keep-alive

CSRF

(Authorization Server)

(Victim)

(Malicious App)

(API)

(navigates to malicious site)

(tells the browser to perform consent)

(commands AS to accept consent)

(steals victim's info)

Open-Redirect

(Attacker)

(Authorization Server)

(Victim)

(Application)

(Malicious App)

(maliciouly crafted URL)

(goes to AS and Authenticates)

(AS tells to be redirected to Malicious APP)

(expected landing)

(malicious redirect)

https://identity.provider/login?returnUrl=/connect/authorize/callback?

client_id=CLIENT

&redirect_uri=https://url.com/
&response_mode=form_post
&response_type=id_token token
&scope=openid
&state=OpenIdConnect.AuthenticationProperties=metadata
&nonce=number_used_once

https://url.com.malicious.domain/

https://url.com*

Replay Attacks

https://identity.provider/login?returnUrl=/connect/authorize/callback?

client_id=CLIENT

&redirect_uri=https://url.com/
&response_mode=form_post
&response_type=id_token token
&scope=openid
&state=metadata
&nonce=number_used_once

Improper Client Usage

Public

Confidential

client_id

client_secret

client_id

client_secret

Clickjacking

~~X-Frame-Options~~

Logged Tokens

Bearer tokens should not be passed in page URLs. If bearer tokens are passed in page URLs, attackers might be able to steal them from the browser history data, logs, or other unsecured locations.

Improper Token TTL

Token servers should issue short-lived (one hour or less) bearer tokens, particularly when issuing tokens to clients that run within a web browser or other environments where information leakage may occur.

Insecure Channels

Clients must always use TLS or equivalent transport security when making requests with bearer tokens.

Improper Token usage

If the token leaves the company infrastructure, use reference tokens to be in complete control over lifetime. If the token is used internally only, self-contained tokens are fine.

Scenarios

Single Front-End
Single Back-End
No Federation

Assumptions

(Front-End)

(Back-End)

Conclusions

Too Complicated
No benefits

Multiple Front-End with Back-Ends
Multiple APIs
May use Federation

Assumptions

(Front-End)

(Back-End)

Conclusions

Users' credentials in the same App
Keep self-contained tokens in your private infrastructure
Use short time to live

Multiple Front-Ends
No Back-Ends
Multiple APIs
May use Federation

Assumptions

(SPA)

(Mobile)

Conclusions

Go for flows that don't need client credentials
Users' credentials in the same App
Keep self-contained tokens in your private infrastructure
Use short time to live
Out of your infrastructure, use reference tokens

AUTH GONE SOUTH

OAuth 2.0 & OIDC

AuthN & AuthZ

Common Pitfalls

Scenarios

Authentication

The act of confirming the truth of an attribute of a single piece of data claimed true by an entity

Factors

Authorization

The function of specifying access rights/privileges to resources

Access Control Models

OAUTH 2.0

Open Authorization (v2)

OIDC

Open ID Connect

Protocol Flow

Roles

Clients

Client Types

Confidential Clients

Public Clients

Tokens

Types

Reference Tokens

Self-Contained Tokens

Roles

Access Tokens

Refresh Tokens

ID Tokens

Claims

Standard Claims

Scopes

Recap

Flows

Authorization Grant

Grant Types

Flows

Implicit

PROS/CONS

Authorization Code

PROS/CONS

Client Credentials

Resource Owner Password Credentials

PROS/CONS

Device Authorization Grant

PROS/CONS

Hybrid

PROS/CONS

Recap

Pitfalls

Weak Credentials

123456

password

qwerty

secret

qazwsx!"#

Hardcoded Secrets

Too Permissive Access Control

Session Fixation

Leaked Tokens to Third-Parties

CSRF

Open-Redirect

Replay Attacks

Improper Client Usage

Clickjacking

Logged Tokens

Improper Token TTL

Insecure Channels

Improper Token usage

Scenarios

Assumptions

Conclusions

Assumptions

Conclusions

Assumptions

Conclusions

?

Thank you