GNAP

The future of oauth

@chalas_r

Robin Chalas

@chalas_r
chalasr
Les-Tilleuls.coop
Core Team
@chalas_r

DISCLAIMER

I'm NOT A SEcuRITY EXPERT

@chalas_r

DISCLAIMER 2

I MAY PRONOUNCE

OAUTH

INCORRECTLY

@chalas_r

REMINDER

What IS OAUTH?

@chalas_r

OAUTH?

industry-standard AUTHORIZATION protocol

for web, desktop, mobile & iOt.

@chalas_r

OAUTH WINS

  • Successful as a standard
     
  • Better than prior art
     
  • Continuously improving
@chalas_r

A BIT OF HISTORY

OAuth 1.0?

  • For browser-based clients only
     
  • Based on Flickr’s authorization API & Google’s AuthSub
     
  • Security concerns on the clients' shoulders
@chalas_r

OAUTH 1.0

Spring Security Docs
@chalas_r

A BIT OF HISTORY

OAuth 2.0?

  • Complete rewrite of OAuth 1
     
  • For anything that builds on HTTP(S)
     
  • Relies on TLS (& eventually JOSE)
@chalas_r

OAuth 2.0

Spring Security Docs
@chalas_r

OAuth 2.0

BUILT-IN Grant types

  • Resource Owner Password Credentials
  • Implicit
  • Client Credentials
  • Authorization Code
@chalas_r

OAuth 2.1

BUILT-IN Grant types

  • Resource Owner Password Credentials
  • Implicit
  • Client Credentials
  • Authorization Code + Proof Key for Code exchange (PKCE)
@chalas_r

OAuth 2.1

OTHER MAJOR CHANGES

  • No more Bearer tokens in the query string (URL)
     
  • Refresh tokens must either be one-time use or sender-constrained
     
  • Simplified "Public VS Confidential clients" concept
     
  • Identification/authentication concept is mentioned
oauth2.net/2.1
@chalas_r

WHAt's WRONG WITH OAUTH2?

@chalas_r

OAuth2 FLAWS

OVERLY Complex

28 RFC + 10 ACTIVE DRAFTS

SaaS solutions exist e.g. Keycloak

@chalas_r

OAuth2 FLAWS

AUTHENTICATION

LEFT ASIDE

🎁 You've got 10+ more specifications to read!

Welcome OpenID Connect

openid.net/developers/specs/

@chalas_r

OAuth2 FLAWS

STILL TIED TO REDIRECTS

therefore to BROWSERS

@chalas_r

OAuth2 FLAWS

proof of possession

LATE to THE GAME

Welcome Mutual-TLS & DPoP

@chalas_r

OAuth2 FLAWS

CRYPTO KEYS ROTATION

NOT COVERED

@chalas_r

OAuth2 FLAWS

PAINFUL ON MOBILE

Better with RFC8252 - OAuth 2.0 for Native Apps

@chalas_r

OAuth2 FLAWS

OLD-FASHIONED

UX/DX

@chalas_r

👋 GNAP

@chalas_r

Grant

Negotiation &

Authorization Protocol

@chalas_r

GNAP

FOR MODERN APPLICATIONS' SECURITY NEEDS

@chalas_r

FOR ANY CLIENT/PLATFORM

GNAP: KEY POINTS

@chalas_r

INTERACTIONS

AS

FIRST-CLASS CONCEPTS

GNAP: KEY POINTS

@chalas_r

NO PRE-FLIGHT DISCOVERY NEEDED

GNAP: KEY POINTS

@chalas_r

GNAP: KEY POINTS

CRYPTO Keys everywhere

+ (EXTENSIBLE) rotation MECHANISMs

@chalas_r

GNAP: KEY POINTS

Bearer TOKENS

AND MORE

@chalas_r

GNAP: KEY POINTS

Multiple Access Tokens
PER GRANT REQUEST

@chalas_r

GNAP: KEY POINTS

Built-in identity!

{
  "user": {
    "sub_ids": [ {
      "subject_type": "email",
      "email": "user@example.com"
    } ],
    "assertions": {
      "id_token": "eyj..."
    }
  }
}
@chalas_r

GNAP: KEY POINTS

BETTER DEVELOPER ERGONOMICS

@chalas_r

GNAP: OVERALL PROTOCOL SEQUENCE

datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol#section-1.1

NOT

BACKWARDS-COMPATIBLE

WITH OAUTH2

@chalas_r

OAUTH GRANT TYPES EQUIVALENTS

  • Auth Code Grant =>
    redirect interaction mode (with automatic PKCE)
     
  • Device Grant =>
    user_code interaction mode
     
  • Client Credentials Grant  =>
    Just a Grant request with no interaction
@chalas_r

RELATIONSHIP TO OTHER SPECS

  • OpenID Connect (OIDC) =>
    Identity is part of GNAP Core & Resource Server.
     
  • User-Managed Access (UMA) =>
    Same can be achieved with only GNAP Core.
     
  • Proof Of Posssesion (PoP, M-TLS & DPOP)  =>
    All tokens are key-bound by default in GNAP
@chalas_r

CURRENT STATE

WG STARTED IN OCTOBER 2020,
LED BY JUSTIN RICHER.

PROTOCOL IMPROVED A LOT SINCE THEN.

@chalas_r

It's MOSTLY Getting stable

LAST WG MEETING hAPPENED IN NOVEMBER 2022

NO PROTOCOL CHANGES.

 datatracker.ietf.org/meeting/114/materials/slides-114-gnap-protocol-slides-00

@chalas_r

NEXT STEPS?

@chalas_r

GET INVOLVED

@chalas_r

WHAT ABOUT SYMFONY?

@chalas_r

THANK YOU!

@chalas_r
@chalas_r

GNAP: The future of OAuth

By Robin Chalas

GNAP: The future of OAuth

OAuth 2 is an industry-standard for authorization that every developer probably heard about. As hinted by its name, it is the evolution of OAuth 1 and as such; it aims to address most of its known issues. But, just like OAuth 1, OAuth 2 now has a lot of known issues. Fortunately, a lot of these issues have been already fixed by extending the specification. The drawback of this is that today, in order to get OAuth2 right, one needs to read a dozen of RFCs and make sure they are relevant to the use case. This hurts developer experience as it increases the complexity of the protocol, which goes against its main focus: simplicity for client developers. Here comes GNAP (Grant Negotiation and Authorization Protocol): an in-progress effort to develop the next-generation authorization protocol by learning from the past. In this talk, we'll have a deep look into the GNAP protocol, passing by a review of the known OAuth2 flaws that it aims to fix, how it plays with authentication protocols such as Open ID Connect or WebAuthN, what is its current state and more. Delivered in English Room: The Symfony room Thursday, December 8, 2022 at 10:05 AM – 10:40 AM

  • 1,303

More from Robin Chalas