@JulienTopcu

beyondxscratch.com

julien.topcu@owasp.org

Julien Topçu

Tech Coach

@JulienTopcu

Chapter 1: The Squatters

@JulienTopcu

@JulienTopcu

A small problem of revocation?

@JulienTopcu

What is the revocation problem?

@JulienTopcu

@JulienTopcu

Rooms: Resources

Grand Budapest Hotel (Company): Resource Owner

Hotel (Building): Resource Server

Guests: Client(s)

 

@JulienTopcu

Distribute temporary and personalized access codes

@JulienTopcu

Booking Reference Number

@JulienTopcu

Booking Reference Number

=

Authorization Code

@JulienTopcu

... Until then

Chapter 2: The Bar Tab Embezzlement

@JulienTopcu

@JulienTopcu

Dmitri (VIP)

???

I'd like to order

Give me your account number

and your password
at the Grand Budapest Hotel

 

here they are!

@JulienTopcu

👿

Hello, that's Dmitri

I'd like to place a huge order

Give me your account number
and your password please,

so I can check this is you

Here they are!

@JulienTopcu

👿

@JulienTopcu

A small imposter problem?

@JulienTopcu

Stop divulging the username and password of the user

Dmitri (VIP)

I'd like to order

Do you know him ?

I'm transfering him to you and
call me back at

+33 123456789
 

Give me your account number
and your password please

Here they are!

That's really him

Authentication

1

@JulienTopcu

Authorization Server

Authenticates and Protects the End User (Dmitri)

Confirms the access of the End User to Robert Hits

 

@JulienTopcu

Dmitri (VIP)

I'd like to order

Do you know him ?

I'm transfering him to you and
call me back at

+33 123456789
 

Give me your account number
and your password please

Here they are!

That's really him

1

@JulienTopcu

Dmitri (VIP)

2

What would you like ?

A courtesan

I'm looking for Dmitri's order (code)

Here is the order number
(
authorization code)

for the bakery,
I'm transfering back
Dmitri to you

@JulienTopcu

Authorization Server

Distributes the temporary accesses

(Authorization Code)

 

@JulienTopcu

Bar Tab, Pastry: Resources

Dmitri: Resource Owner & End User

Hotel: Resource Server

Order Number: Authorization Code

Gustave: Authorization Server

Robert Hits: Client

@JulienTopcu

End User delegates the handling of

Resources to a third party (Client)

@JulienTopcu

Client of Resources

from the Resource Server

on behalf of the End User

to offer him a service

@JulienTopcu

@JulienTopcu

You

End User

Resource Server

Client

Import my contacts!!!

Does he have an account ?

/authorize

Who are you?

Authorization Server

Here are my credentials

Give me the contacts !!!!

Authorization Code ???

You can access his Gmail

Authorization Code

Contacts

Resources

@JulienTopcu

And then...

Chapter 3:

The Scammers

Dmitri (VIP)

Oh yes!

It's Robert Hits

Do you know  him?

call me back at +33 1666666 👿

 

Give me your credentials, please

 

Here they are

Here is the order number

(code)

@JulienTopcu

Hello, it's Robert Hits 👿,
Would you like a pastry?

@JulienTopcu

Reference the Clients with their contact addresses

Robert Hits +33 123456789
Robert Hits +33 123456790

It's Robert Hits

Call me back at +33 1666666 👿

 

I don't know this number, bye

@JulienTopcu

Phone Number: Redirect URI

Robert Hits: Client ID

@JulienTopcu

Authorization Server

Keeps a list of authorized Redirect URI 
(exact match) per
Client ID

 

@JulienTopcu

You

End User

Resource Server

Client

Import my contacts!!!

Does he have an account ?

/authorize

Who are you?

Authorization Server

Here are my credentials

Give me the contacts !!!!

Authorization Code ???

You can access his Gmail

Authorization Code

@JulienTopcu

@JulienTopcu

@JulienTopcu

Again !?

Chapter 4: The prying eyes

@JulienTopcu

Sending by mail: Front Channel

@JulienTopcu

@JulienTopcu

Hand-delivered accesses

@JulienTopcu

@JulienTopcu

Here is my booking reference number

Hi Dmitri,

Here is your access card

Delivered by hand

Authorization Code

Access Token

Back Channel

@JulienTopcu

Booking Reference Number: Authorization Code

Card: Access Token

Mail: Front Channel

Delivered by hand: Back Channel

@JulienTopcu

You

End User

Resource Server

Client

Import my contacts!!!

Does he have an account ?

/authorize

Who are you?

Authorization Server

Here are my credentials

Give me the contacts !!!!

Authorization Code ???

You can access his Gmail

Authorization Code

Resource Server

Client

Authorization Server

I'm changing the browser address to redirect_uri?code =Authorization Code

facebook.com?code=XXXX

Front Channel 🧐

Can I have an Access Token, then?

Authorization Code + Client ID in the HTTPS payload

Back Channel

Give me the contacts!!!!

Access Token

Access Token

Implicit Flow

@JulienTopcu

Implicit Flow

@JulienTopcu

Chapter 5: The Spies

@JulienTopcu

@JulienTopcu

Make sure it is the initiator of the request who is granted access

@JulienTopcu

@JulienTopcu

f(x)=y

Hashing function

Code Challenge Method

Hash

Code Challenge

Secret Random Number
Code Verifier

You

End User

Resource Server

Client

Import my contacts!!!

Does he have an account ?

/authorize

Who are you?

Authorization Server

Here are my credentials

Code Challenge (CC) y

Code Challenge Method (CCM) f

Resource Server

Client

Authorization Server

I'm changing the browser address to redirect_uri?code =Authorization Code

facebook.com?code=XXXX

Back Channel

Give me the contacts!!!!

Access Token

Access Token

CC = CCM(CV) ???
y = f(x) ???

Can I have an Access Token, then?

Authorization Code + Client ID + Code Verifier (CV)

x

@JulienTopcu

Authorization Code Flow

with PKCE

OAUTH 2.1 best practice

Bonus: The Thief

... Oh No !

@JulienTopcu

@JulienTopcu

@JulienTopcu

Dmitri (VIP)

I'd like to order

Do you know him?

Call me back at

+33 123456789
 

Give me your credentials

Here they are

@JulienTopcu

Dmitri (VIP)

They would like to access your room.

Do you consent them to pick up your pastry?

Of Cource

Here is the Order Number

The card you will have in exchange

will only have access to the bakery

@JulienTopcu

The Access Card is Scoped to the consents of Dmitri

@JulienTopcu

You

End User

Resource Server

Client

Who are you?

Authorization Server

Here are my credentials

Do you consent Facebook to access your contacts?

Yes !

Authorization Code

Can I have an Access Token ?

The  Access Token with the Contact Scope

Give me the contacts, I have the Access Token!!

@JulienTopcu

The Scopes only grant access to a 
Client (an application) on Resources

They do NOT let you grant access to

an End User on some Resources

@JulienTopcu

@JulienTopcu

https://oauth.net/2.1/

OAUTH 2.1 explained simply (even if you are not a developer) !

By Julien Topçu

OAUTH 2.1 explained simply (even if you are not a developer) !

It is very difficult today to deploy an application on the web without dealing with OAuth2. Designed to better protect users, this authorization delegation protocol has become a standard in the industry. However, haven't you cried trying to understand the concepts of OAuth2? Let's be honest, this is quite easy to get lost between the different roles and the multitude of flows of this protocol. And its complexity has discouraged more than one! However we can't deliver without it, so we try to setup some OAuth flow and usually... this is really painful. But don't worry, whether you have a tech profile or not, this talk will help you to finally understand the intricacies of OAuth simply, including the new version 2.1, using analogies from everyday life!

  • 734