@JulienTopcu
beyondxscratch.com
julien.topcu@owasp.org
Julien Topçu
Tech Coach
Chapter 1: The Squatters
A small problem of revocation?
What is the revocation problem?
Rooms: Resources
Grand Budapest Hotel (Company): Resource Owner
Hotel (Building): Resource Server
Guests: Client(s)
Distribute temporary and personalized access codes
Booking Reference Number = Authorization Code
... Until then
Chapter 2: The Bar Tab Embezzlement
Dmitri (VIP): I'd like to order.
???: Give me your account number and your password at the Grand Budapest Hotel.
Here they are!
👿: Hello, it's Dmitri. I'd like to place a huge order.
Give me your account number and your password please, so I can check this is you.
Here they are!
A small imposter problem?
Stop divulging the username and password of the user
Dmitri (VIP): I'd like to order.
Do you know him? I'm transferring him to you; call me back at +33 123456789.
Give me your account number and your password please.
Here they are!
That's really him.
Step 1: Authentication
Authorization Server: authenticates and protects the End User (Dmitri); confirms the access of the End User to Robert Hits.
Step 2 (Dmitri, VIP)
What would you like? A courtesan.
I'm looking for Dmitri's order (code).
Here is the order number (authorization code) for the bakery; I'm transferring Dmitri back to you.
Authorization Server: distributes the temporary accesses (Authorization Code).
Bar Tab, Pastry: Resources
Dmitri: Resource Owner & End User
Hotel: Resource Server
Order Number: Authorization Code
Gustave: Authorization Server
Robert Hits: Client
The End User delegates the handling of Resources to a third party (the Client).
Client: consumes Resources from the Resource Server on behalf of the End User, in order to offer them a service.
Sequence diagram of the simplified flow (participants: You, the End User; the Client; the Authorization Server; the Resource Server):
1. End User to Client: Import my contacts!!!
2. Client to Authorization Server (/authorize): Does he have an account?
3. Authorization Server to End User: Who are you? End User: Here are my credentials.
4. Authorization Server to Client: You can access his Gmail (Authorization Code).
5. Client to Resource Server: Give me the contacts!!!! (Authorization Code ???)
6. Resource Server to Client: Contacts (Resources).
And then...
Chapter 3: The Scammers
Dmitri (VIP): Oh yes! It's Robert Hits.
Do you know him? Call me back at +33 1666666 👿
Give me your credentials, please.
Here they are.
Here is the order number (code).
Hello, it's Robert Hits 👿, would you like a pastry?
Reference the Clients with their contact addresses:

| Client | Contact address |
|---|---|
| Robert Hits | +33 123456789 |
| Robert Hits | +33 123456790 |

It's Robert Hits, call me back at +33 1666666 👿
I don't know this number, bye.
Phone Number: Redirect URI
Robert Hits: Client ID
Authorization Server: keeps a list of authorized Redirect URIs (exact match) per Client ID.
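How an authorization server applies that rule, as an added Python example (not code from the talk, nor from any OAuth library). The client ID, the callback URIs, the handle_authorize helper and the placeholder code value are constructed for the demo; the loose matcher is there only to show the bypass that exact matching closes.

```python
"""Exact-match redirect_uri validation per client_id.
Added example, not the talk's code. The client ID, the callback URIs and the
handle_authorize helper are constructed for this demo."""
from urllib.parse import urlsplit

# The authorization server's "contact list": every callback address a Client is
# allowed to receive codes at, registered up front and out of band.
REGISTERED_REDIRECT_URIS = {
    "robert-hits": {
        "https://pastry.example/oauth/callback",
        "https://pastry.example:8443/oauth/callback",
    },
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """True only if redirect_uri is character-for-character one of the URIs
    registered for client_id. No prefix, wildcard or same-host matching."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def redirect_uri_allowed_loosely(client_id: str, redirect_uri: str) -> bool:
    """The kind of check exact matching replaces: accept any URI whose host
    contains a registered host. Here only to show the bypass it allows."""
    host = urlsplit(redirect_uri).hostname or ""
    return any(
        (urlsplit(registered).hostname or "") in host
        for registered in REGISTERED_REDIRECT_URIS.get(client_id, set())
    )


def handle_authorize(params: dict) -> tuple:
    """Minimal /authorize decision as (status, location_or_error). On a bad
    redirect_uri the server must not redirect the browser anywhere (that would
    hand the code to the scammer); it answers with an error page instead."""
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if client_id not in REGISTERED_REDIRECT_URIS:
        return 400, "unknown client_id"
    if not redirect_uri_allowed(client_id, redirect_uri):
        return 400, "invalid redirect_uri: I don't know this number, bye"
    # Constructed placeholder code; a real server issues a fresh random one.
    return 302, redirect_uri + "?code=XXXX"
```

A look-alike host such as pastry.example.evil.example, an extra query parameter, or a path variant are all rejected by the exact matcher but accepted by the loose one; the error response deliberately never carries the code.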
Again!?
Chapter 4: The prying eyes
Sending by mail: Front Channel
Hand-delivered accesses
Here is my booking reference number (Authorization Code).
Hi Dmitri, here is your access card (Access Token), delivered by hand (Back Channel).
Booking Reference Number: Authorization Code
Card: Access Token
Mail: Front Channel
Delivered by hand: Back Channel
Sequence diagram of the Authorization Code Flow, now with the two channels:
1. End User to Client: Import my contacts!!!
2. Client to Authorization Server (/authorize): Does he have an account?
3. Authorization Server to End User: Who are you? End User: Here are my credentials.
4. Authorization Server to Client, through the End User's browser (Front Channel 🧐): You can access his Gmail. I'm changing the browser address to redirect_uri?code=Authorization Code, e.g. facebook.com?code=XXXX
5. Client to Authorization Server (Back Channel): Can I have an Access Token, then? Authorization Code + Client ID in the HTTPS payload.
6. Authorization Server to Client (Back Channel): Access Token.
7. Client to Resource Server: Give me the contacts!!!! with the Access Token (no longer the Authorization Code ???).
Implicit Flow ⛔: the Access Token itself is delivered on the Front Channel (in the browser address), exactly where the prying eyes are looking. OAuth 2.1 removes the Implicit Flow.
Chapter 5: The Spies
Make sure it is the initiator of the request who is granted access
Secret Random Number: Code Verifier
Hashing function: Code Challenge Method
Hash: Code Challenge
Sequence diagram of the Authorization Code Flow with PKCE:
1. End User to Client: Import my contacts!!!
2. Client to Authorization Server (/authorize): Does he have an account? + Code Challenge (CC) y + Code Challenge Method (CCM) f
3. Authorization Server to End User: Who are you? End User: Here are my credentials.
4. Authorization Server to Client, through the browser (Front Channel): I'm changing the browser address to redirect_uri?code=Authorization Code, e.g. facebook.com?code=XXXX
5. Client to Authorization Server (Back Channel): Can I have an Access Token, then? Authorization Code + Client ID + Code Verifier (CV) x
6. Authorization Server checks CC = CCM(CV) ???, i.e. y = f(x) ???, and only then answers with the Access Token.
7. Client to Resource Server: Give me the contacts!!!! with the Access Token.
Authorization Code Flow with PKCE: the OAuth 2.1 best practice (OAuth 2.1 requires PKCE for every client that uses the authorization code flow).
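The back-channel code exchange of Chapter 4 and the PKCE check of Chapter 5, both the Client side and the Authorization Server side, as one added Python example (not the talk's code and not an OAuth library). The AuthorizationServer class, its method names, the client ID, the redirect URI and the token string format are assumptions made for the demo; the S256 transform is the one RFC 7636 defines, and the RFC's own test vector is noted in a comment.

```python
"""Authorization Code Flow with PKCE, client side and authorization-server side.
Added example, not the talk's code nor an OAuth library. The AuthorizationServer
class, its method names, the client ID and the token string are constructed for
the demo; the S256 transform is the one RFC 7636 defines."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- Client side: the Secret Random Number x and its hash y ----
def new_code_verifier() -> str:
    """Code Verifier x: a fresh high-entropy random string, 43..128 characters."""
    return b64url(secrets.token_bytes(32))  # 32 random bytes -> 43 characters


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Code Challenge y = CCM(x). It travels on the Front Channel, so it must not
    reveal x: 'plain' (y = x) defeats the purpose and is kept only for contrast.
    RFC 7636 Appendix B vector: verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    gives S256 challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)


# ---- Authorization server side ----
class AuthorizationServer:
    def __init__(self):
        self.issued = {}  # code -> what it was bound to at /authorize time

    def authorize(self, client_id, redirect_uri, challenge, method="S256"):
        """/authorize (Front Channel): remember CC and CCM next to the code and
        hand the code back through the browser. Only S256 is accepted here."""
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        self.issued[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": challenge,
            "method": method,
        }
        return code

    def token(self, code, client_id, redirect_uri, verifier):
        """/token (Back Channel): is CC == CCM(CV)? Returns the Access Token or
        None. The code is consumed on first use, so a spy who replays it, or who
        sends it without knowing x, gets nothing."""
        grant = self.issued.pop(code, None)
        if grant is None:
            return None
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None
        actual = code_challenge(verifier, grant["method"])
        if not secrets.compare_digest(grant["challenge"], actual):
            return None
        return "access-token-for-" + client_id


def run_flow(server, client_id="robert-hits",
             redirect_uri="https://pastry.example/oauth/callback"):
    """One honest run followed by a replay of the same code.
    Returns (access_token, replay_result); IDs are constructed for the demo."""
    verifier = new_code_verifier()
    code = server.authorize(client_id, redirect_uri, code_challenge(verifier))
    token = server.token(code, client_id, redirect_uri, verifier)
    replay = server.token(code, client_id, redirect_uri, verifier)
    return token, replay
```

The verifier never leaves the Client, the challenge alone is useless to whoever watches the Front Channel, and the code dies on its first use at the token endpoint; a real server would also expire unused codes after a short time.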
Bonus: The Thief
... Oh No!
Dmitri (VIP): I'd like to order.
Do you know him? Call me back at +33 123456789.
Give me your credentials.
Here they are.
Dmitri (VIP): They would like to access your room. Do you consent to them picking up your pastry?
Of course! Here is the order number.
The card you will get in exchange will only have access to the bakery.
The Access Card is Scoped to the consents of Dmitri
Sequence diagram with consent and scope:
1. Authorization Server to End User: Who are you? End User: Here are my credentials.
2. Authorization Server to End User: Do you consent to Facebook accessing your contacts? End User: Yes!
3. Authorization Server to Client: Authorization Code.
4. Client to Authorization Server: Can I have an Access Token? Authorization Server: the Access Token with the Contact Scope.
5. Client to Resource Server: Give me the contacts, I have the Access Token!!
The Scopes only grant access to a Client (an application) on Resources. They do NOT let you grant access to an End User on some Resources.
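What that distinction looks like on the Resource Server, as an added Python example (not the talk's code). The token contents, scope names, resource identifiers and the access_decision helper are constructed for the demo: the scope check answers "may this Client do this kind of thing?", and a separate ownership check answers "is this resource really the End User's?", which no scope can widen.

```python
"""Resource-server side of the Bonus chapter: scope check next to ownership check.
Added example, not the talk's code. Token contents, scope names and resource IDs
are constructed for the demo."""

# Access tokens as the Resource Server sees them after validating them with the
# Authorization Server. 'sub' is the End User whose consent the token carries,
# 'scope' is what the Client (not the user) is allowed to do with it.
TOKENS = {
    "tok-pastry": {"sub": "dmitri", "client_id": "robert-hits",
                   "scope": {"pastry:pickup"}},
    "tok-concierge": {"sub": "dmitri", "client_id": "concierge",
                      "scope": {"pastry:pickup", "room:enter"}},
}

# The Resource Server's own authorization data: who owns which resource.
# Scopes never touch this table; a Client can only act within it.
OWNER = {"room-217": "dmitri", "room-218": "agatha", "pastry-order-42": "dmitri"}

# Which scope each action needs (the Resource Server's own mapping).
REQUIRED_SCOPE = {"pickup_pastry": "pastry:pickup", "enter_room": "room:enter"}


def access_decision(token_id: str, action: str, resource: str) -> str:
    """Two independent questions, answered in order:
    1. scope: may this Client perform this kind of action at all?
    2. ownership: does the resource belong to the End User the token stands for?
    A wider scope can change the answer to (1) but never to (2)."""
    token = TOKENS.get(token_id)
    if token is None:
        return "401 invalid_token"
    needed = REQUIRED_SCOPE.get(action)
    if needed is None:
        return "400 unknown action"
    if needed not in token["scope"]:
        return "403 insufficient_scope: needs " + needed
    if OWNER.get(resource) != token["sub"]:
        return "403 not a resource of " + token["sub"]
    return "200 ok"
```

The bakery token lets Robert Hits pick up Dmitri's pastry and nothing else; the wider concierge token opens Dmitri's room but still not Agatha's, because the scope says what the Client may do, not whose resources the user owns.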
https://oauth.net/2.1/
OAUTH 2.1 explained simply (even if you are not a developer)!
By Julien Topçu
It is very difficult today to deploy an application on the web without dealing with OAuth2. Designed to better protect users, this authorization delegation protocol has become a standard in the industry. However, haven't you cried trying to understand the concepts of OAuth2? Let's be honest, it is quite easy to get lost between the different roles and the multitude of flows of this protocol, and its complexity has discouraged more than one! Yet we can't deliver without it, so we try to set up some OAuth flow and usually... it is really painful. But don't worry, whether you have a tech profile or not, this talk will help you finally understand the intricacies of OAuth simply, including the new version 2.1, using analogies from everyday life!