OAuth 2.0 & Security Considerations
TRANSCRIPT
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OAuth 2.0 & Security Considerations
Vaibhav Gupta
Twitter: @VaibhavGupta_1
Blog: exploits.work
Delhi Chapter Meet – 30 July 2016
Agenda
Agenda (recursion! #GeekHumour :-P)
Problem Statement: Why OAuth?
What is OAuth?
Typical OAuth Dance
Let's talk security!
Disclaimer!
OAuth has a lot of stuff to cover and given the time constraints, I will stick to the important ones
Problem Statement: Why OAuth?
Password sharing anti-pattern
Resource owner (You!)
Client (Photo Printing Service)
Protected Resource (facebook.com)
Aim: To give the client access to the protected resource on behalf of the resource owner
What is OAuth
Authorization (not authentication!) framework
Security delegation protocol
Based on tokens
How to "get token" and how to "use token"
So you think I am understanding it!!
Typical OAuth 2.0 Dance Party!
Here are the invitees: Resource owner
Protected resource
Client
Authorization server
[Figure omitted; image from "OAuth 2 in Action"]
[Figure omitted; image from "OAuth 2 in Action"]
Let’s Talk Security!
CSRF – "state" parameter [Client Vuln]
<img src="https://photoprinting.local/callback?code=Attacker_Auth_Code">
[Figure omitted; image from "OAuth 2 in Action"]
"redirect_uri" mismatch (the authorization server must match the registered URI exactly, not by prefix) [Auth Server Vuln.]
How about stealing the auth code from the Referer header?
A lot of others!! Time constraint
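The two authorization-server-side problems on this slide, as an added example that is not from the talk: a redirect_uri check done by exact match versus by prefix, what a prefix match lets an attacker do with dot segments and look-alike hosts, and what the browser puts in the Referer header when the client's callback page still carries ?code= in its URL. The registered URI is the one from the slides; the attacker.example host, the client paths and the example code value (taken from RFC 6749 4.1.2) are illustrative.

```python
# Added example, not from the talk. Illustrates the slide 12 points:
# exact vs. prefix redirect_uri matching, and code leakage through Referer.
# Assumptions: attacker.example, the client paths and the sample code value.
import posixpath
from urllib.parse import urlsplit, parse_qs

REGISTERED = "https://photoprinting.local/callback"  # from the slide


def redirect_uri_allowed(requested, registered=REGISTERED, policy="exact"):
    """Check at /authorize. RFC 6749 3.1.2.2 says to require the complete registered URI;
    'prefix' models the weaker check that many servers shipped."""
    if policy == "exact":
        return requested == registered
    if policy == "prefix":
        return requested.startswith(registered)
    raise ValueError(f"unknown policy {policy!r}")


def landing_path(redirect_uri):
    """Path the browser actually requests after dot-segment removal (RFC 3986 5.2.4);
    this is what a prefix check forgets: '/callback/../x' is really '/x'."""
    path = urlsplit(redirect_uri).path
    return posixpath.normpath(path) if path else "/"


# Two attacker-supplied redirect_uri values that survive a prefix check.
TRAVERSAL = REGISTERED + "/../static/upload"            # assumed other page on the client
LOOKALIKE = "https://photoprinting.local.attacker.example/callback"  # attacker-controlled host


def referer_header(document_url, request_url, policy="no-referrer-when-downgrade"):
    """Referer the browser sends for a sub-resource or link from document_url.
    no-referrer-when-downgrade (the browser default in 2016) sends the full URL, query
    included, to any https destination; strict-origin-when-cross-origin (the current
    default) trims cross-origin requests to the origin."""
    doc, req = urlsplit(document_url), urlsplit(request_url)
    downgrade = doc.scheme == "https" and req.scheme == "http"
    if downgrade:
        return None
    if policy == "no-referrer-when-downgrade":
        return document_url
    if policy == "strict-origin-when-cross-origin":
        same_origin = (doc.scheme, doc.netloc) == (req.scheme, req.netloc)
        return document_url if same_origin else f"{doc.scheme}://{doc.netloc}/"
    raise ValueError(f"unknown policy {policy!r}")


def code_in_referer(referer):
    """Authorization code an attacker can read out of a Referer value, or None."""
    if not referer:
        return None
    return parse_qs(urlsplit(referer).query).get("code", [None])[0]


def referer_leak(policy):
    """The client's callback page is rendered while ?code= is still in the URL and
    embeds an image from a third party (assumed). What does that third party see?"""
    callback_page = f"{REGISTERED}?code=SplxlOBeZQQYbYS6WxSbIA"  # code value from RFC 6749 4.1.2
    third_party_img = "https://cdn.attacker.example/pixel.png"
    return code_in_referer(referer_header(callback_page, third_party_img, policy))


def client_callback_response(callback_url):
    """Client-side fix: consume the code on the server, then send the browser to a clean
    URL so no rendered page ever carries ?code= for a Referer to leak."""
    code = parse_qs(urlsplit(callback_url).query)["code"][0]
    # ... exchange `code` for a token over the back channel here ...
    return {"status": 302, "Location": "https://photoprinting.local/home", "consumed": code}


if __name__ == "__main__":
    for uri in (TRAVERSAL, LOOKALIKE):
        print(uri, "exact:", redirect_uri_allowed(uri), "prefix:",
              redirect_uri_allowed(uri, policy="prefix"), "lands on:", landing_path(uri))
    print("Referer leak, 2016 default:", referer_leak("no-referrer-when-downgrade"))
    print("Referer leak, current default:", referer_leak("strict-origin-when-cross-origin"))
```

With a prefix match the attacker chooses which page of the client receives the code (the traversal case) or whether it leaves the client at all (the look-alike host; with a host-only registration such as https://photoprinting.local, that URI matches outright). Exact matching at /authorize, plus the token endpoint's own redirect_uri comparison from RFC 6749 4.1.3, closes both. Single-use, short-lived codes limit what a Referer leak is worth, and the client's immediate redirect to a clean URL stops the leak at its source.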
References
OAuth 2.0 Spec: http://tools.ietf.org/html/rfc6749
OAuth 2.0 – Threat model: https://tools.ietf.org/html/rfc6819
Book: “OAuth 2 in Action” by Justin Richer and Antonio Sanso
Questions?