oauth 2 und openid connect securing microservices … · oauth 2.0 101 rfc 6749: the oauth 2.0 a...

SECURING MICROSERVICES WITHSECURING MICROSERVICES WITHOAUTH 2 UND OPENID CONNECTOAUTH 2 UND OPENID CONNECT

OWASP Chapter Munich 30.4.2019 Slides: https://andifalk.github.io/owasp-chapter-munich-04-2019

Demos: https://github.com/andifalk/owasp-chapter-munich-04-2019

1 . 1

https://andifalk.github.io/owasp-chapter-munich-04-2019/

https://github.com/andifalk/owasp-chapter-munich-04-2019

ANDREAS FALKANDREAS FALK

Novatec Consulting GmbH

[email protected] / @andifalk (Twitter)

https://www.novatec-gmbh.de

1 . 2

https://www.novatec-gmbh.de/

AGENDAAGENDAIntro to OAuth 2.0 & OpenID Connect 1.0

4th OAuth Security Workshop 2019

OAuth 2 & OIDC with Spring Security (Live Demo)

Discussion

1 . 3

OAUTH 2.0OAUTH 2.0101101

RFC 6749: The OAuth 2.0 Authorization FrameworkRFC 6750: OAuth 2.0 Bearer Token Usage

RFC 6819: OAuth 2.0 Threat Model and SecurityConsiderations

2 . 1

https://tools.ietf.org/html/rfc6749



WHAT IS OAUTH 2.0?WHAT IS OAUTH 2.0?OAuth 2.0 is an authorization delegation framework

2 . 2

OAUTH 2.0 MODELOAUTH 2.0 MODEL

2 . 3

OAUTH 2.0 GRANT FLOWSOAUTH 2.0 GRANT FLOWSClient Type Flow Refresh

Tokens

Confidential Authorization Code X

Public (Native) Authorization Code(PKCE)

X

Public (SPA) Implicit --

Trusted RO Password Creds X

No ResourceOwner

Client Credentials --

2 . 4

AUTHORIZATION CODE GRANT FLOWAUTHORIZATION CODE GRANT FLOW

2 . 5

AUTHORIZATION REQUESTAUTHORIZATION REQUESTGET https://authserver.example.com/authorize

?response_type=code

&client_id=abcdefg

&redirect_uri=https://client.abc.com/callback

&scope=api.read api.write

&state=xyz

2 . 6

AUTHORIZATION RESPONSEAUTHORIZATION RESPONSEHTTP/1.1 302 Found

Location: https://client.abc.com/callback

?code=ab23bhW56Xb

&state=xyz

2 . 7

TOKEN REQUEST (BASIC AUTH)TOKEN REQUEST (BASIC AUTH)Client-Id=123, Client-Secret=456, Base64(123:456)="MTIzOjQ1Ng=="

POST https://authserver.example.com/token

Content-Type: application/x-www-form-urlencoded

Authorization: Basic MTIzOjQ1Ng==

grant_type=authorization_code&code=ab23bhW56X

&redirect_uri=https://client.abc.com/callback2 . 8

TOKEN REQUEST (BODY)TOKEN REQUEST (BODY)Client-Id=123, Client-Secret=456





&client_id=123&client_secret=4562 . 9

TOKEN RESPONSETOKEN RESPONSEHTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }

2 . 10

IMPLICIT GRANT FLOWIMPLICIT GRANT FLOW

2 . 11

AUTHORIZATION REQUESTAUTHORIZATION REQUESTGET https://authserver.example.com/authorize

?response_type=token

&client_id=abcdefg



&state=xyz

2 . 12

AUTHORIZATION RESPONSEAUTHORIZATION RESPONSEHTTP/1.1 302 Found

Location: https://client.abc.com/callback

#access_token=2YotnFZFEjr1zCsicMWpAA

&token_type=bearer

&expires_in=3600


&state=xyz

2 . 13

FURTHER OAUTH 2.0 STANDARDSFURTHER OAUTH 2.0 STANDARDSRFC 7636: Proof Key for Code Exchange (“Pixy”)

RFC 7662: Token Introspection

RFC 7009: Token Revocation

2 . 14

http://tools.ietf.org/html/rfc7636



OPENID CONNECT 1.0OPENID CONNECT 1.0(OIDC)(OIDC)

101101

OpenID Connect Core 1.0

OpenID Connect Dynamic Client Registration 1.0OpenID Connect Discovery 1.0

3 . 1

https://openid.net/specs/openid-connect-core-1_0.html

https://openid.net/specs/openid-connect-registration-1_0.html

https://openid.net/specs/openid-connect-discovery-1_0.html

OPENID CONNECT 1.0 IS FOROPENID CONNECT 1.0 IS FORAUTHENTICATIONAUTHENTICATION

OAuth 2.0 is not an authentication protocol

3 . 2

https://oauth.net/articles/authentication/

OIDC MODELOIDC MODEL

3 . 3

ADDITIONS TO OAUTH 2.0ADDITIONS TO OAUTH 2.0Id Token (JWT format)

User Info Endpoint

Standard Scopes

Hybrid Grant Flow

OpenID Provider Configuration Information

3 . 4

ID TOKENID TOKENJSON WEB TOKEN (JWT)JSON WEB TOKEN (JWT)

Base 64 Encoded JSON Formatted Value of...

GET / HTTP/1.1 Host: localhost:8080 Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1N...

RFC 7519: JSON Web Token (JWT)JSON Web Token Best Current PracticesProof-of-Possession Key Semantics for JSON Web Tokens (JWTs)

3 . 5


https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp

https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession



...Header



3 . 5






...Header

...Payload



3 . 5






...Header

...Payload

...SignatureGET / HTTP/1.1 Host: localhost:8080 Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1N...


3 . 5




JSON WEB TOKEN (JWT)JSON WEB TOKEN (JWT)Header

Payload

{ typ: "JWT", alg: "RS256" }

{ iss: "https://identity.example.com", aud: "my-client-id", exp: 1495782385, nonce: "N0.46824857243233511495739124749", iat: 1495739185, at_hash: "hC1NDSB8WZ9SnjXTid175A", sub: "mysubject", auth_time: 1495739185, email: "[email protected]" }

3 . 6

ID TOKEN CLAIMSID TOKEN CLAIMSScope Required Description

iss X Issuer Identifier

sub X Subject Identifier

aud X Audience(s) of this ID Token

exp X Expiration time

iat X Time at which the JWT was issued

auth_time (X) Time of End-User authentication

nonce -- Associate a client with an ID Token

3 . 7

TOKEN VALIDATIONTOKEN VALIDATION

3 . 8

USER INFO ENDPOINTUSER INFO ENDPOINTGET /userinfo HTTP/1.1 Host: identityserver.example.com Authorization: Bearer SlAV32hkKG

HTTP/1.1 200 OK Content-Type: application/json { "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "preferred_username": "j.doe", "email": "[email protected]", "picture": "http://example.com/janedoe/me.jpg" }

3 . 9

OIDC FLOWSOIDC FLOWSAuthorization Code (w/ or w/o PKCE)ImplicitHybrid

3 . 10

OPENID CONNECT 1.0 CONFIGURATIONOPENID CONNECT 1.0 CONFIGURATIONhttps://example.com/.well-known/openid-

configuration{ "authorization_endpoint": "https://idp.example.com/auth", "grant_types_supported": [ "authorization_code", "implicit", "refresh_token" ], "issuer": "https://idp.example.com", "jwks_uri": "https://idp.example.com/keys", "token_endpoint": "https://idp.example.com/token", "userinfo_endpoint": "https://idp.example.com/userinfo", ... }

OpenID Connect Discovery 1.0

3 . 11


4TH OAUTH SECURITY WORKSHOP 20194TH OAUTH SECURITY WORKSHOP 2019

Stuttgart

https://sec.uni-stuttgart.de/events/osw20194 . 1

https://sec.uni-stuttgart.de/events/osw2019

https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-

2436ced1c9264 . 2

https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926

Lots of discussions and comments

4 . 3

OAUTH 2.0 SECURITY BEST CURRENTOAUTH 2.0 SECURITY BEST CURRENTPRACTICEPRACTICE

Torsten Lodderstedt and Daniel Fett

OAuth 2.0 Security Best Current Practice

4 . 4

https://tools.ietf.org/html/draft-ietf-oauth-security-topics

IMPLICIT FLOW ATTACKSIMPLICIT FLOW ATTACKS

Source: Torsten Lodderstedt and Daniel Fett

4 . 5

OAUTH 2.0 FOR BROWSER-BASED APPSOAUTH 2.0 FOR BROWSER-BASED APPSDavid Waite (PingFederate)

OAuth 2.0 for Browser-Based Apps

4 . 6

https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

OAUTH 2.0 FOR BROWSER-BASED APPSOAUTH 2.0 FOR BROWSER-BASED APPSContent-Security Policy

Use a unique redirect URI

NOT issue refresh tokensOAuth 2.0 for Browser-Based Apps

4 . 7

https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

OTHER KNOWN OAUTH 2.0 ATTACKSOTHER KNOWN OAUTH 2.0 ATTACKSLack of CSRF protectionAuthorization code leakage and replayAuthorization code injectionOpen Re-directorsState leakage and replayInsufficient Redirect URI matchingToo powerful access tokensMix-Up Attacks

4 . 8

OPEN REDIRECT !!OPEN REDIRECT !!

4 . 9

“OAUTH 2.1” GRANT FLOWS“OAUTH 2.1” GRANT FLOWSClient Type Flow Refresh

Tokens

Confidential Authorization Code(PKCE)

X

Public (Native) Authorization Code(PKCE)

X

Public (SPA) Authorization Code(PKCE)

--

Trusted RO Password Creds X

No ResourceOwner

Client Credentials --4 . 10

PROOF KEY FOR CODEPROOF KEY FOR CODEEXCHANGE BY OAUTH PUBLICEXCHANGE BY OAUTH PUBLIC

CLIENTS (PKCE)CLIENTS (PKCE)(“Pixy”)

Mitigates authorization code attacks

Mitigates token leakage in SPAsProof Key for Code Exchange by OAuth Public Clients

4 . 11


PKCE - AUTHORIZATION REQUESTPKCE - AUTHORIZATION REQUESTGET https://authserver.example.com/authorize

?response_type=code

&client_id=abcdefg



&state=xyz

&code_challenge=xyz...&code_challenge_method=

4 . 12

PKCE - TOKEN REQUESTPKCE - TOKEN REQUESTClient-Id=123, Client-Secret=456





&client_id=123&client_secret=456

&code_verifier=4gth4jn78k_84 . 13

STEAL TOKENS VIA XSSSTEAL TOKENS VIA XSS“XSS is Game-Over for OAuth 2” (Jim Manico)

4 . 14

OAUTH 2 ACCESS TOKEN JWT PROFILEOAUTH 2 ACCESS TOKEN JWT PROFILEVittorio Bertocci (Auth0)

JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens4 . 15

https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt

OAUTH 2 ACCESS TOKEN JWT PROFILEOAUTH 2 ACCESS TOKEN JWT PROFILERequired claims: iss, exp, aud, sub, client_id

Consider privacy restrictions for identity claims

Authorization claims according to SCIM Core(RFC7643):

GroupsEntitlementsRoles

System for Cross-domain Identity Management (SCIM)

4 . 16

https://tools.ietf.org/pdf/rfc7643.pdf

TOKEN BINDINGTOKEN BINDINGRFC8471: The Token Binding Protocol Version 1.0

RFC8472: (TLS) Extension for Token Binding ProtocolNegotiation

RFC8473: Token Binding over HTTP

OAuth 2.0 Mutual TLS Client Authentication andCertificate-Bound Access Tokens

Google - Intent to Remove: Token Binding

4 . 17




https://tools.ietf.org/html/draft-ietf-oauth-mtls

https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/OkdLUyYmY1E/w2ESAeshBgAJ

FURTHER INTERNET-DRAFTS FORFURTHER INTERNET-DRAFTS FOROAUTH 2OAUTH 2

List of OAuth 2 Internet-Dra�s (by date)

4 . 18

https://tools.ietf.org/id/draft-*-oauth-?maxhits=100&key=date&dir=desc

DEMO TIMEDEMO TIMEOAUTH 2.0 & OPENID CONNECT 1.0OAUTH 2.0 & OPENID CONNECT 1.0

WITH SPRING SECURITY 5WITH SPRING SECURITY 5

5 . 1

“LEGACY” SPRING SECURITY“LEGACY” SPRING SECURITYOAUTH 2 STACKOAUTH 2 STACK

5 . 2

“NEW” SPRING SECURITY “NEW” SPRING SECURITY OAUTH 2 STACKOAUTH 2 STACK

5 . 3

DEMO APPLICATIONDEMO APPLICATION

5 . 4

WHAT'S NEW INWHAT'S NEW INSPRING SECURITY 5.2 & 5.3SPRING SECURITY 5.2 & 5.3

5 . 5

SPRING SECURITY 5.2SPRING SECURITY 5.2

Client Support for PKCEOpenID Connect RP-Initiated LogoutSupport for OAuth 2.0 Token IntrospectionSupport for Resource Server Multi-tenancy

Spring Security 5.2.0 M2 GitHub IssuesSpring Security 5.2.0 RC1 GitHub Issues

5 . 6

https://github.com/spring-projects/spring-security/issues/6446




https://github.com/spring-projects/spring-security/milestone/132

https://github.com/spring-projects/spring-security/milestone/141

BOOK REFERENCESBOOK REFERENCES

6 . 1

Q&AQ&A

[email protected] Twitter: @andifalk

https://www.novatec-gmbh.dehttps://blog.novatec-gmbh.de

6 . 2

https://www.novatec-gmbh.de/

https://blog.novatec-gmbh.de/

ONLINE REFERENCESONLINE REFERENCES

All images used are from and are published under

All used logos are trademarks of respective companies

RFC 6749: The OAuth 2.0 Authorization FrameworkRFC 6750: OAuth 2.0 Bearer Token UsageRFC 6819: OAuth 2.0 Threat Model and Security ConsiderationsRFC 7636: Proof Key for Code Exchange (“Pixy”)OpenID Connect Core 1.0OpenID Connect Dynamic Client Registration 1.0OpenID Connect Discovery 1.0RFC 7519: JSON Web Token (JWT)JSON Web Token Best Current Practices4. OAuth Security Workshop 2019 event web pageWhy you should stop using the OAuth implicit grantOAuth 2.0 Security Best Current PracticeOAuth 2.0 for Browser-Based AppsOAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access TokensJSON Web Token (JWT) Profile for OAuth 2.0 Access TokensSpring Security

Pixabay Creative Commons CC0 license.

6 . 3





https://openid.net/specs/openid-connect-core-1_0.html

https://openid.net/specs/openid-connect-registration-1_0.html




https://sec.uni-stuttgart.de/events/osw2019

https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926

https://tools.ietf.org/html/draft-ietf-oauth-security-topics

https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-01

https://tools.ietf.org/html/draft-ietf-oauth-mtls

https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt

https://spring.io/projects/spring-security

https://pixabay.com/

http://creativecommons.org/publicdomain/zero/1.0/deed.en

oauth 2 und openid connect securing microservices … · oauth 2.0 101 rfc 6749: the oauth 2.0 a...

Documents