Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
The OWASP Foundation
OWASP
http://www.owasp.org
Presentation of Authentication Concepts of Open Authorization 2
Flows in OAuth 2
Timo Pagel
OWASPTimo PagelTimo Pagel
About Me
● DevSecOps Consultant● Lecturer for Security in Web Applications at
University of Applied Sciences Kiel/Wedel● Open Source / Open Knowledge Enthusiast
OWASPTimo PagelTimo Pagel
About Me
● DevSecOps Consultant● Lecturer for Security in Web Applications at
University of Applied Sciences Kiel/Wedel● Open Source / Open Knowledge Enthusiast
● OWASP Juice Shop● DevSecOps Maturity Model● OWASP Security Pins Project● Full University Module Security in Web App.● OWASP Software Assurance Maturity Model
OWASPTimo PagelTimo Pagel
Agenda
● Introduction● Flows● Conclusion
4
OWASPTimo PagelTimo Pagel
Agenda
● Introduction● Flows● Conclusion
5
OWASPTimo Pagel
Classic Username/Password
6
Username / Password
Login Successful / UnsuccessfulBlog A
OWASPTimo Pagel
Classic Username/Password
7
Username / Password
Login Successful / UnsuccessfulBlog A
Blog B
OWASPTimo Pagel
Classic Username/Password
8
Username / Password
Login Successful / UnsuccessfulBlog A
Blog B
Use
rnam
e / P
assw
ord
Logi
n S
ucce
ssfu
l /
Uns
ucce
ssfu
l
OWASPTimo Pagel
Classic Username/Password
9
Username / Password
Login Successful / UnsuccessfulBlog A
Blog B
Use
rnam
e / P
assw
ord
Logi
n S
ucce
ssfu
l /
Uns
ucce
ssfu
l
Username Role
Tux Publisher
Tuxine Writer
Username_Role
Role Permission
Publisher Write
Publisher Read
Publisher Publish
Writer Read
Writer Write
Role_Permission
OWASPTimo Pagel
Classic Username/Password
10
Username / Password
Login Successful / UnsuccessfulBlog A
Blog B
Use
rnam
e / P
assw
ord
Logi
n S
ucce
ssfu
l /
Uns
ucce
ssfu
l
Username_Role
Role_Permission
Username Role
Tux Publisher
Tuxine Writer
Role Permission
Publisher Write
Publisher Read
Publisher Publish
Writer Read
Writer Write
OWASPTimo Pagel
Classic Username/Password
11
Username / Password
Login Successful / UnsuccessfulBlog A
Blog B
Use
rnam
e / P
assw
ord
Logi
n S
ucce
ssfu
l /
Uns
ucce
ssfu
l
Username_Role
Role_Permission
Username Role
Tux Publisher
Tuxine Writer
Role Permission
Publisher Write
Publisher Read
Publisher Publish
Writer Read
Writer Write
OWASPTimo Pagel
Classic Username/Password
12
Username / Password
Login Successful / UnsuccessfulBlog A
Blog B
Use
rnam
e / P
assw
ord
Logi
n S
ucce
ssfu
l /
Uns
ucce
ssfu
l
Username_Role
Role_Permission
Username Role
Tux Publisher
Tuxine Writer
Role Permission
Publisher Write
Publisher Read
Publisher Publish
Writer Read
Writer Write
Usage of the UID/Password-Anti Pattern
OWASPTimo Pagel
How do we solve the UID-Password-Anti-Pattern?-> Tokens
13
OWASPTimo Pagel
OAuth Idea
14
Username / PasswordToken
Blog A(Client)
Blog B(Provider)
Client Permission
X… Read
Y... Write
Client_Permission
OWASPTimo Pagel
OAuth Idea
15
Username / PasswordToken
Blog A(Client)
Blog B(Provider)
Toke
n
Acc
epte
d
Token
Client Permission
X… Read
Y... Write
Client_Permission
OWASPTimo PagelTimo Pagel
Agenda
● Introduction● Flows● Conclusion
16
OWASPTimo Pagel
Client Credentials Flow
17
ResourceServer
AuthorizationServer
Client App(Server)
OWASPTimo Pagel
Client Credentials Flow
18
ResourceServer
AuthorizationServer
Client Credentials (client_id/client_secret)
Authenticate Client
Client App(Server)
Access token
Access protected resource with access tokenProtected resource response
OWASPTimo Pagel
Overview Client Credentials Flow
● No user-based AuthenticationScope/Permissions: Bound to clients
● Usage: Intranet
19
OWASPTimo Pagel
Resource Owner Password Credentials Flow
20
ResourceServer
AuthorizationServer
Client App
Resource Owner
OWASPTimo Pagel
Resource Owner Password Credentials Flow
21
ResourceServer
AuthorizationServer
Resource owner credentials
Authenticate resource owner
Client App
Access token
Authenticate client
Resource Owner
Resource owner
credentials
OWASPTimo Pagel
22
OWASPTimo Pagel
Resource Owner Password Credentials Flow
23
ResourceServer
AuthorizationServer
Resource owner credentials
Authenticate resource owner
Client App
Access token
Access protected resource with access tokenProtected resource response
Authenticate client
Resource Owner
Resource owner
credentials
Usage of the UID/Password-Anti Pattern
OWASPTimo Pagel
Resource Owner Password Credentials Flow
24
ResourceServer
AuthorizationServer
Resource owner credentials
Authenticate resource owner
Client App
Access token
Access protected resource with access tokenProtected resource response
Authenticate client
Resource Owner
Resource owner
credentials
What happens after the access token has expired?
OWASPTimo Pagel
Access token (optional refresh token)
Resource Owner Password Credentials Flow
25
ResourceServer
AuthorizationServer
Resource owner credentials
Authenticate resource owner
Client App
Access protected resource with access tokenProtected resource response
Authenticate client
Resource Owner
Resource owner
credentials
Access token (refresh token)Refresh token
OWASPTimo Pagel
OAuth2 ROPC-Specification
[...] The resource owner password credentials grant type is suitable in cases where the
resource owner has a trust relationship with the client,such as the device operating system [...]Source: RFC 6749 The OAuth 2.0 Authorization Framework - Section 4.3
26
OWASPTimo Pagel
Interpretation of OAuth ROPC-Specification
● The client and the device are completely under your control
● All other flows are not supported by the client
27
OWASPTimo Pagel
Interpretation of OAuth ROPC-Specification
● Use Case: To move legacy application into the OAuth2-Universe● Scope● Expiration of tokens● ...
28
OWASPTimo Pagel
ROPC Main Risks Overview
● UID/password anti-pattern-> client, eavesdroppers, or endpoints could eavesdrop the user id and password● Validation of the client's identity not possible● Client app might issue a not needed scope
● Token revocation nearly useless
29
OWASPTimo Pagel
Scopes
30
Action Scope
View own email profile.email:view
Modify own email profile.email:update
Delete own email profile.email:delete
OWASPTimo Pagel
31
Request profile.email:view
Single factor required
Credentials
Token (scope: profile.email:view)
ResourceServer
AuthorizationServer
Resource Owner
View profile with Token (profile.email:view)
OWASPTimo Pagel
32
Request profile.email:view
Single factor required
Credentials
Token (scope: profile.email:view)
ResourceServer
Update profile with Token (profile.email:view)
Error: Insufficient scopeRequest profile.email:update
Multiple factors required
AuthorizationServer
Resource Owner
View profile with Token (profile.email:view)
OWASPTimo Pagel
Implicit Flow
● Use Case: Browser● Client Secret: Confidentiality can not be
guaranteed
33
OWASPTimo Pagel
Implicit Flow
34
ResourceServer
AuthorizationServer
Client/Browser
Resource Owner
JavaScript
FrontendServer
OWASPTimo Pagel
Implicit Flow
35
ResourceServer
AuthorizationServer
Page with JS
Client/Browser
Open redirect URL
Resource Owner
Enter URL
JavaScript
Present Authorization UIPresent UI
Present Credentials
Present credentials
FrontendServer
(Performs Redirect)
OWASPTimo Pagel
Implicit Flow
36
ResourceServer
AuthorizationServer
Page with JS
Client/Browser
Open redirect URL
Resource Owner
Enter URL
JavaScript
(Performs Redirect)Present Authorization UI
Present UIPresent
Credentials
Present credentials
Verify credentials and create access token
Redirect to frontend server (access token in # fragment)
FrontendServer
OWASPTimo Pagel
Implicit Flow
37
ResourceServer
AuthorizationServer
Page with JS
Client/Browser
Open redirect URL
Resource Owner
Enter URL
JavaScript
(Performs Redirect)Present Authorization UI
Present UIPresent
Credentials
Present credentials
Verify credentials and create access token
Redirect to frontend server (access token in # fragment)
FrontendServer
OWASPTimo Pagel
Implicit Flow
38
ResourceServer
AuthorizationServer
Page with JS
Client/Browser
Open redirect URL
Resource Owner
Enter URL
JavaScript
(Performs Redirect)Present Authorization UI
Present UIPresent
Credentials
Present credentials
Verify credentials and create access token
Redirect to frontend server (access token in # fragment)
FrontendServer
Follow redirect URL (without access token) and get page with JS
Extract and temp. store access token
Call protected resource with access tokenReturn protected resource
OWASPTimo Pagel
Threats Implicit Flow
● Resource owners might issue a token to a malicious client (e.g. via phishing)
● Attackers might steal token via other mechanisms
Source: RFC 6749 The OAuth 2.0 Authorization Framework - Section 10.16
● Main Risk: Whom is a token issued to?
39
OWASPTimo Pagel
Further Risks/Info
● Use Case: Browser-Applications● Silent Refresh● Disadvantages: Man-in-the-Middle can fetch
tokens -> No refresh tokens
40
OWASPTimo Pagel
Authorization Code Grant
[...] the Authorization Code flow should only be used [...] where the Client Secret can be safely stored. [...]
https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
41
OWASPTimo Pagel
Authorization Code Grant Flow
42
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier
Resource Owner
Open Client (App)
Present authorization UIPresent credentials Present submitted
credentials
Validate requestPresent authorization UI
Client
Open redirect URL with client identifier
OWASPTimo Pagel
Authorization Code Grant Flow
43
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier
Resource Owner
Open Client (App)
Present authorization UIPresent credentials Present submitted
credentials
Validate requestPresent authorization UI
Client
Open redirect URL with client identifier
Authorization codeAuthorization code
Redirection URI and Authorization code
OWASPTimo Pagel
Authorization Code Grant Flow
44
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier
Resource Owner
Open Client (App)
Present authorization UIPresent credentials Present submitted
credentials
Validate requestPresent authorization UI
Client
Open redirect URL with client identifier
Authorization codeAuthorization code
Redirection URI and Authorization code
Why isn’t the access token directly issued?
OWASPTimo Pagel
Authorization Code Grant Flow
45
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier
Resource Owner
Open Client (App)
Present authorization UIPresent credentials Present submitted
credentials
Validate requestPresent authorization UI
Client
Open redirect URL with client identifier
Authorization codeAuthorization code
Redirection URI and Authorization code
Threats to URIs:● Referrer headers● Request logs● Browser history
Why isn’t the access token directly issued?
OWASPTimo Pagel
Authorization Code Grant Flow
46
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier
Resource Owner
Open Client (App)
Present authorization UIPresent credentials Present submitted
credentials
Validate requestPresent authorization UI
Client
Open redirect URL with client identifier
Authorization codeAuthorization code
Redirection URI and Authorization code
Authorization code has a very short lifetime (seconds) to make replay attacks hard
Why isn’t the access token directly issued?
OWASPTimo Pagel
Authorization Code Grant Flow
47
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier
Resource Owner
Open Client (App)
Present authorization UIPresent credentials Present submitted
credentials
Access token (optional refresh token)
Validate requestPresent authorization UI
Client
Open redirect URL with client identifier
Authorization codeAuthorization code
Redirection URI and Authorization code
Call protected resource with access tokenReturn protected resource
Refresh tokenAccess Token (optional refresh token)
OWASPTimo Pagel
Native App Flow
Mainly: Proof Key for Code Exchange - PKCE (RFC 7636)
48
OWASPTimo Pagel
Authorization Code Grant Flow: Flaws
49
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier
Resource Owner
Open Client (App)
Present authorization UIPresent credentials Present submitted
credentials
Validate requestPresent authorization UI
Open redirect URL with client identifier
Authorization code
OWASPTimo Pagel
Authorization Code Grant Flow: Flaws
50
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier
Resource Owner
Open Client (App)
Present authorization UIPresent credentials Present submitted
credentials
Access token (optional refresh token)
Validate requestPresent authorization UI
Open redirect URL with client identifier
Authorization codeAuthorization code
Redirection URI and Authorization code
Call protected resource with access tokenReturn protected resource
Refresh tokenAccess Token (optional refresh token)
OWASPTimo Pagel
RFC 8252: OAuth 2.0 for Native Apps
● External User Agent:● External browser/app● In-App browser tab
51
OWASPTimo Pagel
Authorization Code Grant Flow: Native App
52
ResourceServer
AuthorizationServer
User-Agent
Open redirect URL with client identifier & code_challange
Present submitted credentials
Validate request & store code_challengePresent authorization UI
Open redirect URL with client identifier & chall.
Authorization codeAuthorization
codeAuthorization code & code_verifyer?
Generate random code_verifyer
code_challange=sha256(code_verifyer)
Verify sha256(code_verifyer) == code_challengeDeny access
OWASPTimo Pagel
Further Security Considerations
● URI-Schema: ● Domain-Related, e.g. com.fhunii.eventmarketing● Prevent DNS-Spoofing: Use 127.0.0.1 instead of
localhost by performing redirection on localhost (Desktop)
● Defence against cross-app request forgery:● Usage of the state parameter with a random
● Embedded User Agent (Web-View):● Must open an external browser as the embedded
user agent has full access to authorization grant 53
OWASPTimo PagelTimo Pagel
Agenda
● Introduction● Flows● Conclusion
54
OWASPTimo PagelTimo Pagel
Conclusion
55
● Choose the flow based on the use case● App: Auth. Code Grant + Native Apps● Web: Implicit Flow
OWASPTimo Pagel
Implementation Flaws
Store username and generate password in the client after authentication
57
OWASPTimo Pagel
Implementation Flaws
Storing the username/password locally
58
OWASPTimo Pagel
59
OWASPTimo Pagel
60
OWASPTimo Pagel
61
OWASPTimo Pagel
Implications
● Endless Refresh?● No Caching for shared proxies with
Authentication-Header● Logout -> Invalidation of
Refresh/Access-Tokens● Monitoring of unauthorized invalid Tokens
usage attempts● No-Algo Attack
62
OWASPTimo PagelTimo Pagel
Agenda
● Introduction● Flows● Implementation Flaws● Conclusion
63
OWASPTimo PagelTimo Pagel
Conclusion
● OAuth2 is used to delegate access● Choose the right flow for your use case● OAuth2 does not prevent from thinking on your
own! -> harden endpoints/processes
64
OWASPTimo Pagel
Risk Overview
65
Flow Client (Application) Overall Risk
Resource Owner Password Credentials Flow
Browser / Mobile App Critical (with public clients)
Authorization Code Flow Confidential Client Medium-High
Implicit Flow Browser (JavaScript) Medium-High
Authorization Code Flow (PKCE) Mobile App Medium
Disclaimer: This is an overview of the first impression
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
OWASPTimo Pagel
OAuth ROPC-Specification
It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.
Source: RFC 6749 The OAuth 2.0 Authorization Framework - Section 4.3
66
OWASPTimo Pagel
Hardening Resource Owner Password Credentials Flow (not recommended) 1/2
● Harden Token Endpoint:● Do not allow cross-domain requests● Brute Force / “Token Brute Force”● Timing Attacks● Lack of security sensitive information● Throttling Policy● …
● Reduce Risk of Stolen Tokens:● TLS● Disable refresh tokens and use short lived access tokens● Reconsider lifetime of tokens
67
OWASPTimo Pagel
Hardening Resource Owner Password Credentials Flow (not recommended) 2/2
● Inform resource owners about password reuse● Limit usage to org. where client/application and
authorizing service are from the same org.● The authorization server may generally restrict
the scope of access tokens issued by this flow
68