Presented at
LocoMocoSec 2019,
April 17, 2019, 9:15 a.m.
(45 minutes).
OAuth is the most important framework for federated authorization on the web. It also serves as the foundation for federated authentication using OpenID Connect. While RFC6749 and RFC6819 give advice on securing OAuth deployments, many subtle and not-so-subtle ways to shoot yourself in the foot remain. One reason for this situation is that OAuth today is used in much more dynamic setups than originally anticipated. Another challenge is that OAuth today is used in high-stakes environments like financial APIs and strong identity proving.
To address these challenges, the IETF OAuth working group is working towards a new Security Best Current Practice (BCP) RFC that aims to weed out insecure implementation patterns based on lessons learned in practice and from formal security analyses of OAuth and OpenID Connect. The BCP gives concrete advice to defend against attacks discovered recently (like the AS mix-up attack) and deprecates less-secure grant types such as the Implicit Grant.
This talk will outline the challenges faced by OAuth in dynamic and high-stakes environments and go into the details of the MUSTs, MUST NOTs, and SHOULDs in the new Security BCP.
Presenters:
-
Daniel Fett
- yes.com
Daniel Fett is a security researcher and security specialist at [yes.com](http://yes.com/). Before that, he received a PhD in Computer Science from University of Stuttgart, Germany. During his research, he developed new methods to formally analyze the security of web applications and standards. He used these formal methods to find new attack vectors on OAuth, OpenID Connect, and other federated web authentication/authorization systems. His research was published at top-tier academic conferences. He teaches web security concepts since 2009 and is a co-author of the new OAuth Security Best Current Practice RFC.
Links:
Similar Presentations: