55°F

Aaron Parecki

#oauth2

  • Changes in iOS 9.0 (developer.apple.com)
    SFSafariViewController can be used to display web content within your app. It shares cookies and other website data with Safari, and has many of Safari's great features, such as Safari AutoFill and Safari Reader. Unlike Safari itself, the SFSafariViewController UI is tailored for displaying a single page, featuring a Done button that takes users back to where they were in your app.
    #oauth #oauth2 #ios #ios9
  • Into the symmetry: Open redirect in rfc6749 aka 'The OAuth 2.0 Authorization Framework' (intothesymmetry.blogspot.ch)
    #oauth2 #security
  • Janrain: User management platform for the social web (rpxnow.com)

    OAuth provider guide

    #oauth #oauth2

  • So you implemented an OAuth 2.0 API...

    Thu, Jan 15, 2015 12:15pm -08:00

    While OAuth 2.0 is a good framework for building an API, the spec itself leaves many things un-specified, and it's up to the implementer to make a decision based on their own security requirements. As such, most OAuth 2.0 implementations are not interoperable, which is often cited as a failure of OAuth 2.0. On the other hand, the current state of OAuth 2.0 implementations is that they are often similar enough that developers don't need to learn too many new concepts when dealing with them.

    This post documents all the ways in which OAuth 2.0 implementations may differ. All implementations of OAuth 2.0 have made decisions about these things (whether intentional or not), otherwise they are incomplete implementations.

    Every place in the spec that mentions things are a "MUST" are assumed to be implemented correctly. In other words, this does not ask you to verify that you implemented required parts of the framework correctly.

    Client Registration (Section 2)

    How do developers register a new client application?

    • on a web page (link to registration page)
    • programmatically (link to docs)
    • other (please describe)

    Aside from the client type and redirect URIs, what information is required or requested when registering an application?

    • application name
    • web page
    • description
    • logo image
    • acceptance of legal terms
    • other info:

    Client ID (Section 2.2)

    Clients should avoid making assumptions about the length of the client ID.

    What is the maximum string length of client IDs issued?

    Client Authentication (Section 2.3)

    What form of client authentication is supported?

    • Client ID and secret (this is the most common)
    • Public/private key pair
    • Other

    Client Password (Section 2.3.1)

    If clients are issued a client_secret, which authentication mechanisms are supported for client identification:

    • HTTP Authorization header (HTTP Basic Auth)
    • POST body parameters, client_id and client_secret (not recommended)

    Other Client Authentication Methods (Section 2.3.2)

    If clients are not issued a client_secret, describe any other HTTP authentication schemes used to authenticate clients:

    Protocol Endpoints (Section 3)

    Please specify the authorization endpoint and token endpoints. (note: this is only required here if your endpoints are specified in your documentation)

    • Authorization endpoint:
    • Token endpoint:

    How do clients obtain the location of the authorization and token endpoints? The most common way is to specify them in the API documentation, although an automatic discovery method may be used instead.

    • API Documentation
    • Other method:

    Authorization Endpoint (Section 3.1)

    How does the authorization endpoint authenticate users? (e.g. requires username and password logins each visit? maintains session cookies?)

    Response Types (Section 3.1.1)

    Aside from "code" and "token", are any additional response types supported?

    • Yes, additional types:
    • No

    Redirect Endpoint Confidentiality (Section 3.1.2.1)

    • Are redirect endpoints required to be HTTPS? Yes No
    • If HTTPS is not required, does the authorization endpoint warn users about the insecure redirect endpoint? Yes No

    Redirect URI Registration (Section 3.1.2.2)

    Registration of the redirect endpoints is required for public clients and clients using the "implicit" grant type. Aside from these uses, are all clients required to register redirect URIs?

    • Are all clients required to register their redirect URIs? Yes No
    • Is the registered redirect URI required to match exactly? Yes No
    • If both previous answers are "no", does the authorization server support a variable query string component of the registered redirect URI? Yes No
    • Can clients register multiple redirect URIs? Yes No

    Note: if registration of redirect URIs is not required for all clients, then your authorization endpoint can be used by an attacker as an open redirector.

    Invalid Redirect Endpoint (Section 3.1.2.4)

    • Does the authorization endpoint inform the user that a given redirect endpoint is invalid?
      Yes No

    If the answer is "no", please describe what happens when an invalid redirect URI is provided in an authorization request. (The authorization endpoint must not redirect to this endpoint.)

    Access Token Scope (Section 3.3)

    • Is it possible for the authorization server to ignore (or add) scopes to the values requested during authorization? (For example, giving users the ability to not grant certain scopes requested by the application.) Yes No
    • Does the authorization server document the default scope if none is specified during authorization? Yes (Documentation URL: ) No

    Authorization Response (Section 4.1.2)

    • What is the lifetime of authorization codes? (Maximum of 10 minutes is recommended)
    • If an authorization code is used more than once, does the authorization server revoke all access tokens granted using the authorization code? Yes No
    • What is the maximum size of authorization codes issued?

    List any other parameters returned, as well as their maximum sizes:

    Authorization Error Response (Section 4.1.2.1)

    • If the request fails due to an invalid redirect URI or missing client ID, does the authorization server inform the user of the error? Yes No
    • Does the error response contain an error_description field with a human-readable description of the error that occurred? Yes No
    • Does the error response contain an error_uri field which links to a human-readable web page about the error? Yes No

    Implicit Grant (Section 4.2)

    Implicit Grant Access Token Response (Section 4.2.2)

    When does the access token response include an expires_in parameter?

    • Always
    • Sometimes
    • Never

    If the expires_in parameter is not returned, the default value of the expiration is:

    • Does the response always include the scope of the access token? (Optional if it's identical to the scope requested by the client.) Yes No

    • What is the maximum size of authorization codes issued?

    List any other parameters returned, as well as their maximum sizes:

    Authorization Error Response (Section 4.2.2.1)

    • If the request fails due to an invalid redirect URI or missing client ID, does the authorization server inform the user of the error? Yes No
    • Does the error response contain an error_description field with a human-readable description of the error that occurred? Yes No
    • Does the error response contain an error_uri field which links to a human-readable web page about the error? Yes No

    Password Credentials Grant Type (Section 4.3)

    Describe what types of clients can use the password credentials grant type:

    Authorization Request (Section 4.3.1)

    Describe how the user enters their credentials, e.g. a username and password prompt, client certificate auth, or whether the server uses or requires two-factor auth:

    Access Token Request (Section 4.3.2)

    Since the access token request involves sending the user's password to the authorization server, the server must protect against brute-force attacks. Describe what type of protection is used, e.g. rate limiting, sending alerts to the user, etc:

    Access Token Response (Section 4.3.3)

    • Does the client receives a refresh token when using the password credentials grant type? Yes No

    Client Credentials Grant (Section 4.4)

    What type of client authentication is used for the client credentials grant? e.g. client ID and secret, public key auth, etc.

    • Client Credentials (client ID and secret)
    • Others:

    Can clients use the client credentials grant to request access to resources of other users who have been previously authorized? Yes No

    If yes, describe how clients indicate which user they requesting an access token for. E.g. specifying a username, user ID, opaque token, etc.

    Access Token Response (Section 4.4.3)

    • Does the client receive a refresh token when using the client credentials grant type? (Not recommended) Yes No

    Extension Grants (Section 4.5)

    Authorization servers may support additional extension grant types such as SAML. List any additional grant types that are supported, along with links to their documentation.

    Successful Access Token Response (Section 5.1)

    • Does the access token response include an expires_in parameter indicating the lifetime in seconds of the access token? Yes No
    • If not, what is the default value: , or describe another way the expiration time is indicated:
    • Refresh tokens are returned for the following grant types:
      • Authorization Code
      • Implicit
      • Client Credentials
      • Refresh Token
      • None of the above
      • Describe any other conditions under which a refresh token is or is not returned when requesting an access token. E.g. only for specific clients, etc:
    • What is the maximum size of access tokens issued?
    • What is the maximum size of refresh tokens issued?
    • List any other parameters returned, as well as their maximum sizes:

    Error Response (Section 5.2)

    • Does the error response contain an error_description field with a human-readable description of the error that occurred? Yes No
    • Does the error response contain an error_uri field which links to a human-readable web page about the error? Yes No

    Refreshing an Access Token (Section 6)

    • Does the authorization server issue new refresh tokens when a refresh token is used? Yes No
    • If a new refresh token is issued, is the existing refresh token revoked? Yes No

    Accessing Protected Resources (Section 7)

    Describe how the resource server validates access tokens: (e.g. uses the authorization server's private API, shares cryptography keys, shares a database connection)

    Describe how clients send the access token to the resource server. This typically involves sending the access token in the "Authorization" request header.

    Access Token Type (Section 7.1)

    Which access token types are accepted?

    • Bearer tokens
    • MAC tokens
    • Others:

    Error Response (Section 7.2)

    Does the resource server inform the client of an error? Yes No

    New Authentication Schemes

    If you are using a new authentication scheme (other than Bearer tokens), there are several things to take into account when handling error responses. Please describe the following:

    • How your new authentication scheme provides error status codes to the client
    • What is the name of the error parameter? (e.g. error)
    • Does your scheme also return an error_description parameter? Yes No
    • Does your scheme also return an error_uri parameter? Yes No

    Security Considerations (Section 10)

    Client Authentication (Section 10.1)

    • Are client passwords (or other credentials) issued to clients for specific devices? (e.g. an individual installation of an application on a device gets unique credentials.) Yes No
    • When clients are unable to use authentication such as a client_secret, does the authorization server employ other means to validate the client's identity?
      • Requires registration of redirect URIs for clients
      • Involves the user in confirming the client's identity
      • Other:
      • No

    Client Impersonation (Section 10.2)

    • Does the authorization server provide the user with information about the client? Yes No
    • ... about the requested scope? Yes No
    • ... and lifetime of the request? Yes No
    • Describe the security measures taken to ensure repeated authorization requests come from the original client and not an impersonator:
    likes 6 reposts 3 replies 5 mentions
    #oauth #oauth2 #standards #web #authentication #checklist
  • [OAUTH-WG] OAuth Status (www.ietf.org)
    #oauth #oauth2
  • Top 5 OAuth 2 Implementation Vulnerabilities (intothesymmetry.blogspot.ch)
    #oauth2 #security
  • Into the symmetry: Beware what you click (intothesymmetry.blogspot.ch)
    #oauth2 #security #github
  • OAuth 2.0 and Sign-In (www.cloudidentity.com)
    OAuth 2.0 is not a sign-in protocol. Sign-in can be implemented by augmenting OAuth, and people routinely do so...
    #oauth #oauth2 #authentication #internet
  • SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers (securityintelligence.com)
    #oauth #security #oauth2
  • Continuing last weekend's documentation of all the un-specified parts of OAuth 2.0, things were going pretty well until I hit the "Security Considerations" section, which basically recommends but doesn't require a whole bunch of things. Basically this means an API can be fully OAuth 2.0 compliant and also completely insecure.

    If you want to know more, keep an eye out for this blog post. Or hire me as an independent OAuth consultant and I'd gladly spend a day with you.
    Portland, Oregon, USA
    likes 6 replies
    #oauth2 #oauth
  • Currently documenting all the ways the OAuth 2.0 framework leaves choices up to the implementor. The list is long. #oauth2
    Portland, Oregon, USA
    likes 1 repost 2 replies
    #oauth2
  • Justin Richer http://bspk.io/
    The article on OAuth and Authentication that I helped write/edit is online now: http://oauth.net/articles/authentication/ (thanks to @aaronpk for publishing!)
    2 mentions
    #oauth #oauth2
  • @channaly Thanks! You might also like my written version of the talk: http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified #oauth2
    Portland, Oregon, USA
    #oauth2
  • OAuth meeting minutes (www.ietf.org)
    #ietf #oauth #oauth2
  • Using ArcGIS with OAuth 2.0
    Nov
    20
    November 20, 2013 at 2:30pm UTC+4
    بورسعيد, دبي, ARE
    Esri Dev Summit
    #esri #devsummit #oauth2
    permalink
  • Esri Dev Summit Middle East and Africa
    Nov
    19
    Nov
    20
    Nov
    21
    November 19, 2013 at 9:00am UTC+4
    Park Hyatt
    Dubai
    #esri #devsummit #geotrigger #oauth2 #terraformer #leaflet
    permalink
  • Speed Geeking: An Intro to OAuth 2
    Jul
    9
    July 9, 2013 at 3:30pm UTC-7
    Esri User Conference
    San Diego, California
    1 RSVP
    #esri #esriuc #speedgeeking #oauth #oauth2
    permalink
  • Speed Geeking: An Intro to OAuth 2
    Jul
    9
    July 9, 2013 at 3:30pm UTC-7
    San Diego, California, USA
    Esri User Conference
    #oauth #oauth2 #esri #esriuc #speedgeeking
    permalink
  • At @EsriUC? I'm doing a #speedgeeking session on OAuth 2 tomorrow at 3:30pm!
    San Diego, CA, USA
    #speedgeeking #esri #esriuc #oauth2
  • @a_hershberger Yes, most implementations require the client ID and secret. At the very least you'd need to require client ID to identify the client. Of course don't send the secret if it's coming from a mobile device. #oauth2
    Redlands, CA, USA
    #oauth2 #oauth