A review of different types of authentication attacks, examined through an example where a user wants application X to access their files on application Y and therefore needs to delegate those permissions.
Exposing Credentials
Giving out your credentials is bad, plain and simple.
Aside from the risk of exposure, handing over full credentials does not allow for least privilege: whoever holds them can do everything the user can.
Using Tokens
To avoid handing out credentials we can use tokens instead. Tokens carry only least-privilege permissions and are timed to expire.
How these tokens are provisioned is the point of this security conversation.
Implicit Flow
This form of OAuth token exchange can be seen in the example below.
Some major components of this flow:
- client_id = identifies the service that is requesting the delegated access tokens
- redirect_uri = for the browser; used so that the user can jump between the application and the IdP
- scope = the permissions allowed by the destination application
- response_type = "token", indicating implicit flow
Potential Attacks with Implicit Flow
- Redirect URI manipulation = the authorization server needs to verify that the redirect_uri is one registered for the client_id and is trusted
- CSRF (cross-site request forgery) = could potentially expose the tokens through CSRF. A way to mitigate this is:
Use of 'state' can help avoid CSRF, but there are still other ways to expose the token; for example, during the GET request the response token is actually stored in the browser session, where it could get exposed to other applications.
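The two checks above (exact redirect_uri matching and a per-request state value) as a worked example; this is added code, not from the original notes or the referenced blog, and the client registry, hostnames and session dictionary are constructed for the demonstration. It also shows why the implicit flow is fragile: the token comes back in the URL fragment of the redirect, so anything that can read that URL can read the token.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed client registry; a real IdP loads this from its client database.
REGISTERED_CLIENTS = {
    "app-x": {"redirect_uris": ["https://app-x.example/callback"]},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server side: exact match against the URIs registered
    for this client_id. Prefix or substring matching is the classic mistake,
    because it accepts URIs the client never registered."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def new_state(session: dict) -> str:
    """Client side: mint an unguessable state value and bind it to the
    user's session before redirecting to the IdP."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def callback_state_ok(session: dict, returned_state: Optional[str]) -> bool:
    """Client side: the state in the callback must equal the one stored in
    this session. It is consumed on first use so a replayed callback fails."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


def implicit_callback_params(callback_url: str) -> dict:
    """In the implicit flow the IdP puts access_token and state in the URL
    fragment; this parses them out the way the client's JavaScript would.
    Returns a flat dict of single values."""
    fragment = urlsplit(callback_url).fragment
    return {k: v[0] for k, v in parse_qs(fragment).items()}


if __name__ == "__main__":
    session = {}
    state = new_state(session)
    # Constructed callback as the IdP would send it for response_type=token.
    cb = f"https://app-x.example/callback#access_token=tok123&token_type=Bearer&state={state}"
    params = implicit_callback_params(cb)
    print("state ok:", callback_state_ok(session, params.get("state")))
    print("token exposed in URL:", params["access_token"])
```

The redirect check belongs on the authorization server; the state check belongs on the client. Both are cheap, and neither fixes the underlying problem that the token itself rides in the redirect URL.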
The final flow for OAuth 2.0 looks like this; it uses PKCE (Proof Key for Code Exchange).
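The PKCE part of that flow carried through end to end, as an added example that is not from the original notes or the referenced blog. The client keeps a random code_verifier, sends only its SHA-256 hash (the code_challenge) in the authorization request, and proves possession of the verifier at the token endpoint. The toy AuthorizationServer class, the client_id and the redirect_uri are constructed here; the verifier/challenge derivation follows RFC 7636 (S256).

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def _b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 characters, the RFC 7636 minimum length.
    return _b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: challenge = base64url(SHA-256(verifier)).
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed toy server: /authorize stores the challenge alongside the
    issued code; /token releases a token only to a caller that presents the
    matching verifier, the same client_id and the same redirect_uri."""

    def __init__(self) -> None:
        self._codes = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
        }
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str) -> Optional[dict]:
        record = self._codes.pop(code, None)  # codes are single use
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), record["challenge"]):
            return None
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
        }


def run_pkce_flow(server: AuthorizationServer, client_id: str,
                  redirect_uri: str) -> Optional[dict]:
    """Client side of the flow: verifier stays local, challenge goes out,
    code comes back via the redirect, verifier is redeemed for the token."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    return server.token(client_id, redirect_uri, code, verifier)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(run_pkce_flow(srv, "app-x", "https://app-x.example/callback"))
```

Because the token endpoint demands the verifier, an authorization code observed in the redirect (the very thing the implicit flow leaked as a full token) is useless on its own, and the token never transits the browser URL at all.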
References
https://stack-auth.com/blog/oauth-from-first-principles