OAuth 2.0 - Security

2019-03-22 22:06:47

• Protecting Redirect-Based Flows
  • Exact matching of client redirect URIs against pre-registred URIs
  • Avoid forwarding the user 's browser to a URI obtained from query parameter (if needed implement appropriate countermeasures against open redirection)
  • Prevent CSRF by implementing one-time CSRF token (state parameter)
  • Validate that all request came from the same user agent / client.
  • Authorization Code Grant
    • Clients utilizing the authorization grant type must use PKC
  • Implicit Grant
    • Should not use
• Token Replay Prevention
  • Authorization server should use end-to-end TLS whenever possible
  • Refresh token rotation must be implemented
  • One-time refresh token

• Access Token Privilege Restriction

  • The privileges associated with an access token SHOULD be restricted the minimum required for the particular application or use case.
  • Access tokens SHOULD be restricted to certain resource servers preferably to a single resource server
  • Additionally, access tokens SHOULD be restricted to certain resources and actions on resource servers or resources.

• Attacks

  • Insufficient Redirect URI Validation
  • Credential Leakage via Referrer Headers
    • Stealing the authorization code through the reference
    • Stealing the access token through the reference
  • Attacks through the Browser History
    • Code in Browser History
    • Access Token in Browser History
  • Authorization Code Injection
  • Access Token Injection
  • Cross Site Request Forgery attack against the client
  • Access Token Leakage at the Resource Server
  • Compromised Resource Server
    • XSS, SQL Injection and other
  • Open Redirect
    • Stealing the token through an open redirect
  • Theft of client credentials from JavaScript-only application
  • Token replays

• Reference

  • https://tools.ietf.org/pdf/draft-ietf-oauth-security-topics-12.pdf
  • OAuth 2 in Action by Mr Justin Richer