Presentation Material
Abstract
Since the beginning of distributed personal computer networks, one of the toughest problems has been providing a seamless and secure SSO experience between unrelated servers and services. OAuth is an open protocol that allows secure authorization in a standard way from web, mobile and desktop applications. The OAuth 2.0 authorization framework enables third-party applications to obtain discretionary access to a web service. Built on top of OAuth 2.0, OpenID Connect is a helpful "identity layer" that gives developers a framework for building functional and secure authentication systems. In the race to provide OAuth/OpenID Connect based access to assets, authorization service providers have been forced to release half-baked solutions into the wild, because of which relying parties and users face a myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers. This work discusses common malpractices that relying party developers perform when implementing OAuth/OpenID based relying party solutions, and the goof-ups that authorization servers can introduce, including a case study on OAuth authorization providers and a vulnerability in Microsoft's authorization server (login.windows.net).
Presented at Security Fest 2019.