Event Recording

High-security & interoperable OAuth 2: What's the latest?

Name: High-security & interoperable OAuth 2: What's the latest?
Uploaded: 2023-05-10T12:00:00+02:00
Duration: 15 min 36 s

Posted on May 10, 2023

OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has been historically difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last five years working to improve the state of the art and will present the latest developments in the field.

There are challenges when trying to achieve high security and interoperability with OAuth 2: Many potential threats need to be addressed, some not part of the original OAuth threat model. To seamless authorizations, optionality must be minimized OAuth itself and also in any extensions
used.

Six years ago, the IETF OAuth working group started work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.

We will introduce these specifications and help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and high security through the use of techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS. We highlight the benefits for implementers and the role of conformance testing tools.

Show description

Speakers

Security and Standardization Expert
Authlete

Dr. Daniel Fett

Daniel holds a Ph.D. in Computer Science for the development of new methods for analyzing the security of web standards. Leveraging this background, he has worked for the past several years to advance the state of the art in authentication and authorization standards security. With his...

View profile

CTO
Authlete Inc

Joseph Heenan

Joseph is a software engineer & architect with over 25 years’ experience, who started writing mobile apps before mobile apps existed. He contributes to IETF and OpenID Foundation working groups, including the FAPI group where he helped write the security profiles used by...

View profile

Show Transcript

So yeah, I'm Joseph Heenan, I'm the CTO or athlete. We're a an authorization server vendor. We had a different session explaining a bit more about what we do, which I'm sure you can look at the recording of if you're interested. But a lot of the last five plus years I've been really helping make ecosystems interoperable and secure. So I'm gonna talk a bit about that with my colleague Daniel.
Hi everybody. Thanks for joining us So late here today. My name's Daniel Fed and I'm today here also for Athlete and Justice Joseph. I've worked in a different thing, but same goal making things interoperable on a large scale. And this talk will in, in this talk we will present what we learned and what we did over the last years. And it all starts with orth two of course. So say you want to create an eHealth API or you want to your, your technical body writing an open insurance specification, of course you need API authorization, you might need authentication based on open ID connect. So what do you do? What do you write in your specification? Do you just say, and I've seen that in practice just use or two, that is not enough because as it turns out, in any larger ecosystem, you need more than what or two gives you, for example, you want real interpretability or two says in the first paragraph that it is not interoperable, it will create non interoperable protocols.
So it's a framework giving you a lot of flexibility, but you really need to tie that down. Obviously you need to do something about security. I've seen specifications where it says use or two and then cater for the OS top 10 security issues. That's obviously not enough. What is with the or OS top 11 security issue, right? So or two really just gives you authorization. You need more than that. We learned a lot about author to security and so we, some of that you already find it open and deconnect where you obviously get the authentication part. You also get conformance tests that we'll talk about later, but you don't get what is, for example, written in the OR two security bcp, which, which really captures a lot of the, the security stuff that we learned you can use or 2.1 which is great, which is essentially or two plus the security BCP best current practice. So that's great, but it still doesn't give you interpretability. If you want all of that, then your best choice is probably to use fpi. So what is fpi?
All right, so let's start a little bit by talking about the naming. So the naming has evolved a little bit over the years, so there we go. So FPI started out as financial API and there was a, a goal in the working group to provide a all singing or dancing globally compatible open banking api. Turned out that wasn't quite so easy, but we did do a security profile so we started to, to use that in the name. But then we realized that this wasn't just for banking. You need high security for all the use cases. Daniel mentioned, you know, when you're sharing your health records, you probably want that to be at least as secure as your access to your bank. But we wanted to keep the FPI name. So we moved to financial grades API security profile to try and imply that yes, you can use this in other places.
But then as we talked to more ecosystems, they said, well it's still got financial in the name. We don't really like that we'd, we think it's focus for banks. We don't really think it's for us. So now we are just fpi, we, we don't stand for anything. Although Nat, if you're at the session on Monday, the chairman of the FPI working group, Nat has an idea on turning it back into an acronym again. So this may not be the end of the story. I think we were going for formally analyzed protection interfaces latest idea. So we'll, we'll update you on that at EIC next year.
Yep. So FPI is, FPI is a security interoperability and feature profile for all two. That gives you all the things that I mentioned in the beginning. It's usable for all high security APIs, whether it's an E-sign application, e-government, health, financial obviously insurance, whatever. You can use it. And yeah, so, so it's really agnostic to what you're actually do doing with it. FPI two is the latest here. So we have FPI one which is already also rolled out in some applications, but there's also FPI two, which is an evolution of FPI one based on the industry experience. So the things that we learned about the best security mechanisms, the best interoperability, the things that you should do and shouldn't do in such a profile, we put all of that into far P two. It's easier to use than FPI one, it has better interoperability and it's more secure in the sense that it's easier to analyze whether it's actually secure or not.
So there's a couple of specifications that you should know. So at the bottom you find the attacker model. That's a more theoretical document that outlines what we want to protect against and what we don't want to protect against in this profile. Of course you still have attacks that, that you need to consider, but some of those are outside of what provides you. You need other measures to do that. Then there's a security profile on top that really tries to protect against all these attacks outlined in the attacker models or against the attackers, not the specific attacks. So we really talk in attacker capabilities. That's probably the most important document. That's the one where you want to start reading that tells you what exactly you need to do to get secure and interpretable or an almighty connect. And then for special use cases or special requirements, there are a couple of add-on documents that you can or cannot use.
So there's message signing obviously for signing messages for non-repudiation client initial initiated back channel authentication for special flows grant management if you want to have an API to, to talk about, like to manage grants or to to talk about authorizations that happened in the past and to modify them and so on. And let's talk about the security profile for moment. As I said, this is the most important document here, just to give you an idea of what's happening in that document. A few examples. For example, we took all the things from the orth best current practice RFC draft if you want. If you don't want to read that document it ha, I think it has 60 plus pages. It's a good idea to use FPI two because we incorporated all the measures from there into FPI two. Obviously we have paragraphs telling to you what algorithms to use, what algorithms not to use TLS recommendations and so on.
There are recommendations for example, for sender constraint access tokens, super important to keep access token safe. Even if they get stoned they cannot be misused. Asmatic client authentication is a learning to improve security. We don't have enough time to go into all the details here, but the message here is there's really a lot in there, but still it's a relatively brief document that you can read and is really actionable. The security recommendations they, so we didn't just like invent them. We had a formal security analysis to to underpin this to really say okay, this actually protects against the attacker model. So this is also formally verified. Then regarding interoperability of course the main point is reduce the optionality or two gives you a lot of optionality, different grant types, different mechanisms for almost everything so far. P two selects the best mechanisms for you and also tells you which mechanism not to use, which mechanisms might be insecure to give you an A protocol that is on the wire interoperable. So two far P compliant implementations will actually be able to talk to each other. One thing that we added for various reasons actually push authorization requests. They increase interoperability, they replaced bespoke solutions that were, that we saw for example in the banking sector and they improved security as well. So great mechanism and that's actually, that touches on security interoperability and all the other areas as well. And then there's another part that's conformance tests.
Thank you Daniel. So yeah, so the great thing about all the work Daniel just talked about where we've actually reduced the optionality and been quite prescriptive about how you should do things. It means you can actually test things cuz generic OTH two, it's just too flexible. Nobody has ever produced a comprehensive OTH two test suite. But for fpi we can absolutely do that. And this is what we really use to drive the interoperability in large scale ecosystems. It's great having a protocol that's interoperable, but if people don't actually implement it, like the specification says it's still not gonna be interoperable or it's not going to be secure. So we have a complete conformance testing program. It does positive and negative tests. So it tests the happy flow, it checks what happens when, yeah hey let's put this incorrect signature on an object and see what happens. It shouldn't work. And the test suite detects all those things. And then there's, there's a, a certification program around that actually lets you get your results formally published. So you're on a list of people that are known to have passed the test.
And yeah, it's quite a cheap and easy program compared to if sometimes people think about these things, comparing it to, you know, getting a sensor to do an audit of you. It's not that it's an open source serve software. You actually run the test yourself against your own system and then it's, it pretty much gives you a pass or fail and then you just have to package the resorts up and send them to open ID foundation to get your official certified mark. So we'll just talk a little bit about who's actually using this now. So FPI was first adopted in the UK open banking. They were very much the trailblazers with open banking and immediately saw the value in FPI and actually contributed to the spec development and gave us lots of useful impact. So that's been life for four years now, five years, something quite a while now and people have continued to copy that, that model really.
So I think Australia was the next one to go live. Then Brazil with open banking, which later became open finance there and then they launched open insurance very recently as well. So they're, they're going wide and fast on their ecosystems and they've really gone all completely full in on conformance as well to make sure that they can grow at that kind of scale and speed. FDX in the USA has formally adopted fpi and they also have a Canada chapter. We've got banks in Japan live with fpi. We've got the yes.com ecosystem in the the Europe and Steiner's health ecosystem in Norway. And did I mention Kingdom of Saudi Arabia? I think that's one of the latest editions. They just went live early in the year again, just really copying what the UK did and then we've got Russia who are using it, but they picked their own crypto for Russian reasons.
Yeah, so coming to the end of our talk and I'm happy that we are right on time. If you want a high security in Intel Porwal or two implementation FPI and FPI two in particular is your best choice. It is really a batteries included specification. So we hope that we as we speaking as the open ID f p working group that we provide you with everything that you need to really get your API running quickly. It incorporates all the latest security recommendations, ensures interoperability, which also of course means through the conformance testing that when you say your API uses F P two, you automatically get vendors that can provide you with software that is already conformance tested. So that's a, a huge benefit. So you don't need to, and your implementers don't need to write everything themselves. The future rich extensions, I can imagine that there might be more in future for specific use cases and Joseph has talked about that this has already gained adoption worldwide. Probably some other use cases that we don't even know about as well. So that's the specification that you want to use if you need these properties. Thank you very much.
Well thank you very much. And of course, do we have any questions from the audience? No, well just let's cut of all this sinking in. We need some time to digest it and have
A question.
Thank you for a fantastic talk. That was really good. I was wondering, do you have any numbers for coverage on the RP slash client side for the client libraries or CERTIF certifications?
So client side libraries certification is a bit of a more difficult topic. It's very easy to get the banks certifying. We are working to get more clients certified, but certainly one of the things Brazil did was they mandated RP certification. So every library that is being used in Brazil is now indirectly certified, but we would like to have more certified libraries. Ultimately, if anybody has written a OAuth FPI client library and would like to get it certified, please come talk to me and I'll help you through the process.
Okay, awesome. Thank you. Thank you again.

Playlist

European Identity and Cloud Conference 2023

Event Recording

Moving on from legacy MFA: Phishing-resistant MFA as a prerequisite for Passwordless

May 10, 2023

As long as passwords exist, enterprises are vulnerable to account takeover attacks –yet organizations looking to eliminate passwords may not know where to begin their passwordless journey. While passwordless authentication methods—especially those based on FIDO2—are widely available, they are not yet universally supported nor adopted. This lack of a universal approach can cause confusion and complacency—or both. Attend this session to learn why (and how) organizations should move away from passwords and legacy MFA to advance to and adopt a secure passwordless strategy centered on phishing-resistant MFA in 2023

Watch

Event Recording

Digital Identity (Wallet) in (International) Travel and Tourism

May 10, 2023

This panel discussion is addressing what is currently happening to make the travel and tourism ecosystem ready for the use of a digital identity that has the level of assurance to cross an international border, board a flight and sign in to a hotel. The travel ecosystem still revolves around a physical passport/ID card or drivers licence and this is about to see incremental, but pivotal changes. The digital wallet will also ad to the way we get ready to travel and add verifiable credentials that travellers can share in advance of their trip.

Watch

Event Recording

Celebrating a Digital Age to Advance Digital Stages of Necessity

May 11, 2023

Samuel Devasahayam will discuss the past decade of identity sights through Microsoft’s lens, demonstrating that security in a digital age remains valuable, and detailing what these insights imply for the next decade to continue building customer trust and resilient infrastructures.

Watch

Event Recording

Safeguarding IoT/OT/IIoT Devices, Their Identities and Communication with Autonomous Networking

May 11, 2023

Autonomous networking aims at the appropriate handling of the growing number of devices, machine, sensors and components for which authentication and authorization must be ensured, i.e., identities must exist. The initial provision of such identities, but also the handover and onboarding into the respective operational environment (WiFi, smart home, factory floor) require scalable, automated, end-to-end secured procedures and concepts to facilitate trusted communication, but also e.g., the provision of made-to-measure updates.
Making IoT/OT/IIoT identities and networks secure by design is essential. ACP (Autonomic Control Planes) and BRSKI (Bootstrapping Remote Secure Key Infrastructure) lay one foundation for achieving this.

Watch

Event Recording

Digital Trust in the Metaverse & Decentralized Internet of Everything

May 11, 2023

Phishing, hacking, threats, fraud, and malicious behavior online of all types all share a common root: verification. In this session we’ll go beyond identity and explain how decentralized identity and verifiable credentials can provide a complete, secure system for exchanging different types of information between multiple parties. Learn how Trusted Data Ecosystems can connect people, machines, companies or any two entities to multiple businesses and jurisdictions without sharing private information. In this conversation, long-time community contributor at Hyperledger, working group leader at Decentralized Identity Foundation, and Indicio Senior Engineer Sam Curren will share more about digital trust and describe the critical importance of digital verification to decentralized healthcare, finance, the metaverse, and to the interaction of digital objects and non-digital objects in the spatial web—the “Internet of Everything.”

Watch

Event Recording

Getting the Travel and Tourism Ecosystem Ready for a Digital Identity and Verifiable Credentials

May 10, 2023

The ICAO DTC Type 1 and de mDL standard are currently being used/prepared to be used in several pilots. What are lessons learned, what impact do the panellists see and or expect. Also the EU Digital Wallet will have an important role in these developments. The travel ecosystem connects public and private parties around a traveller. Using a digital identity in an ecosystem that crosses international borders and legal systems is complex, for passengers ànd stakeholders, and requires international standards for technology, data privacy and trust frameworks.

Watch

Event Recording

Cyber Insurance Claims & Denials

May 12, 2023

Watch

Event Recording

Managing your Code-to-Cloud Security Risks in a Multi-Cloud Environment

May 10, 2023

The shift to multi-cloud introduces a wide range of cloud security risks that remain unaddressed due to the siloed approach and limited focus of existing cloud security tools. Most cloud security tools offer highly focused solutions that are limited in scope and capabilities to address the growing spectrum of multi-cloud security risks. The convergence of IAM and multi-cloud security tools (CSPM, CWP and CIEM) offer a cloud security platform that takes an integrated approach to securely manage identities and their access entitlements to cloud resources for cloud-native application development, deployment and operations in the cloud. In this session, we will discuss:

What are the emerging archetypes of IAM and multi-cloud security tools convergence?
What are the essential building blocks to effectively address your code-to-cloud security risks in a multi-cloud environment?
What are the industry best practices and recommendations to deploy and operationalize multi-cloud security tools for best results?

Watch

Event Recording

Why Active Directory is the Prime Cyber attack Target - and what to do about it!

May 10, 2023

For more than two decades, Microsoft Active Directory (AD) has been the de facto method organizations use to authenticate and authorize users for access to computers, devices, and applications within a company’s network. Most companies still rely on it and have further extended its reach into the cloud by synchronizing their on-prem AD with the Microsoft Azure AD to allow proper SSO to cloud-applications by their users. AD is celebrated for its extensive compatibility with various applications and Windows editions, but that compatibility comes with security downsides.

Compromises of Active Directory can occur as an entry point leading to a further attack or can arise at various other points along the kill-chain following an initial compromise via some other mechanism. Even in cases where a compromise is gained following an attack on applications or infrastructure directly, it is frequently infeasible for an attacker to progress further without elevating privileges, making Active Directory a primary target in an overall breach strategy.

It is therefore important that Active Directory defense tools are paired with a wider Zero Trust and XDR approach to provide full visibility over organizational infrastructure, enabling security teams to accurately identify the point of origin of an attack, and to perform the containment and remediation actions required to neutralize and prevent reoccurrence of an attack.

Join Principal Technologist, Guido Grillenmeier, to discuss AD access points used in recent cyberattacks, security risks to watch for in managing AD with Azure AD, how to look for warning signs that AD has been compromised and steps to take in the event of an attack.

Watch

Event Recording

The ID-Wallet in Germany’s eHealth Sector from Jan 1st 2024

May 12, 2023

Germany's healthcare sector will introduce its own ID wallet called "Sectoral IDP" for all statutorily insured persons on 01.01.2024. The issuers of the wallet are the health insurance companies, and approval will be granted in accordance with the extensive specifications of gematik (the regulatory authority). The ID attributes are issued by 2 issuers: PID and health insurer. The sectoral IDP is based on the OpenID Connect (core and Federation), Open Authorization 2.0 (OAuth 2) and JSON Web Token (JWT) standards. The presentation will describe the specific gematik requirements for product and operations of the ID wallet as well as their possible implementation. Despite the closed system in eHealth (Telematics Infrastructure) by definition, bridges to developments of ID wallets outside the sector such as EU, AML and eIDAS will be shown.

Watch

Event Recording

Panel: What Happens When Applications Don't Use the Identity Standards We Have Built

May 11, 2023

OAuth 2.0 is a widely adopted standard for authorization, but it can be complex to implement correctly. It's not uncommon for developers to have difficulty understanding the nuances of the OAuth 2.0 flow and instead rely on simpler approaches such as using API keys in "god mode."

OAuth 2.0 can be difficult to set up and configure, especially for developers who are new to the standard. It involves creating an OAuth 2.0 client, setting up redirect URIs, and managing access and refresh tokens, which can be confusing and time-consuming. Additionally, the standard requires developers to handle user authentication and authorization separately, which can be difficult to understand for those who are not familiar with the concepts.

Many developers may not understand the security benefits of OAuth 2.0 over API keys. OAuth 2.0 allows for fine-grained access control, enabling developers to limit access to specific resources and actions. In contrast, API keys provide more open access, allowing all actions on all resources. Developers may be inclined to use API keys instead of OAuth 2.0 because they are simpler and easier to implement, but they don't offer the same level of security.
Developers may find it hard to understand the standards, and may end up using an inconsistent approach.

The panel will discuss these reasons and other potential causes for why developers may not be using OAuth 2.0 correctly, and provide recommendations for how to overcome these challenges. We will highlight the benefits of OAuth 2.0, such as improved security and the ability to provide fine-grained access control, to encourage developers to adopt the standard. Additionally we will give examples of real-world attack scenarios that could have been avoided if the application was using OAuth 2.0.

Watch

Event Recording

How to Get Your Cyber Insurance, Bring Down the Premium and Up the Coverage

May 12, 2023

More and more it becomes difficult to Insure yourself against a Cyber attack. Understanding all the different vectors of your risk posture, the flood of different tools and checklists that need to be taken into account and the way to consolidate this risk into an overarching risk dashboard is an immense challenge for CISO's, Risk Managers and their senior leadership. Because of this major challenge and a non-standard way of calculating the risk; more and more Insurance companies are putting a high demand on the information provided in order to get a proposal for a Cyber Insurance and then, if and when a Cyber Insurance is offered, the premiums and coverage become another big challenge and financial burden on companies.

The presentation will highlight these challenges and will provide hints and tips on how to deal with this problem, ensuring to get Cyber Insurance at the lowest possible premium and with the highest coverage.

Watch