OSW 2023
Agenda Thursday
Talks & Tutorials Thursday
When the rubber hits the road: How the OAuth security protocols are rolling out to the thousands of health professionals in Norway
Simone Vandeberg, Product owner for NHN's trust framework and formerly product owner for NHN's authorization server and its self-service application
At the end of this presentation, you will know more about how OIDC and OAuth are being used in the context of healthcare, a highly critical, life-and-death scenario.
The health sector in Norway is enabling health professionals to digitally access health information, giving them access regardless of where the information is stored. Health information includes, for example, prescriptions, medical images and test results, medical IoT device information, patient records, care plans, and clinical registries.
In Norway, digitally sharing healthcare information across legal entities is a fundamental change. Health professionals themselves have the legal basis for accessing health information. They do not require patient consent. However, both the legal entity accessing health information and the legal entity that collected the information are considered data collectors. Thus, both are responsible for ensuring that the transaction is authorized and managed in accordance with the law.
Another challenge is that the sector is both fragmented and diverse. To help ensure that access is given in accordance with the law, Norsk Helsenett (NHN) is establishing an ecosystem of legal entities that agree to use a trust framework as the basis for sharing. The trust framework, also being established by NHN, documents the agreed rules and mechanisms for sharing. It includes identity federation using OIDC and OAuth for delegation.
In NHN's role as the sector's trusted 3rd party, the organization is facilitating reinterpreting and realigning existing laws. In addition, NHN is helping health organizations reevaluate their requirements and processes. In addition, NHN is developing and implementing new concepts and solutions across the sector. In this work, NHN faces challenges like building an understanding of trust concepts and technologies, agreeing a shared way of determining and expressing legitimate interest, agreeing the appropriate investment in information security, and operationalizing technical solutions across the sector.
In this presentation I will talk about how OIDC and OAuth are rolling out to the thousands of health professionals in Norway.
The insecurity of OAuth 2.0 in frontends
Philippe De Ryck
Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, but many underestimate the true power of XSS. In fact, various OAuth 2.0 security mechanisms for frontends, such as refresh token rotation or token isolation in workers, fail to look beyond script kiddie XSS attacks.
In this talk, we take an in-depth look at the consequences of XSS in frontend OAuth 2.0 clients. We explore real-world attacker capabilities and map them against a concrete threat model. We also explore how structural solutions like the Backend-for-Frontend pattern effectively increase the security of frontend applications.
The goal of this session is to establish a baseline understanding of security in frontend OAuth 2.0 clients, so that we can consolidate the current guidelines in the specifications into risk-based developer-oriented recommendations. Ideally, this session is followed up by a breakout meeting to flesh out the details.
OAuth 2.0 Redirect URI Validation Falls Short, Literally
Tommaso Innocenti, Matteo Golinelli, Kaan Onarlioglu, Bruno Crispo, Engin Kirda
OAuth 2.0 is an industry-standard delegated access protocol allowing Internet users to grant a web application access to their data hosted on a third-party server. The most widely-used mechanism provided by OAuth 2.0, the Authorization Code Grant flow, involves multiple interactions between a Client application requesting access to external data and an Identity Provider (IdP), where sensitive parameters need to be securely transferred and processed by each party. In particular, the "redirect URI" parameter, included in the popular Authorization Grant Code flow, governs the callback endpoint that users are routed to together with their security tokens. The protocol specification, therefore, includes guidelines on protecting the integrity of the redirect URI.
In this work, we analyze the OAuth 2.0 specification in light of modern systems-centric attacks; here vulnerabilities stem from the discrepancies between how different system components parse the same URI. We reveal that the RFC guidance available for Clients and IdPs narrowly focuses on protecting the integrity of the domain name included in the redirect URI alone, but not the entire URI, exposing IdPs to path confusion and parameter pollution attacks.
Based on this observation, we propose novel attack techniques and experiment with 16 popular IdPs. We empirically verified that the OAuth 2.0 security guidance is under-specified. Our experiments show that they expose vulnerabilities due to insufficient validation of the redirect URI, even under the charitable assumption that they follow the relevant RFCs flawlessly. Specifically, 5 IdPs are vulnerable to path confusion, and 10 are susceptible to parameter pollution attacks. Using these vulnerabilities as novel exploit building blocks and combining them with other Client and IdP vulnerabilities, we show that sensitive OAuth 2.0 parameter leakage leads to complete account takeover.
Following a coordinated disclosure process, we have shared our findings with the impacted parties. We have also identified the parts of the OAuth 2.0 specification where redirect URI validation requirements are under-specified, leading to the vulnerabilities we have discovered, and made recommendations to the OAuth Working Group for improvements to the protocol specification.
AM coffee break
What should a secure standards framework for Machine Identities look like?
Pieter Kasselman
We entrust machines (hardware and software) with our most sensitive data, giving them access to far more information than the human on whose behalf they operate, if they are even operating on behalf of a human. Yet, managing machine identities and applying Zero Trust Policies to them is a Herculean task complicated by a heterogenous technology landscape, amplified by multi-cloud/multi-hybrid environments, exacerbated by critical skills shortages and magnified by exponential growth in machine identities.
It's the kind of problem standards excel at solving by creating interoperability layers between heterogenous environments, codifying the wisdom of the crowd to alleviate pressures on rare skills, and creating eco-systems of interoperable solutions that meet a common security bar.
Fortunately, there are already several standards efforts that can help us manage machine identities. Some of these are building on standards for human identities, while others are focused exclusively on machines. But how are all these efforts related and how do we avoid replacing a patchwork of heterogenous solutions with a patchwork of heterogenous standards? Is it possible to craft a standards framework and connect all these efforts in a single identity trust fabric, and is that desirable? If we had such a framework, what would it look like?
In this talk we explore the benefits of weaving a secure standards framework for machines by bringing together more than 18 standards from at least 7 standards bodies while identifying opportunities to align and connect them all to solve the emerging challenge of machine identities at scale.
Federation Bubbles
Justin Richer
We have traditionally thought of federations as relatively static engagements, with significant effort being put into easing the onboarding of entities into the federation. But what about when the needs change over time? Can we build out a robust network of interconnected federation-driven environments for an ever-changing world?
We'll talk about the federation bubbles concept and how it relates to existing and emerging security technologies including OAuth, OpenID Connect, Verifiable Credentials, SPIFFE, and others.
Targeted Logout for OAuth and OpenID Connect
Aaron Parecki
Logging out is an important aspect of security that is often overlooked. While the industry has made significant strides in making logging in more secure with OAuth and OpenID Connect, there are still many challenges remaining with logging out.
When it comes to securing user accounts, we often think about password strength, 2-factor authentication, and account recovery methods. However, we often forget about the importance of logging out. A secure logout process is just as important as a secure login process, especially in today's world where users are accessing multiple applications on various devices. Targeted logout is an emerging concept that addresses the security challenges of logging out of multiple applications on a single device.
In this session, we will explore the concept of targeted logout and why it is necessary for modern applications.
This session will cover the following topics:
• The importance of targeted logout in preventing session hijacking, cookie theft, and other security threats.
• The challenges of logging out of multiple applications on a single device. Whether this is browsers dropping support of third party cookies, or sandboxed native apps unable to share data, communicating logout information to all applications from an authorization server remains a challenge.
• The challenges of linking native app and web browser sessions on the same device. When a native application uses the recommended browser-based login flow, a web session is created on the device along with the tokens issued to the app, but these aren’t necessarily linked today.
In this session, we will explore the importance of targeted logout and discuss the tools available for implementing this concept in modern applications. We will cover what tools exist today in OAuth and OpenID Connect for implementing targeted logout, and will identify the gaps where there is a potential for creating new solutions.
Conformance testing for OpenID for Verifiable Credentials
Joseph Heenan
Digital wallets and verifiable credentials are currently a hot topic in many jurisdictions around the world, with work ongoing in the EU, ISO, Japan, USA and many more that leverages OpenID Foundation (OIDF) standards. OIDF has a history of creating conformance tests and certification programmes for OpenID standards.
OIDF is currently working on tests for the OpenID for Verifiable Presentations, OpenID for Verifiable Credential Issuance and OpenID4VC High Assurance Interoperability Profile (HAIP) specifications to ensure that deployments of these protocols are both interoperable and correctly implement the security properties. Joseph talks about the approach being taken, demonstrates the progress to date, and shares the future roadmap and how implementors can run the current tests.