OSW 2023

Agenda Wednesday

Talks & Tutorials Wednesday

OAuth 2.1

Aaron Parecki

Since the original publication of OAuth 2.0 (RFC 6749) in 2012, several new RFCs have been published that either add or remove functionality from the core spec, including OAuth 2.0 for Native Apps, Proof Key for Code Exchange, OAuth for Browser-Based Apps, and OAuth 2.0 Security Best Current Practice. OAuth 2.1 is an in-progress effort to consolidate and simplify OAuth 2.0 by packaging up all the best practices into a new version of the spec. This session will cover the current status of this ongoing work and what you need to know to be prepared for the publication of OAuth 2.1.

Tutorial: High-security & interoperable OAuth 2: What’s the latest?

Joseph Heenan, Daniel Fett

OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has been historically difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last five years working to improve the state of the art and will present the latest developments in the field.

There are challenges when trying to achieve high security and interoperability with OAuth2: There are many potential threats, some not part of the original OAuth threat model. To seamless authorizations, optionality must be minimized OAuth itself and also in any extensions used.

Six years ago, the IETF OAuth working group started work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.

We will help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and security through the use of techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS, discussing the benefits and potential disadvantages of each. We highlight the benefits for implementers and the role of conformance testing tools.

A Key Is Not Enough: OpenID Connect Federation 1.0

Roland Hedberg, Michael B. Jones, Giuseppe De Marco, John Bradley, Vladimir Dzhuvinov

Large scale identity federations and wallet applications need more than basic public key attestation, handled traditionally by X.509 certificates. The new OpenID specification combines support for real world trust topologies, a rich set of APIs and built-in metadata discovery & policing -- a one-stop solution for attesting entities on the Internet.

Formal Verification of the Cedar Policy Language

Darin McAdams

Cedar is a new authorization policy language & evaluation engine developed by AWS and open sourced in May 2023. While standards such as OpenID Connect provide authentication, Cedar solves for authorization at a finer granularity than can be expressed by course-grained OAuth scopes. This talk will introduce Cedar, describe the motivations for its creation, and deep-dive into the ways that formal verification techniques have been applied to its development.

AM coffee break

Keynote/Invited Talk: Programming Engineers: How Standards Shape the Way We Work (Justin Richer)

Justin Richer

When programming a computer system, developers utters strange and specific incantations in esoteric languages to make the system do their bidding. Computers have the benefit of being fairly predictable.

But what if the runtime environment was not so stable? What if one command could get interpreted in a nearly infinite variety of ways? What if even the most fundamental instructions could be simply ignored or countered at any point ... just because?

This is exactly the world that standards writers live in, where the standards text is executed on the most unreliable platform possible: the minds of implementors around the world. After all, a standard document is really just a set of instructions with a desired output; it's just that the output is itself a software system and its behavior.

So how do you work in this kind of space? By approaching standards with an engineering mindset, both in writing and reading them, systems and protocols can be more robust and predictable for everyone. Come to this talk to find out what you should do, and what you must pay attention to, in the unpredictable world of the internet.

Invited Talk



Identity Theft using In-Browser Communications in Dual-Window Single Sign-On

Louis Jannett

Academic security and privacy research on Single Sign-On (SSO) protocols like OAuth 2.0 and OpenID Connect 1.0 focused on the standardized single-window authentication flows, which rely on HTTP redirects to transfer identity tokens between the Service Providers (SPs) and Identity Providers (IdPs). However, modern web applications like single page applications may not be able to execute single-window SSO because they lose the local state in case of HTTP redirects. By using novel browser technologies, such as postMessage, developers designed and implemented SSO flows that are not standardized and have not been analyzed thoroughly. We call them dual-window SSO flows.

In the first part of this talk, we present our recent work published at CCS’22 [1], in which we provided the first comprehensive evaluation of dual-window SSO. In particular, we focused on the in-browser communication used to exchange authentication tokens between SPs and IdPs in iframes and popups. We found that 56% of the SPs in the Tranco top 1k list support dual-window SSO. Surprisingly, 28% of the SPs implemented dual-window SSO without using official SDKs, leading to identity theft and XSS in 31% of these self-implemented SPs. Our ongoing research shows that 50% of the SPs in the Tranco top 1m list support dual-window SSO (20,595 of 41,411 domains, 50%). Our large-scale scan further shows that developers prefer to manually implement dual-window SSO (11,766 of 20,595 domains, 57%), increasing the overall risk for implementation flaws and token leaks.

In the second part of this talk, we present prior [2, 3] and discuss preferable future standardization attempts of dual-window SSO. The increased attack surface of dual-window SSO has been addressed with the recent inclusion of "Attacks on In-Browser Communication Flows” into the OAuth 2.0 Security Best Current Practice [4]. However, the standardization of dual-window SSO is still open for discussion. Thereby, we also consider current and future browser cookie policies and how they have an impact on SSO in general.

[1] https://dl.acm.org/doi/10.1145/3548606.3560692

[2] https://datatracker.ietf.org/doc/html/draft-ideskog-assisted-token-05

[3] https://datatracker.ietf.org/doc/html/draft-sakimura-oauth-wmrm-00

[4] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-attacks-on-in-browser-commu