How to f*ck up at OAuth2 while following BCPs

Best current practices (BCPs) for implementing OAuth2 and OIDC have undergone many changes over the years. In this presentation we highlight the risks of staying with the ancient (roughly 2019-2021) “current” best practices. The current (circa 2022) BCPs bring many changes, such as deprecation of the implicit flow, required usage of PKCE, and the BFF pattern, which mitigates some of the previous attack vectors. It takes time for new concepts to fully mature and for secure defaults to emerge. While following the latest BCPs it’s still possible to make mistakes and end up with a broken implementation. This presentation will show some common OAuth2/OIDC security pitfalls and why it is bad practice to use reverse proxy catch-all routing in your BFF, an OAuth2 client with access to many scopes, together with APIs that do authorization based on just a valid token and scopes. Does your BFF enable authenticated SSRF as a Service? During the presentation we will demonstrate both attacks and defences for an OAuth2/OIDC application running locally.

Presented at Security Fest 2023.

Speakers: Pontus Hanssen, Tobias Ahnoff

About Pontus Hanssen


Pontus Hanssen is an experienced security researcher and penetration tester. He loves to hack everything that blinks or has an IP address. Pontus performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security.


About Tobias Ahnoff


Tobias Ahnoff is an experienced developer and architect with a focus on application security. He specializes in implementing authentication flows and authorization for web applications and APIs that manage sensitive data. Tobias performs security reviews and penetration tests as part of Omegapoint Cybersecurity Gothenburg, a group of experts in application security. He also gives courses in application security and is an appreciated speaker on OAuth2 and OpenID Connect.

 