Why Developers Do Care About OAuth and OpenID Connect

27 January 2019 OAuth

Recently, Okta released an article titled “Nobody Cares About OAuth or OpenID Connect” that authoritatively stated that “Developers don’t care about OAuth or OpenID Connect". I strongly disagree.

I recommend you give the article a read before reading my rebuttal below (although you might want to skip to “Why Nobody Cares About OAuth and OpenID Connect” and onwards).

Their key takeaways are:

  • The security community needs to keep developers safe
  • Developers using OAuth and OpenID Connect client libraries is similar to them rolling their own crypto
  • Client libraries should handle all of the authentication and authorization for developers, not just OAuth and OpenID Connect
Continue reading...

ASP.NET Core using Proof Key for Code Exchange (PKCE)

22 January 2019 OpenID Connect Last Updated: 13 October 2019

Proof Key for Code Exchange (PKCE) was initially designed for native/mobile client applications when using OAuth; however, as a happy accident, it’s also handy for all other kinds of applications. Because of this, new specifications and BCP documents are starting to encourage the use of PKCE across the board.

PKCE allows us to ensure that the client application swapping an authorization code for tokens, is the same application that initially requested the authorization code. It protects us from bad actors from stealing authorization codes and using them.

In this article, we’re going to see how we can add PKCE support to an existing ASP.NET Core OpenID Connect client application (with some IdentityServer4 config thrown in for good measure).

Continue reading...

Cheat Sheet: OAuth for Browser-Based Applications (e.g. a JavaScript SPA)

22 January 2019 OAuth

Confused how to properly authenticate access an API when using a browser-based application? Then use the below cheat sheet to choose the right approach for your needs.

The Scenario

I have an application running within the context of the browser (e.g. a React or Angular Single Page Application (SPA)) that wants to access an API on behalf of a user. This authenticated API call will be made directly from the user’s browser, and only our application should be able to call it on behalf of our authenticated user (i.e. we’re not vulnerable to Cross-Site Request Forgery (CSRF/XSRF).

Angular Logo
React Logo
Vue Logo
Aurelia Logo
Continue reading...

JSON Web Encryption (JWE) in .NET Core

14 January 2019 C#

A signed JSON Web Token (JWT) is one of the most useful and common constructs you’ll see floating around modern security systems. These tokens give us a simple, secure structure in which to transfer data and verify that it has not been tampered with. However, what about when we need to send sensitive data within a JWT?

To solve this issue, we have JSON Web Encryption (JWE), enabling us to encrypt a token so that only the intended recipient can read it.

In this article, we’re going to look at how we can protect sensitive data within our JWTs in .NET Core, using JWEs and the various token libraries available to us.

.NET Core

JWE Format

We’re going to use JWE Compact Serialization (as opposed to JWE JSON Serialization), which looks something like the following...

Continue reading...

Migrating oidc-client-js to use the OpenID Connect Authorization Code Flow and PKCE

11 January 2019 Angular

Recently, there’s been a bit of a palaver around a draft specification proposed to the OAuth Working Group and its recommendation of abandoning the implicit flow in browser-based applications, e.g. Single Page Applications (SPAs), in favor of the authorization code flow with Proof-Key for Code Exchange (PKCE).

This article is going to look at how to update the Angular application found in my previous article “SPA Authentication using OpenID Connect, Angular CLI and oidc-client”, to start using the authorization code flow and PKCE.

Continue reading...

Software Tokens Won't Save You

09 January 2019 Authentication

Software tokens, such as those you use in software token apps such as Google Authenticator and Authy, have been getting a bit of flack recently thanks to the growing adoption of FIDO2 and WebAuthn. Software tokens (aka soft tokens) still have their benefits and are easily one of the most widely adopted second factors used alongside passwords; however, I think a lot of us are using them for the wrong reasons. Not only are soft tokens phishable, but in the event of a breach, soft tokens won’t save you.

In this article, I’m going to look how a typical TOTP software token implementation works, and then pick apart their advantages and disadvantages.

Continue reading...

Year in Review: 2018 Catch Up

01 January 2019 General

The past few years since joining Rock Solid Knowledge have been a bit of a blur. I’ve gone from living in a small flat in Cornwall with no central heating, sat all year in a small office of 3, to being married, living in a city, and becoming sick of flying.

I know I’ve accomplished a lot these past few years, but I still seem to feel like I’m not moving fast enough or that someone will eventually discover me for the fraud that I am.

So, to combat this feeling, and since my wife keeps telling me that I should share what I do more often, I’m going to publicly take stock of the past couple of years and think about what I want from 2019. In true social media fashion, I’m going to only discuss the positives, but obviously there were some lows; however, those are private.

Hopefully, this will be useful for me to review again in 2020.

What’s Happened since 2016

In the mad rush since 2016, I have...

Continue reading...

Creating Your Own IdentityServer4 Storage Library

11 December 2018 Identity Server

Over the years I’ve experienced many opinions about the default IdentityServer4 storage libraries; however, no matter your views on entity framework, clustered indexes, and varchar lengths, if you have concerns with the defaults then my advice is always the same: If you have database expertise in-house, use it and create your own storage layer.

Creating your own IdentityServer4 persistence store is very simple. There are only a handful of interfaces to implement, each with just a few read and write methods. They are not full repository layers, nor do they dictate database type or structure.

So, let’s take a look and see what’s involved with implementing our own IdentityServer4 storage library...

Continue reading...

Removing Shared Secrets for OAuth Client Authentication

02 October 2018 OAuth

Passwords suck. We all complain about them and constantly look for alternatives or add multiple factors to secure our user authentication. So why do many of us still use passwords to authenticate our OAuth clients? After all, a client ID and client secret is just a username and password with a different name.

One of the easiest ways to remove the use of shared secrets for client authentication is to replace them with public-key cryptography by using JWT Bearer Token for Client Authentication defined in RFC 7523 and again detailed in the core OpenID Connect specification as the private_key_jwt client authentication method.

This flow makes use of signed JSON Web Tokens (JWTs) to simplify public-key cryptography, allowing us to use well known and established libraries to simplify our implementation.

Continue reading...

Delegation Patterns for OAuth 2.0

27 September 2018 OAuth Last Updated: 28 September 2018

With the rising popularity of patterns such as microservices, it is becoming more and more common that the API that your client application is calling, isn’t the API that is going to be performing the requested functionality. Instead, you could be calling an API gateway.

OAuth is all about delegation. It allows a client application to ask resource owner (a user) for permission to access a protected resource (an HTTP API) on their behalf. It is a delegation protocol.

So, what happens when a client application communicates with a protected resource that itself then needs to interact with other protected resources? How do we keep this request acting on the user’s behalf? How do we do this securely without getting the user involved again?

Continue reading...