Breaking real-world OAuth 2.0 implementations with state machines

02.07.2019, O4 Coworking at Olivia Business Centre

The OAuth 2.0 protocol is used everywhere, from startups to large corporations and cloud service providers. It allows users to log in to services such as Google and Facebook (through its cousin, OpenID Connect) and lets users delegate access to third-party applications. The security of OAuth 2.0 is a topic of active research, with rigorous analyses, peer-reviewed papers and constantly evolving RFCs covering its threat model and best practices. It would seem that this wealth of information makes building a robust OAuth 2.0 system a hard, yet achievable, goal. Real-life deployments, however, also need to deal with other aspects, such as two-factor authentication (2FA), single sign-on (SSO) and user credential management (including the dreaded password reset), and those are rarely covered by existing threat models. How, then, do we approach finding implementation flaws in such complex systems? Join Marcin as he shows how combining state machines with threat modeling techniques can help discover serious security flaws in OAuth 2.0 systems.
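To make the idea in the abstract concrete, here is a small added example (constructed for this page, not code from the talk or from Auth0) that models the OAuth 2.0 authorization-code flow of RFC 6749 section 4.1 as an explicit state machine. The states, event names, the `replay` helper and the sample traces are assumptions of this example. The happy path is a transition table; every `(state, event)` pair the table does not cover is listed by `uncovered_pairs()` as a question for the threat model ("what happens if this event arrives in this state?"), and per-event guards enforce the two checks the RFC spells out for this flow: the returned `state` parameter must match the one the session issued, and an authorization code is redeemed at most once.

```python
"""Authorization-code flow (RFC 6749 section 4.1) as an explicit state machine.
Constructed example: states, events and sample traces are assumptions."""
import itertools

STATES = ("INIT", "AUTHZ_REQUESTED", "CODE_RECEIVED", "TOKEN_ISSUED", "FAILED")
EVENTS = ("authorize", "callback", "exchange")

# Happy-path transitions only: (current state, event) -> next state.
TRANSITIONS = {
    ("INIT", "authorize"): "AUTHZ_REQUESTED",
    ("AUTHZ_REQUESTED", "callback"): "CODE_RECEIVED",
    ("CODE_RECEIVED", "exchange"): "TOKEN_ISSUED",
}


def uncovered_pairs():
    """Every (state, event) pair with no transition in the table. Each one is
    a case the threat model has to answer explicitly (FAILED is terminal)."""
    return sorted(p for p in itertools.product(STATES, EVENTS)
                  if p not in TRANSITIONS and p[0] != "FAILED")


class Session:
    """One client-side login attempt, driven by events from the browser."""

    def __init__(self, expected_state):
        self.state = "INIT"
        self.expected_state = expected_state  # value sent in the `state` parameter
        self.code = None                      # authorization code received on callback
        self.redeemed = set()                 # codes already exchanged for a token
        self.trace = []                       # (state, event, decision) for review

    def _guard(self, event, payload):
        """Checks that the transition table alone cannot express."""
        if event == "callback":
            # RFC 6749 section 10.12: the returned state must match ours.
            return payload.get("state") == self.expected_state
        if event == "exchange":
            # The code must be the one this session received, and single-use.
            return (payload.get("code") == self.code
                    and payload["code"] not in self.redeemed)
        return True

    def handle(self, event, **payload):
        nxt = TRANSITIONS.get((self.state, event))
        ok = nxt is not None and self._guard(event, payload)
        self.trace.append((self.state, event, "accept" if ok else "reject"))
        if not ok:
            self.state = "FAILED"   # any unmodelled or failed-guard event ends the session
            return False
        if event == "callback":
            self.code = payload["code"]
        elif event == "exchange":
            self.redeemed.add(payload["code"])
        self.state = nxt
        return True


def replay(events, expected_state="s1"):
    """Run a list of (event, payload) pairs through a fresh session and return
    the final state together with the accept/reject trace."""
    session = Session(expected_state)
    for event, payload in events:
        session.handle(event, **payload)
    return session.state, session.trace


if __name__ == "__main__":
    happy = [("authorize", {}),
             ("callback", {"code": "c1", "state": "s1"}),
             ("exchange", {"code": "c1"})]
    print(replay(happy))
    # Callback carrying a state value this session never issued.
    print(replay([("authorize", {}), ("callback", {"code": "c1", "state": "other"})]))
    # A second redemption of the same code after a token was already issued.
    print(replay(happy + [("exchange", {"code": "c1"})]))
    for pair in uncovered_pairs():
        print("threat-model question:", pair)
```

The value of the model is less in the three happy-path transitions than in the nine uncovered pairs it prints: each of them is a concrete place where a real deployment, with its 2FA, SSO and password-reset steps bolted on, has to decide what it does, and where an implementation that silently accepts the event instead of rejecting it is worth a closer look.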


Marcin Hoppe

Marcin has enjoyed software development for over a decade. One day he decided to turn to security engineering and has not looked back since. He leads the product security team at Auth0, serves on the Node.js Foundation Security Working Group and co-leads the OWASP Serverless Top 10 project.

Watch the recording