NextGenPSD2 OAuth SCA Mode
Security Recommendations
Torsten Lodderstedt
@tlodderstedt
yes®
OAuth 2.0
● Standard for API access authorization
● Current version 2.0 published in 2012, broadly used and mature
● Updated security guidelines (OAuth 2.0 Security Best Current Practice) under way
Design pattern:
● Separate authentication and authorization from actual API access
● Delegate user interactions to service provider
● User credentials are only touched by the service provider and no 3rd party
● Versatile, secure and privacy preserving
AIS with OAuth SCA Mode - High Level
[Sequence diagram: User, AISP, ASPSP]
1. User → AISP: Start XS2A
2. AISP → ASPSP: Create Account Access Consent; ASPSP returns Consent-ID
3. OAuth Authorization Code Grant: User gives authorization for Account Access with Consent-ID at the ASPSP; AISP receives access_token
4. AISP → ASPSP: Use access_token for AIS
Closer Look: OAuth SCA Mode
[Sequence diagram: User, AISP, ASPSP]
1. AISP → User agent: Redirect to ASPSP, GET /authorize?scope=AIS:<Consent-ID>&...
2. User gives authorization for account access (incl. SCA) at the ASPSP
3. ASPSP → User agent: Redirect to aisp.com/authok?code=foo42&... (the user agent sends code=foo42 to the AISP)
4. AISP → ASPSP: POST /token, code=foo42...
5. ASPSP → AISP: Send access_token
PIS with OAuth SCA Mode - High Level
[Sequence diagram: User, PISP, ASPSP]
1. User → PISP: Start Payment
2. PISP → ASPSP: Create Payment Resource; ASPSP returns Payment-ID
3. OAuth Authorization Code Grant: User gives authorization for Payment with Payment-ID at the ASPSP; PISP receives access_token
4. PISP → ASPSP: Use access_token
What happens when?
[Sequence diagram: User, PISP, ASPSP, annotated with the state of the payment]
1. User → PISP: Start Payment
2. PISP → ASPSP: Payment Initiation; ASPSP returns Payment-ID (Payment prepared)
3. User gives authorization for Payment with Payment-ID at the ASPSP (Payment authorized & executed)
4. PISP receives access_token and uses it
In this design the payment is executed as a side effect of the user's authorization, before the PISP has obtained and used the access token.
Potential attacks!
Cross-Browser Payment Initiation Attack
[Sequence diagram: Attacker, User, PISP, ASPSP]
1. Attacker → PISP: "Pay my order" (Payment Initiation); the PISP obtains a Payment-ID for the attacker's order and answers with a redirect to the ASPSP
2. Attacker, disguised as a merchant, hands that redirect to the User: "Pay my order"
3. User follows the redirect to the ASPSP and gives authorization for Payment with the attacker's Payment-ID
4. Attacker's payment executed!
Attacker disguises as a merchant. User thinks she pays for her order at the merchant, but instead pays for the attacker's order at PISP!
All details: https://cutt.ly/cross-browser-payment-initation
Security of OAuth
● Many security features of OAuth against CSRF, Replay, … come into play
after user authorization
● Security of OAuth lies in the access token
● Therefore, any subsequent process, including payment, should be performed
with the access token, not within the user authorization process
Better Solution!
[Sequence diagram: User, PISP, ASPSP, annotated with the state of the payment]
1. User → PISP: Start Payment
2. PISP → ASPSP: Payment Initiation; ASPSP returns Payment-ID (Payment prepared)
3. User gives authorization for Payment with Payment-ID at the ASPSP (Payment authorized, not yet executed)
4. PISP receives access_token
5. PISP → ASPSP: Use access_token (Payment executed)
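The two sequence diagrams above differ only in where the money moves. The following added example (not code from the deck or from any PSD2 implementation) models both designs in-process and runs the cross-browser scenario against each. The class names, the session dicts and the "pay-..." identifiers are made up for the illustration, and the HTTP redirects are reduced to function calls.

```python
"""Toy model of the two PIS designs from the slides (added example, not code
from the deck or from any NextGenPSD2 implementation). PISP and ASPSP are
simulated in-process with dicts; names such as Aspsp, Pisp and the
'pay-...' identifiers are made up for the illustration."""
import secrets


class Aspsp:
    """Bank side. execute_on_authz=True models slide 6 (payment executed as a
    side effect of the user's authorization); False models slide 9 (the
    authorization only yields a code, execution needs the access token)."""

    def __init__(self, execute_on_authz: bool):
        self.execute_on_authz = execute_on_authz
        self.payments = {}   # payment_id -> {"status", "amount", "creditor", "debtor"}
        self.codes = {}      # authorization code -> payment_id (one-time use)
        self.tokens = {}     # access_token -> payment_id

    def create_payment(self, amount: int, creditor: str) -> str:
        payment_id = "pay-" + secrets.token_hex(4)
        self.payments[payment_id] = {"status": "prepared", "amount": amount,
                                     "creditor": creditor, "debtor": None}
        return payment_id

    def authorize(self, payment_id: str, user: str) -> str:
        """The user, after SCA, authorizes the payment named in the request."""
        payment = self.payments[payment_id]
        payment["debtor"] = user
        # Vulnerable design: money moves here, whatever happens to the code later.
        payment["status"] = "executed" if self.execute_on_authz else "authorized"
        code = secrets.token_urlsafe(16)
        self.codes[code] = payment_id
        return code

    def token(self, code: str) -> str:
        payment_id = self.codes.pop(code)          # a code is redeemable once
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = payment_id
        return access_token

    def execute(self, access_token: str) -> None:
        payment = self.payments[self.tokens[access_token]]
        if payment["status"] != "authorized":
            raise PermissionError("payment is not in state 'authorized'")
        payment["status"] = "executed"


class Pisp:
    """PISP side. A browser session is a dict; the OAuth state is stored in the
    session that started the flow (session-bound state, slide 10)."""

    def __init__(self, aspsp: Aspsp):
        self.aspsp = aspsp

    def start_payment(self, session: dict, amount: int, creditor: str) -> dict:
        payment_id = self.aspsp.create_payment(amount, creditor)
        session["payment_id"] = payment_id
        session["state"] = secrets.token_urlsafe(16)
        # Stand-in for the redirect to the ASPSP's authorization endpoint.
        return {"payment_id": payment_id, "state": session["state"]}

    def callback(self, session: dict, code: str, state: str) -> str:
        """Authorization response, arriving in whichever browser session
        followed the redirect back to the PISP."""
        if session.get("state") != state:
            return "rejected: state not bound to this session"
        access_token = self.aspsp.token(code)
        self.aspsp.execute(access_token)
        return "executed"


def cross_browser_attack(execute_on_authz: bool) -> tuple:
    """Slide 7: the attacker starts a payment for *his* order at the PISP and
    forwards the resulting authorization redirect to the victim's browser.
    Returns (state of the attacker's payment, what the PISP answered)."""
    aspsp = Aspsp(execute_on_authz)
    pisp = Pisp(aspsp)
    attacker_session, victim_session = {}, {}
    redirect = pisp.start_payment(attacker_session, 100, "attacker-shop")
    # The victim, believing she pays her own order, authorizes at the ASPSP.
    code = aspsp.authorize(redirect["payment_id"], user="victim")
    # The response lands in the victim's session at the PISP, not the attacker's.
    answer = pisp.callback(victim_session, code, redirect["state"])
    return aspsp.payments[redirect["payment_id"]]["status"], answer


if __name__ == "__main__":
    print("payment executed on authorization:", cross_browser_attack(True))
    print("payment executed with access token:", cross_browser_attack(False))
```

With execute_on_authz=True the attacker's payment ends up "executed" although the PISP rejects the response, because the ASPSP already moved the money during authorization. With False the payment stays "authorized": the response reaches the PISP in the victim's session, which holds no matching state, so no token is fetched and nothing is executed. The check that blocks the attack is ordinary session-bound state; it only helps because execution was moved behind the access token.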
Security Recommendations (Overview)
● Adhere to OAuth 2.0 Security Best Current Practice
(https://tools.ietf.org/html/draft-ietf-oauth-security-topics)
● TPP authentication and access token replay protection using OAuth 2.0
Mutual TLS Client Authentication and Certificate Bound Access Tokens
● Protection against code injection through Proof Key for Code Exchange
● Protection against CSRF using session-bound state parameter values
● Protection against Mix-Up attacks using session bound ASPSP specific
redirect URIs
● Protection against session-fixation type of attacks by utilizing OAuth grant
flow as designed
Security Recommendations in Detail
Security Advice in Detail
[Reference sequence diagram for the following slides: User, PISP, ASPSP]
1. User → PISP: Start
2. PISP → ASPSP: Create Consent; ASPSP returns Consent ID
3. PISP → User agent: Redirect to ASPSP, GET /authorize?...
4. User gives authorization for account access at the ASPSP
5. ASPSP → User agent: Redirect to aisp.com/authok?... (the user agent sends code=foo42 to the PISP)
6. PISP → ASPSP: POST /token
7. ASPSP → PISP: Send access_token
8. PISP → ASPSP: Use access_token
Resource Creation
● Mix-up attack* detection: TPP shall set up a redirect URI with the ASPSP
which uniquely identifies the ASPSP
Example: https://aisp.com/authok?aspsp=2
● ASPSP needs to authenticate the TPP using its eIDAS certificate and check the TPP’s
authorization to perform the desired services
*Mix-up attack: a malicious or compromised ASPSP confuses the TPP in order to learn an authorization code
Authorization Request
In preparation of sending the authorization request, the TPP shall
1. CSRF protection: Create a one-time use CSRF token to be conveyed to the
ASPSP in the “state” parameter
2. Code replay protection: Create a one-time use nonce (the PKCE code verifier), whose SHA-256
value, base64url-encoded, will be conveyed to the ASPSP in the “code_challenge” parameter (with code_challenge_method=S256)
3. Bind those values to the current session in the user agent
4. Mix-Up protection: Memorize in the current session the identity of the
ASPSP the request will be sent to
Authorization Request
The ASPSP upon receiving this request must perform this check:
● TPP impersonation detection: the “redirect_uri” value must exactly match the
value the TPP sent to the ASPSP in the “TPP-Redirect-URI” header of the request used to
create the payment or consent resource.
If the check fails, the ASPSP must refuse to process the request and must not
redirect the user agent back to the TPP (the untrusted redirect URI must not be used, not even to report the error).
Authorization Response
The TPP upon receiving this response shall perform the following checks:
1. Mix-Up detection: Redirect URI where the response was received must
match the ASPSP the response was expected to come from.
2. CSRF detection: The “state” value must match the value bound to the current session in the user
agent, and must be accepted only once.
If any of these checks fails, the TPP must refuse to process the authorization
response.
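The TPP-side logic of the preceding slides (preparing the authorization request, then validating the authorization response), written out as an added example in Python; it is not code from the deck or from any NextGenPSD2 implementation. The ASPSP registry, the session dict and the redirect URI base https://aisp.com/authok are constructed for the illustration.

```python
"""TPP-side handling of the authorization request and response (added example,
not code from the deck or from any NextGenPSD2 implementation). The ASPSP
registry, the session dict and the redirect URI base https://aisp.com/authok
are constructed for the illustration."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry of onboarded ASPSPs. The TPP registered one redirect
# URI per ASPSP, distinguished by the aspsp=<id> parameter (slide example
# https://aisp.com/authok?aspsp=2), which makes a Mix-Up detectable on the way back.
ASPSPS = {
    "1": {"authorize": "https://aspsp1.example/authorize"},
    "2": {"authorize": "https://aspsp2.example/authorize"},
}
REDIRECT_BASE = "https://aisp.com/authok"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def prepare_authorization_request(session: dict, aspsp_id: str,
                                  consent_id: str, client_id: str) -> str:
    """Steps 1-4 of the 'Authorization Request' slide. Returns the URL the
    user agent is redirected to; the material needed to check the response
    stays in the user agent's session at the TPP."""
    state = secrets.token_urlsafe(32)                     # 1. one-time CSRF token
    code_verifier = secrets.token_urlsafe(64)             # 2. PKCE verifier ...
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    redirect_uri = f"{REDIRECT_BASE}?aspsp={aspsp_id}"    # ASPSP-specific redirect URI
    session["oauth"] = {                                  # 3. bind to the session
        "state": state,
        "code_verifier": code_verifier,
        "aspsp_id": aspsp_id,                             # 4. memorize the intended ASPSP
        "redirect_uri": redirect_uri,
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": f"AIS:{consent_id}",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,                 # ... only its SHA-256 goes on the wire
        "code_challenge_method": "S256",
    }
    return ASPSPS[aspsp_id]["authorize"] + "?" + urlencode(params)


def validate_authorization_response(session: dict, request_url: str) -> dict:
    """Checks of the 'Authorization Response' slide, run on the URL the user
    agent requested at the TPP. Returns what the token request needs, or
    raises ValueError, which means: do not process the response."""
    pending = session.get("oauth")
    if pending is None:
        raise ValueError("no authorization request pending in this session")
    query = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    # 1. Mix-Up detection: the redirect URI that received the response must be
    #    the one registered for the ASPSP this session expected to answer.
    received = query.get("aspsp")
    if received != pending["aspsp_id"]:
        raise ValueError(f"mix-up: expected ASPSP {pending['aspsp_id']}, "
                         f"response arrived on the redirect URI of ASPSP {received}")
    # 2. CSRF detection: state must equal the value bound to this session.
    if not secrets.compare_digest(query.get("state", "").encode(), pending["state"].encode()):
        raise ValueError("csrf: state does not match this session")
    # The state is one-time use: drop it so a replayed response is rejected too.
    session.pop("oauth")
    if "code" not in query:
        raise ValueError("authorization failed: " + query.get("error", "unknown error"))
    return {"code": query["code"], "code_verifier": pending["code_verifier"],
            "redirect_uri": pending["redirect_uri"], "aspsp_id": pending["aspsp_id"]}
```

The returned dict is exactly what the subsequent token request needs: the code, the verifier that proves the request came from the session that started the flow, and the redirect URI the ASPSP must compare against. The Mix-Up check fires before the state check on purpose: a state value is not secret from the ASPSP that received the authorization request, so it cannot distinguish ASPSPs.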
Token Request
The ASPSP upon receiving the request shall perform the following checks:
1. TPP impersonation detection: Authenticate TPP with eIDAS certificate
2. Code leakage and replay detection: Check that code was sent to exactly
the redirect URI conveyed in the “redirect_uri” request parameter, is still valid,
and is bound to the TPP.
3. Code injection detection: the “code_verifier” value, when hashed with SHA-256 and
base64url-encoded, matches the “code_challenge” value the code is bound to (see [RFC7636], Section
4.6).
If any of these checks fails, the ASPSP must refuse to process the token request; if the code was already used, it should also revoke any token previously issued for it (see [RFC6749], Section 4.1.2).
See [RFC6749], Section 10 and [OAuth 2.0 Security BCP], Section 2.1
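The ASPSP-side counterpart, as an added example (not code from the deck or from any ASPSP product) of the three checks listed above. The TPP registry, the in-memory code store and the client certificate thumbprint passed in by the TLS terminator are assumptions of this example; the thumbprint is the base64url SHA-256 of the DER certificate, i.e. the x5t#S256 confirmation value of [mTLS].

```python
"""Token endpoint checks of an ASPSP (added example, not code from the deck
or from any ASPSP product). The code store, the TPP registry and the
client_cert_thumbprint handed over by the TLS terminator are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 60

# Constructed registry of TPPs: client_id -> thumbprint of the eIDAS (QWAC)
# certificate the TPP authenticates with, plus the PSD2 roles it holds.
TPP_REGISTRY = {
    "tpp-1": {"cert_thumbprint": "thumb-tpp-1", "roles": {"PSP_AI", "PSP_PI"}},
}


def s256(value: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(value)) without padding."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class CodeStore:
    """Authorization codes with everything the token request is checked
    against: issuing client, redirect_uri, PKCE challenge, scope, issue time."""

    def __init__(self):
        self._codes = {}

    def issue(self, client_id, redirect_uri, code_challenge, scope, now=None) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "code_challenge": code_challenge, "scope": scope,
                             "issued_at": time.time() if now is None else now}
        return code

    def consume(self, code):
        """Single use: the record is removed on first lookup, so a replayed
        code (or one that failed a later check) can never be redeemed."""
        return self._codes.pop(code, None)


def token_request(store: CodeStore, client_id: str, client_cert_thumbprint: str,
                  code: str, redirect_uri: str, code_verifier: str, now=None) -> dict:
    """Returns a token response dict or {"error": ...} (RFC 6749, Section 5.2)."""
    now = time.time() if now is None else now
    # 1. TPP impersonation detection: the mTLS client certificate must be the
    #    eIDAS certificate registered for client_id. Checked first, so an
    #    unauthenticated caller cannot even burn somebody else's codes.
    tpp = TPP_REGISTRY.get(client_id)
    if tpp is None or not hmac.compare_digest(tpp["cert_thumbprint"], client_cert_thumbprint):
        return {"error": "invalid_client"}
    # 2. Code leakage and replay detection.
    record = store.consume(code)
    if record is None:                          # unknown, or already used once
        return {"error": "invalid_grant", "reason": "code unknown or already used"}
    if record["client_id"] != client_id:        # code was issued to another TPP
        return {"error": "invalid_grant", "reason": "code not bound to this client"}
    if record["redirect_uri"] != redirect_uri:  # code was delivered elsewhere
        return {"error": "invalid_grant", "reason": "redirect_uri mismatch"}
    if now - record["issued_at"] > CODE_LIFETIME_SECONDS:
        return {"error": "invalid_grant", "reason": "code expired"}
    # 3. Code injection detection (PKCE, RFC 7636 Section 4.6).
    if not hmac.compare_digest(s256(code_verifier), record["code_challenge"]):
        return {"error": "invalid_grant", "reason": "code_verifier does not match"}
    # All checks passed: issue an access token bound to the TPP's certificate
    # (cnf/x5t#S256 confirmation of RFC 8705) with the scope of the code.
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": record["scope"],
        "cnf": {"x5t#S256": client_cert_thumbprint},
    }
```

The store consumes the code on first lookup, before the remaining checks run; a code that failed the redirect_uri or PKCE check is therefore gone as well, which is what RFC 6749 expects of a single-use grant. Returning the scope in the response is what enables the scope-swap check on the next slide.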
Token Response (Scope swap detection)
● ASPSP must return scope values assigned to the access token
● Upon receiving the token response, the TPP must check whether the scope
assigned to the access token is the same as requested in the authorization
request.
● If this check fails, the TPP must refuse to process the token response.
API Requests (access token replay detection)
● On every API request, the TPP shall be authenticated using TLS client
authentication and its eIDAS certificate according to [mTLS], Section 3.
● The resource server must check whether the certificate used for TLS Client
Authentication matches the certificate the access token is bound to (see
[mTLS], Section 3).
● The ASPSP must also check that the access token is still valid and whether
the permission associated with the access token entitles the TPP to perform
the specific request.
● If any of these checks fails, the request must be refused by responding with a
suitable HTTP Status code.
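The resource-server side of these checks, as an added example (not code from the deck or from any ASPSP API). The token store stands in for what token introspection or JWT validation would return, the DER certificate bytes are constructed, and the path-to-scope mapping, including a PIS:<Payment-ID> scope that mirrors the AIS:<Consent-ID> form shown in the authorization request earlier, is an assumption of the example.

```python
"""Resource-server checks for a certificate-bound access token on a PSD2 API
request (added example, not code from the deck). Token store, certificate
bytes and the path-to-scope mapping are constructed for this example."""
import base64
import hashlib
import hmac
import re
import time


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint confirmation value of RFC 8705: base64url(SHA-256(DER))."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed bytes standing in for the TPP's DER-encoded eIDAS certificate
# as presented in the TLS handshake.
TPP_CERT_DER = b"constructed DER bytes of the tpp-1 QWAC"

# Constructed token store: opaque access token -> introspection result,
# including the certificate the token was bound to at issuance.
TOKENS = {
    "at-1": {"active": True, "exp": 2_000_000_000, "scope": "AIS:c-1",
             "client_id": "tpp-1", "cnf": {"x5t#S256": x5t_s256(TPP_CERT_DER)}},
    "at-2": {"active": True, "exp": 2_000_000_000, "scope": "PIS:pay-1",
             "client_id": "tpp-1", "cnf": {"x5t#S256": x5t_s256(TPP_CERT_DER)}},
}

ACCOUNT_PATHS = re.compile(r"^/v1/accounts(/|$)")
PAYMENT_PATHS = re.compile(r"^/v1/payments/[^/]+/([^/]+)")


def required_scope(method: str, path: str, headers: dict):
    """Maps the concrete request to the scope value that entitles it
    (assumed mapping: account calls are selected by a Consent-ID header,
    payment calls carry the Payment-ID in the path)."""
    if ACCOUNT_PATHS.match(path) and "Consent-ID" in headers:
        return "AIS:" + headers["Consent-ID"]
    m = PAYMENT_PATHS.match(path)
    if m:
        return "PIS:" + m.group(1)
    return None


def authorize_api_request(access_token: str, client_cert_der: bytes, method: str,
                          path: str, headers: dict, now=None) -> tuple:
    """Returns (HTTP status, reason): 401 for token problems, 403 when the
    token is valid but does not entitle this particular request."""
    now = time.time() if now is None else now
    token = TOKENS.get(access_token)
    if token is None or not token.get("active"):
        return 401, "invalid_token"
    if now >= token["exp"]:
        return 401, "invalid_token: expired"
    # Access token replay detection: the certificate used for TLS client
    # authentication must be the one the token is bound to ([mTLS], Section 3).
    # A token stolen from the TPP is useless without the TPP's private key.
    if not hmac.compare_digest(x5t_s256(client_cert_der), token["cnf"]["x5t#S256"]):
        return 401, "invalid_token: certificate does not match cnf"
    needed = required_scope(method, path, headers)
    if needed is None or needed not in token["scope"].split():
        return 403, "insufficient_scope"
    return 200, "ok"
```

The order matters: the certificate binding is checked before the entitlement check so that a replayed token never gets as far as a scope evaluation, and the status codes follow RFC 6750 (401 for an unusable token, 403 for a usable token that lacks the scope).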
Q&A!
Latest Drafts & Publications
OAuth 2.0 Security Best Current Practice (since published as RFC 9700)
https://tools.ietf.org/html/draft-ietf-oauth-security-topics
Cross-Browser Payment Initiation Attack
https://cutt.ly/cross-browser-payment-initation
OpenID Connect 4 Identity Assurance
https://openid.net/specs/openid-connect-4-identity-assurance.html
Transaction Authorization or why we need to re-think OAuth scopes
https://cutt.ly/oauth-transaction-authorization
JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
https://openid.net/specs/openid-financial-api-jarm-ID1.html
OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (since published as RFC 9449)
https://tools.ietf.org/html/draft-fett-oauth-dpop
Dr. Torsten Lodderstedt
CTO, yes.com
torsten@yes.com
@tlodderstedt
yes®
Talk to me about
- Details on OAuth Security Best Practices
- The OAuth Security Workshop
- Other emerging OAuth & OpenID stuff
- Partnering with and working at yes.com
Mix-Up Attack
Mix-Up Attack
[Sequence diagram: User, PISP, ASPSP 1 (malicious or compromised), ASPSP 2 (honest)]
1. PISP → User agent: Redirect to ASPSP 1, GET /authorize...
2. ASPSP 1 forwards the authorization request to ASPSP 2
3. User gives authorization for account access at ASPSP 2
4. ASPSP 2 → User agent: Redirect to aisp.com/authok?code=42&...
5. User agent → PISP: GET /authok?code=42&...
6. PISP believes the response came from ASPSP 1 and sends POST /token, code=42... to ASPSP 1
7. Attacker learns code!
Mitigation
[Same sequence diagram; the PISP uses a unique redirect URI for each ASPSP, e.g., by encoding the ASPSP ID into a URI parameter]
1. PISP → User agent: Redirect to ASPSP 1, GET /authorize...
2. ASPSP 1 forwards the request to ASPSP 2; User gives authorization for account access at ASPSP 2
3. ASPSP 2 → User agent: Redirect to aisp.com/authok?aspsp=2&code=42&...
4. User agent → PISP: GET /authok?aspsp=2&code=...
5. PISP can detect the attack here! Mismatch between the intended ASPSP (1) and the ASPSP identity in the redirect URI (2)

More Related Content

What's hot

OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenIDFoundation
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Kristina Yasuda
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsTorsten Lodderstedt
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OpenIDFoundation
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Torsten Lodderstedt
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2Mike Schwartz
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 

What's hot (20)

OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018
 
OAuth Base Camp
OAuth Base CampOAuth Base Camp
OAuth Base Camp
 
Full stack security
Full stack securityFull stack security
Full stack security
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenID
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 

Similar to NextGenPSD2 OAuth SCA Mode Security Recommendations

OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esbhimajareddys
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorizationanikristo
 
Trends in Banking APIs
Trends in Banking APIsTrends in Banking APIs
Trends in Banking APIsTatsuo Kudo
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right!  How to secure OAuth authentication from your...The Client is not always right!  How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 

Similar to NextGenPSD2 OAuth SCA Mode Security Recommendations (20)

OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Mule security
Mule securityMule security
Mule security
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS Enhancement
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
 
Trends in Banking APIs
Trends in Banking APIsTrends in Banking APIs
Trends in Banking APIs
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right!  How to secure OAuth authentication from your...The Client is not always right!  How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 

More from Torsten Lodderstedt

OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes DecentralizedTorsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32Torsten Lodderstedt
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectTorsten Lodderstedt
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceTorsten Lodderstedt
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityTorsten Lodderstedt
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectTorsten Lodderstedt
 

More from Torsten Lodderstedt (17)

OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
 

Recently uploaded

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 

Recently uploaded (9)

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 

NextGenPSD2 OAuth SCA Mode Security Recommendations

  • 1. NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt @tlodderstedt yes®
  • 2. OAuth 2.0 ● Standard for API access authorization ● Current version 2.0 published in 2012, broadly used and mature ● Updated Security Guidlines under way Design pattern: ● Separate authentication and authorization from actual API access ● Delegate user interactions to service provider ● User credentials are only touched by the service provider and no 3rd party ● Versatile, secure and, privacy preserving
  • 3. AIS with OAuth SCA Mode - High Level (sequence diagram: User, AISP, ASPSP). Start XS2A: the AISP creates an Account Access Consent at the ASPSP and receives a Consent-ID; the user gives authorization for Account Access with that Consent-ID via the OAuth Authorization Code Grant; the AISP receives an access_token and uses it for AIS.
  • 4. Closer Look: OAuth SCA Mode (sequence diagram: User, AISP, ASPSP). The AISP redirects the user agent to the ASPSP with GET /authorize?scope=AIS:<Consent-ID>&...; the user gives authorization for account access (incl. SCA); the ASPSP redirects to aisp.com/authok?code=foo42&...; the AISP sends POST /token, code=foo42...; the ASPSP sends the access_token.
  • 5. PIS with OAuth SCA Mode - High Level (sequence diagram: User, PISP, ASPSP). Start Payment: the PISP creates a Payment Resource at the ASPSP and receives a Payment-ID; the user gives authorization for the Payment with that Payment-ID via the OAuth Authorization Code Grant; the PISP receives an access_token and uses it.
  • 6. What happens when? (the slide-5 PIS sequence, annotated). Payment Initiation (Start Payment, Payment-ID): payment prepared. User gives authorization for Payment with Payment-ID: payment authorized & executed. Only afterwards: access_token issued and used. Potential attacks!
  • 7. Cross-Browser Payment Initiation Attack (sequence diagram: Attacker, User, PISP, ASPSP). The attacker starts a Payment Initiation at the PISP ("Pay my order"), obtains a Payment-ID and the redirect to the ASPSP; the same redirect to the ASPSP is then followed in the user's browser ("Pay my order"), the user gives authorization for the Payment with the attacker's Payment-ID, and the attacker's payment is executed. Attacker disguises as a merchant. User thinks she pays for her order at the merchant, but instead pays for the attacker’s order at the PISP! All details: https://cutt.ly/cross-browser-payment-initation
  • 8. Security of OAuth
    ● Many security features of OAuth against CSRF, Replay, … come into play after user authorization
    ● The security of OAuth lies in the access token
    ● Therefore, any subsequent process, including payment, should be performed with the access token, not within the user authorization process
  • 9. Better Solution! (the slide-5 PIS sequence, annotated). Payment Initiation (Start Payment, Payment-ID): payment prepared. User gives authorization for Payment with Payment-ID: payment authorized. Use access_token: payment executed.
  • 10. Security Recommendations (Overview)
    ● Adhere to OAuth 2.0 Security Best Current Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics)
    ● TPP authentication and access token replay protection using OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
    ● Protection against code injection through Proof Key for Code Exchange (PKCE)
    ● Protection against CSRF using session-bound state parameter values
    ● Protection against Mix-Up attacks using session-bound, ASPSP-specific redirect URIs
    ● Protection against session-fixation type of attacks by utilizing the OAuth grant flow as designed
  • 12. Security Advice in Detail (sequence diagram: User, PISP, ASPSP; the same diagram is repeated on the following slides for the step under discussion). Start: Create Consent at the ASPSP, receive Consent ID; GET /authorize?... and Redirect to ASPSP; User gives authorization for account access; Redirect to aisp.com/authok?... (Send code=foo42); POST /token; Send access_token; Use access_token.
  • 13. Resource Creation (repeats the slide-12 sequence diagram)
  • 14. Resource Creation
    ● Mix-up attack* detection: the TPP shall set up a redirect URI with the ASPSP which uniquely identifies the ASPSP. Example: https://aisp.com/authok?aspsp=2
    ● The ASPSP needs to authenticate the TPP using its eIDAS certificate and check the TPP’s authorization to perform the desired services.
    *Mix-up attack: a malicious or compromised ASPSP confuses the TPP in order to learn an authorization code.
  • 15. Authorization Request (repeats the slide-12 sequence diagram)
  • 16. Authorization Request. In preparation of sending the authorization request, the TPP shall:
    1. CSRF protection: create a one-time use CSRF token to be conveyed to the ASPSP in the “state” parameter.
    2. Code replay protection: create a one-time use nonce (the PKCE code verifier), whose SHA-256 value will be conveyed to the ASPSP in the “code_challenge” parameter ([RFC7636], method S256).
    3. Bind those values to the current session in the user agent.
    4. Mix-Up protection: memorize in the current session the identity of the ASPSP the request will be sent to.
  • 17. Authorization Request. The ASPSP upon receiving this request must perform these checks:
    ● TPP impersonation detection: the “redirect_uri” value must exactly match the value sent to the ASPSP with the request used to create the payment or consent resource in the header “TPP-Redirect-URI”.
    ● Otherwise, the ASPSP must refuse to process the request and must not redirect the user agent back to the TPP.
  • 18. Authorization Response (repeats the slide-12 sequence diagram)
  • 19. Authorization Response. The TPP upon receiving this response shall perform the following checks:
    1. Mix-Up detection: the redirect URI where the response was received must match the ASPSP the response was expected to come from.
    2. CSRF detection: the “state” value is linked to the current session in the user agent.
    If any of these checks fails, the TPP must refuse to process the authorization response.
  • 20. Token Request (repeats the slide-12 sequence diagram)
  • 21. Token Request. The ASPSP upon receiving the request shall perform the following checks:
    1. TPP impersonation detection: authenticate the TPP with its eIDAS certificate.
    2. Code leakage and replay detection: check that the code was sent to exactly the redirect URI conveyed in the “redirect_uri” request parameter, is still valid (unexpired and not yet used), and is bound to the authenticated TPP.
    3. Code injection detection: the “code_verifier” value, when hashed, matches the “code_challenge” value the code is bound to (see [RFC7636], Section 4.6).
    If any of these checks fails, the ASPSP must refuse to process the token request. See [RFC6749], Section 10 and [OAuth 2.0 Security BCP], Section 2.1.
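The two ASPSP-side check lists above (slide 17 at the authorization endpoint, slide 21 at the token endpoint) as one runnable Python example. This is added example code, not code from the talk or from the NextGenPSD2 specification; the resource store, the TPP identifier, the 60-second code lifetime and the way the TLS-authenticated TPP identity is handed to the token endpoint are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

CODE_LIFETIME_SECONDS = 60  # assumption: how long an authorization code stays valid

# Constructed sample data: the consent resource the TPP created via XS2A before the
# authorization request, with the TPP-Redirect-URI header it sent at that time, and
# a hypothetical TPP identifier as it would be taken from the TPP's eIDAS certificate.
RESOURCES = {
    "c-1234": {"tpp_id": "PSDDE-BAFIN-123456", "tpp_redirect_uri": "https://aisp.com/authok?aspsp=2"},
}
ISSUED_CODES: dict = {}  # code -> binding record (TPP, redirect_uri, scope, challenge, expiry, used)


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge of RFC 7636: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_endpoint(params: dict, now: float, code: str) -> Optional[str]:
    """Slide 17. Returns the redirect target carrying the code, or None when the
    ASPSP must refuse and must NOT redirect the user agent back to the TPP.
    'code' is the value the ASPSP would generate; it is passed in to keep the
    example deterministic."""
    scope = params.get("scope", "")
    resource = RESOURCES.get(scope.split(":", 1)[1]) if ":" in scope else None
    if resource is None:
        return None
    # TPP impersonation detection: exact match with the stored TPP-Redirect-URI header.
    if params.get("redirect_uri") != resource["tpp_redirect_uri"]:
        return None
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return None
    ISSUED_CODES[code] = {
        "tpp_id": resource["tpp_id"],
        "redirect_uri": resource["tpp_redirect_uri"],
        "scope": scope,
        "code_challenge": params["code_challenge"],
        "expires_at": now + CODE_LIFETIME_SECONDS,
        "used": False,
    }
    separator = "&" if "?" in resource["tpp_redirect_uri"] else "?"
    return f"{resource['tpp_redirect_uri']}{separator}code={code}&state={params.get('state', '')}"


def token_endpoint(form: dict, authenticated_tpp_id: Optional[str], now: float) -> Optional[dict]:
    """Slide 21. authenticated_tpp_id is the identity established by TLS client
    authentication with the TPP's eIDAS certificate (None if that failed).
    Returns the token response, or None when the request must be refused."""
    if authenticated_tpp_id is None:
        return None                                   # 1. TPP impersonation
    record = ISSUED_CODES.get(form.get("code", ""))
    if record is None or record["used"] or now > record["expires_at"]:
        return None                                   # 2. unknown, replayed or expired code
    if record["tpp_id"] != authenticated_tpp_id or record["redirect_uri"] != form.get("redirect_uri"):
        return None                                   # 2. code bound to another TPP / redirect URI
    expected = pkce_challenge(form.get("code_verifier", ""))
    if not hmac.compare_digest(expected.encode(), record["code_challenge"].encode()):
        return None                                   # 3. code injection (RFC 7636, Section 4.6)
    record["used"] = True                             # every code is single-use
    return {
        "access_token": "at-" + secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "scope": record["scope"],                     # slide 23: the TPP compares this with its request
    }
```

Note that the authorization endpoint refuses silently (no redirect) on a redirect_uri mismatch, exactly as slide 17 demands: redirecting to an unverified URI with an error would already hand the attacker a channel to the user agent.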
  • 22. Token Response (repeats the slide-12 sequence diagram)
  • 23. Token Response (Scope swap detection)
    ● The ASPSP must return the scope values assigned to the access token.
    ● Upon receiving the token response, the TPP must check whether the scope assigned to the access token is the same as requested in the authorization request.
    ● If this check fails, the TPP must refuse to process the token response.
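The TPP side of the flow, as one runnable Python example covering the preparation steps of slide 16, the authorization-response checks of slide 19 and the scope-swap check of slide 23. This is added example code, not code from the talk or from the NextGenPSD2 specification; the TPP client_id, the ASPSP authorization endpoints and the use of an `aspsp` query parameter to make the redirect URI ASPSP-specific (the pattern of slide 14) are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical TPP configuration (constructed for this example). One redirect URI is
# registered per ASPSP, distinguished by an 'aspsp' query parameter as on slide 14.
TPP_CLIENT_ID = "aisp.com"
TPP_REDIRECT_BASE = "https://aisp.com/authok"
ASPSP_AUTHORIZATION_ENDPOINTS = {
    "1": "https://aspsp1.example/authorize",
    "2": "https://aspsp2.example/authorize",
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def redirect_uri_for(aspsp_id: str) -> str:
    return f"{TPP_REDIRECT_BASE}?aspsp={aspsp_id}"


def prepare_authorization_request(session: dict, aspsp_id: str, consent_id: str) -> str:
    """Slide 16: one-time state (CSRF), one-time PKCE verifier whose SHA-256 goes into
    code_challenge (code replay/injection), both bound to the user-agent session
    together with the identity of the ASPSP we are about to use (mix-up)."""
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    session.update({
        "state": state,
        "code_verifier": code_verifier,
        "aspsp_id": aspsp_id,
        "requested_scope": f"AIS:{consent_id}",
    })
    params = {
        "response_type": "code",
        "client_id": TPP_CLIENT_ID,
        "redirect_uri": redirect_uri_for(aspsp_id),
        "scope": session["requested_scope"],
        "state": state,
        "code_challenge": b64url(hashlib.sha256(code_verifier.encode("ascii")).digest()),
        "code_challenge_method": "S256",
    }
    return f"{ASPSP_AUTHORIZATION_ENDPOINTS[aspsp_id]}?{urlencode(params)}"


def check_authorization_response(session: dict, response_url: str) -> str:
    """Slide 19: refuse the response unless (1) it arrived on the redirect URI of the
    ASPSP this session was sent to and (2) state matches the session.
    Returns the authorization code to exchange, or raises ValueError."""
    parsed = urlparse(response_url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    received_on = f"{parsed.scheme}://{parsed.netloc}{parsed.path}?aspsp={query.get('aspsp', '')}"
    if received_on != redirect_uri_for(session["aspsp_id"]):
        raise ValueError("mix-up: response arrived on another ASPSP's redirect URI")
    if "state" not in session or query.get("state") != session["state"]:
        raise ValueError("csrf: state is not bound to this session")
    if "code" not in query:
        raise ValueError("no authorization code in response")
    del session["state"]  # one-time use: a replayed response now fails the check above
    return query["code"]


def check_token_response(session: dict, token_response: dict) -> str:
    """Slide 23: the scope the ASPSP attached to the token must be exactly the scope
    requested in the authorization request."""
    granted = set(token_response.get("scope", "").split())
    requested = set(session["requested_scope"].split())
    if granted != requested:
        raise ValueError(f"scope swap: requested {sorted(requested)}, granted {sorted(granted)}")
    return token_response["access_token"]
```

The session dict stands in for whatever server-side session store the TPP keys off the user-agent cookie; the important property is that state, code_verifier and the intended ASPSP are only ever read back from that session, never from the incoming redirect.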
  • 24. API Requests (repeats the slide-12 sequence diagram)
  • 25. API Requests (access token replay detection)
    ● On every API request, the TPP shall be authenticated using TLS client authentication and its eIDAS certificate according to [mTLS], Section 3.
    ● The resource server must check whether the certificate used for TLS client authentication matches the certificate the access token is bound to (see [mTLS], Section 3).
    ● The ASPSP must also check that the access token is still valid and whether the permission associated with the access token entitles the TPP to perform the specific request.
    ● If any of these checks fails, the request must be refused by responding with a suitable HTTP status code.
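The resource-server checks of slide 25 as an added Python example (not code from the talk). Certificate binding is checked the way [mTLS] (RFC 8705, Section 3) defines it: the token carries a `cnf` claim with the `x5t#S256` thumbprint of the TPP's certificate, and the server recomputes that thumbprint from the certificate presented in the TLS handshake. The two DER byte strings, the token store and the permission model (method plus path template) are constructed for the example; validating the eIDAS certificate chain itself is left to the TLS layer.

```python
import base64
import hashlib
import hmac
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """Base64url-encoded SHA-256 thumbprint of the DER certificate: the value a
    certificate-bound access token carries in its cnf 'x5t#S256' member (RFC 8705)."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode("ascii")


# Constructed stand-ins for the DER encoding of two eIDAS certificates. Real DER would
# be parsed and chain-validated by the TLS layer; only the thumbprint matters here.
TPP_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-tpp-qwac-certificate"
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-other-certificate"

# Token store as populated by the token endpoint; 'cnf' binds the token to the
# certificate the TPP used when it obtained the token.
ACCESS_TOKENS = {
    "at-1": {
        "cnf": {"x5t#S256": x5t_s256(TPP_CERT_DER)},
        "expires_at": 2000.0,
        "permissions": {("GET", "/v1/accounts"), ("GET", "/v1/accounts/{id}/balances")},
    },
}


def _matches(template: str, path: str) -> bool:
    """'/v1/accounts/{id}/balances' matches '/v1/accounts/123/balances'."""
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(
        a == b or (a.startswith("{") and a.endswith("}")) for a, b in zip(t, p)
    )


def authorize_api_request(token: str, presented_cert_der: Optional[bytes],
                          method: str, path: str, now: float) -> int:
    """Slide 25. Returns the HTTP status to answer with: 200 if the request may proceed."""
    if presented_cert_der is None:
        return 401  # no TLS client authentication at all
    record = ACCESS_TOKENS.get(token)
    if record is None or now >= record["expires_at"]:
        return 401  # unknown or expired access token
    if not hmac.compare_digest(x5t_s256(presented_cert_der), record["cnf"]["x5t#S256"]):
        return 401  # replayed token: the presented certificate is not the bound one
    if not any(m == method and _matches(tpl, path) for m, tpl in record["permissions"]):
        return 403  # token is genuine, but its permissions do not cover this request
    return 200
```

A stolen access token is useless to anyone who cannot also complete a TLS handshake with the bound certificate's private key, which is the replay protection slide 10 refers to.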
  • 26. Q&A! Latest Drafts & Publications:
    ● OAuth 2.0 Security Best Current Practice: https://tools.ietf.org/html/draft-ietf-oauth-security-topics
    ● Cross-Browser Payment Initiation Attack: https://cutt.ly/cross-browser-payment-initation
    ● OpenID Connect 4 Identity Assurance: https://openid.net/specs/openid-connect-4-identity-assurance.html
    ● Transaction Authorization or why we need to re-think OAuth scopes: https://cutt.ly/oauth-transaction-authorization
    ● JWT Secured Authorization Response Mode for OAuth 2.0 (JARM): https://openid.net/specs/openid-financial-api-jarm-ID1.html
    ● OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer: https://tools.ietf.org/html/draft-fett-oauth-dpop
    Dr. Torsten Lodderstedt, CTO, yes.com, torsten@yes.com, @tlodderstedt, yes®. Talk to me about: details on OAuth Security Best Practices; the OAuth Security Workshop; other emerging OAuth & OpenID stuff; partnering with and working at yes.com.
  • 28. Mix-Up Attack (sequence diagram: User, PISP, ASPSP 1, ASPSP 2). The PISP sends GET /authorize... to ASPSP 1 (Redirect to ASPSP 1); ASPSP 1 forwards the user agent to ASPSP 2; the user gives authorization for account access at ASPSP 2; ASPSP 2 redirects to aisp.com/authok?code=42&...; the PISP receives GET /authok?code=42&... and sends POST /token, code=42... to ASPSP 1. Attacker learns code!
  • 29. Mitigation (same sequence diagram, two callouts). Callout 1: the PISP uses a unique redirect URI for each ASPSP, e.g. by encoding the ASPSP ID into a URI parameter. Callout 2: ASPSP 2 now redirects to aisp.com/authok?aspsp=2&code=42&..., and on receiving GET /authok?aspsp=2&code=... the PISP can detect the attack: mismatch between the intended ASPSP and the ASPSP identity in the redirect URI.
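The exchange of slides 28 and 29 as an added Python simulation (not code from the talk): a PISP, a malicious ASPSP 1 that forwards the user agent, and an honest ASPSP 2, run once with a single shared redirect URI and once with the per-ASPSP redirect URI of the mitigation. The endpoint URLs, the fixed code value 42 and the fact that the honest ASPSP looks up the PISP's registered redirect URI through the `Pisp` object are constructions for the example. The state parameter is forwarded intact by the attacker, which is the point: the CSRF check alone does not catch a mix-up.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoints. The PISP starts the flow with ASPSP 1, which is malicious
# or compromised; ASPSP 2 is honest and is where the user actually authorizes.
ASPSPS = {
    "1": {"authorize": "https://attacker.example/authorize", "token": "https://attacker.example/token"},
    "2": {"authorize": "https://aspsp2.example/authorize", "token": "https://aspsp2.example/token"},
}
PISP_REDIRECT_BASE = "https://aisp.com/authok"


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Pisp:
    def __init__(self, per_aspsp_redirect_uri: bool):
        self.per_aspsp_redirect_uri = per_aspsp_redirect_uri
        self.session = {}
        self.token_requests = []  # (token endpoint, code) pairs this PISP sent

    def registered_redirect_uri(self, aspsp_id: str) -> str:
        """Slide 29, callout 1: with the mitigation each ASPSP gets its own URI."""
        if self.per_aspsp_redirect_uri:
            return f"{PISP_REDIRECT_BASE}?aspsp={aspsp_id}"
        return PISP_REDIRECT_BASE

    def start(self, aspsp_id: str) -> str:
        self.session = {"aspsp_id": aspsp_id, "state": "st-1"}
        params = {"response_type": "code", "client_id": "aisp.com", "state": "st-1",
                  "redirect_uri": self.registered_redirect_uri(aspsp_id)}
        return f"{ASPSPS[aspsp_id]['authorize']}?{urlencode(params)}"

    def handle_response(self, url: str) -> str:
        """Slide 29, callout 2: compare the ASPSP identity carried by the redirect URI
        with the ASPSP this session was sent to, then check state."""
        q = _query(url)
        parsed = urlparse(url)
        received_on = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        if "aspsp" in q:
            received_on += f"?aspsp={q['aspsp']}"
        if received_on != self.registered_redirect_uri(self.session["aspsp_id"]):
            return "mix-up detected"
        if q.get("state") != self.session["state"]:
            return "csrf detected"
        # No check fired: the code goes to the token endpoint of the session's ASPSP.
        self.token_requests.append((ASPSPS[self.session["aspsp_id"]]["token"], q["code"]))
        return "token request sent"


def attacker_aspsp1_authorize(request_url: str) -> str:
    """ASPSP 1 authenticates nobody: it forwards the user agent to ASPSP 2, keeping
    client_id and state so the PISP's CSRF check will still pass (slide 28)."""
    q = _query(request_url)
    return f"{ASPSPS['2']['authorize']}?{urlencode({'client_id': q['client_id'], 'state': q['state']})}"


def honest_aspsp2_authorize(request_url: str, pisp: Pisp) -> str:
    """ASPSP 2 authenticates the user and, after authorization, redirects to the URI
    the PISP registered with it, carrying code=42 and the state it received."""
    q = _query(request_url)
    target = pisp.registered_redirect_uri("2")
    return f"{target}{'&' if '?' in target else '?'}code=42&state={q['state']}"


def run_mix_up(per_aspsp_redirect_uri: bool) -> dict:
    pisp = Pisp(per_aspsp_redirect_uri)
    to_aspsp1 = pisp.start("1")                              # GET /authorize... to ASPSP 1
    to_aspsp2 = attacker_aspsp1_authorize(to_aspsp1)         # forwarded to ASPSP 2
    back_to_pisp = honest_aspsp2_authorize(to_aspsp2, pisp)  # user authorizes; code=42
    outcome = pisp.handle_response(back_to_pisp)
    leaked = any(endpoint == ASPSPS["1"]["token"] for endpoint, _ in pisp.token_requests)
    return {"outcome": outcome, "attacker_learns_code": leaked}
```

`run_mix_up(False)` ends with the PISP posting code 42 to the attacker's token endpoint; `run_mix_up(True)` ends with "mix-up detected" and no token request at all, because the only ASPSP that could have sent the user agent to the `aspsp=2` URI is ASPSP 2, while the session says the flow was started with ASPSP 1.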

Editor's Notes

  1. Say something about my role in OAuth, in NextGenPSD2 and the Security Best Current Practice