On the fourth episode of Identity, Unlocked, host Vittorio Bertocci, principal architect at Auth0, is joined by Daniel Fett, a security specialist at yes.com. Daniel received his Ph.D. from the University of Stuttgart through research on the formal analysis of web protocols. Daniel joins the podcast today to talk about the security BCP document.
A BCP document describes the best current practices for a given field. Fett is a co-author of the OAuth 2.0 Security Best Current Practice document. The document updates the industry's practices, but it does not override the core specifications; instead, it supplements them with additional guidance and requirements for OAuth deployments. While there are many good recommendations in the document, the three that stand out most to Daniel are:
- Recommendations to not use the implicit grant any longer.
- If the authorization code grant is used, PKCE should also be used.
- Use sender-constrained access tokens when possible, and at least rotate refresh tokens.
In the implicit grant, the authorization server issues the access token directly and returns it to the browser in the redirect, with no authorization code and no token-endpoint step. Although this is convenient from a usability standpoint, it has several problems from a security perspective: the token travels in a URL where it can leak, it cannot be sender-constrained, and the client has no way to check that the token it received was actually issued for it. Daniel unpacks these concerns. Next, he and Vittorio discuss using PKCE with the authorization code grant. PKCE defends against authorization code injection, where an attacker who has obtained an authorization code (for example, a code leaked through a log or a referrer) injects it into another session to have it exchanged for tokens; this is distinct from the mix-up attacks the BCP treats separately. With PKCE, the client invents a fresh code verifier for each run, sends the code challenge derived from it in the authorization request, and presents the verifier when redeeming the code; the authorization server only accepts a code together with the verifier matching the challenge it was bound to at issuance. An injected code is bound to a different challenge, so the exchange fails. Finally, Daniel explains the BCP recommendations around sender-constraining. He recommends sender-constrained access tokens whenever possible.
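To make the binding concrete, here is an added example (not code from the podcast, the BCP, or Auth0): an in-memory model of the two authorization-server endpoints involved, the client-side verifier/challenge derivation from RFC 7636 (S256 method), and the two shapes of code injection the paragraph describes. The `AuthorizationServer` class, the `webapp` client id, and the session helpers are hypothetical names for illustration.

```python
"""PKCE against authorization code injection (constructed example, not the BCP's own code)."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Fresh high-entropy verifier for one authorization run (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory AS holding only what PKCE needs: code -> (client, challenge)."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: issue a code bound to the challenge sent in the request."""
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted here")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: redeem a code only with the verifier matching its bound challenge."""
        # The code is removed on any attempt: it is single-use, and a failed attempt
        # must not leave it available for a second guess at the verifier.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        bound_client, bound_challenge = entry
        if bound_client != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), bound_challenge):
            return None  # verifier does not match: the code was injected or stolen
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def _session(aserver: AuthorizationServer, client_id: str = "webapp"):
    """One client run: fresh verifier, authorization request, code bound to its challenge."""
    verifier = make_code_verifier()
    code = aserver.authorize(client_id, make_code_challenge(verifier))
    return verifier, code


def honest_exchange() -> bool:
    """The client redeems its own code with the verifier it kept for this run."""
    aserver = AuthorizationServer()
    verifier, code = _session(aserver)
    return aserver.token("webapp", code, verifier) is not None


def stolen_code_exchange() -> bool:
    """Attacker learned the victim's code (leaked via a log or referrer) but not its verifier."""
    aserver = AuthorizationServer()
    _victim_verifier, victim_code = _session(aserver)
    attacker_verifier, _attacker_code = _session(aserver)
    return aserver.token("webapp", victim_code, attacker_verifier) is not None


def injected_code_exchange() -> bool:
    """Attacker plants their own code in the victim's callback; the victim redeems it with its verifier."""
    aserver = AuthorizationServer()
    victim_verifier, _victim_code = _session(aserver)
    _attacker_verifier, attacker_code = _session(aserver)
    return aserver.token("webapp", attacker_code, victim_verifier) is not None


def replay_exchange() -> bool:
    """A code that was already redeemed cannot be redeemed again, even with the right verifier."""
    aserver = AuthorizationServer()
    verifier, code = _session(aserver)
    aserver.token("webapp", code, verifier)
    return aserver.token("webapp", code, verifier) is not None
```

Only the honest exchange succeeds. Note that the client never sends the verifier to the authorization endpoint, only the hash of it, so a code leaking from the front channel is useless to anyone who did not start that run; and the verifier must be kept per run, not per client, or injection across sessions works again.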
[4:20] - What is a BCP document, and how is it different from the core specification?
[6:48] - What are the top three most impactful recommendations in the BCP? Here’s the list of direct links to the top three spec recommendations Daniel mentions:
- Don’t use the implicit grant to get access tokens
- Use PKCE for every code authorization flow, regardless of client type
- Sender constraint for access tokens and/or refresh token rotation
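The third recommendation names refresh token rotation as the fallback when sender-constraining is not available. The following added example (constructed for this page, not code from the BCP or from Auth0) models the authorization-server side of rotation with reuse detection: each refresh spends the presented token and mints a new one in the same family, and a spent token coming back reveals that two parties hold the family, so the whole family is revoked. `RefreshTokenStore` and the scenario helpers are hypothetical names.

```python
"""Refresh token rotation with reuse detection (constructed example)."""
import secrets


class RefreshTokenStore:
    """Hypothetical AS-side store: every refresh rotates the token within a family."""

    def __init__(self):
        self._tokens = {}           # refresh token -> {"family": str, "active": bool}
        self._revoked_families = set()

    def issue(self) -> str:
        """Initial grant (after the code exchange): start a new family with its first token."""
        return self._mint(secrets.token_hex(8))

    def _mint(self, family: str) -> str:
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"family": family, "active": True}
        return token

    def _revoke_family(self, family: str) -> None:
        self._revoked_families.add(family)
        for entry in self._tokens.values():
            if entry["family"] == family:
                entry["active"] = False

    def refresh(self, presented: str):
        """Return a new refresh token, or None if the presented one is unknown, revoked or reused."""
        entry = self._tokens.get(presented)
        if entry is None or entry["family"] in self._revoked_families:
            return None
        if not entry["active"]:
            # A rotated-out token came back: two parties hold this family. The AS cannot
            # tell which one is the attacker, so it revokes every token in the family.
            self._revoke_family(entry["family"])
            return None
        entry["active"] = False         # rotate: the presented token is now spent
        return self._mint(entry["family"])


def honest_rotation(rounds: int = 3) -> int:
    """A single legitimate client refreshing repeatedly; returns how many refreshes succeeded."""
    store = RefreshTokenStore()
    token = store.issue()
    succeeded = 0
    for _ in range(rounds):
        token = store.refresh(token)
        if token is None:
            break
        succeeded += 1
    return succeeded


def theft_scenario() -> dict:
    """An attacker copies the client's current refresh token and uses it before the client does."""
    store = RefreshTokenStore()
    rt1 = store.issue()                 # held by the legitimate client, copied by the attacker
    rt2 = store.refresh(rt1)            # attacker refreshes first and receives rt2
    legit = store.refresh(rt1)          # legitimate client presents the now-spent rt1: reuse detected
    attacker_again = store.refresh(rt2) # family revoked, so the attacker's fresh token is dead too
    return {
        "attacker_first_refresh": rt2 is not None,
        "legitimate_reuse": legit is not None,
        "attacker_after_detection": attacker_again is not None,
    }
```

The attacker gets exactly one refresh before the legitimate client's next use exposes the theft, and then loses access along with the client, which has to log in again. That lockout is the cost of the scheme and the reason the BCP prefers sender-constrained tokens, where a stolen token is useless on its own, and treats rotation as the minimum for public clients.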
[7:59] - What are the problems with the implicit grant? The problems with the implicit grant were explored in the last section of the podcast episode about OAuth 2.1 with Aaron Parecki, and we expanded on the issues further in this post. Check those out if you want to dig deeper!
[16:02] - Using PKCE with the authorization code grant.
[26:09] - What are the BCP recommendations around sender-constraining? This is a topic we explored in depth with Brian on the podcast’s inaugural episode; you can find the audio and associated explanations here.
Identity, Unlocked is the podcast that discusses identity specs and trends from a developer perspective. Identity, Unlocked is powered by Auth0. Vittorio Bertocci is Principal Architect at Auth0 and applies his vast knowledge of the identity industry to Auth0 in all aspects of the company, including internal and external education, product innovation, and customer integration.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.