The Future of Authorization: Why OAuth 2.0 is Just the Beginning

Photo by Markus Spiske

The Future of Authorization: Why OAuth 2.0 is Just the Beginning

Authorization is a critical component of application security, allowing only authenticated and authorized users access to protected resources. OAuth 2.0 has become the industry standard protocol for authorization, providing a framework for delegated access control.

First published in 2012, OAuth 2.0 enables applications to access resources hosted by a resource server on behalf of the resource owner, through the issuance of access tokens. It allows users to grant third-party applications access to their data on another service, without exposing their credentials.

OAuth has been widely adopted across the web, powering authorization for many major platforms including Facebook, Google, Twitter, and Microsoft. However, as OAuth usage has grown exponentially, so have discovered vulnerabilities and weaknesses. These have enabled attackers to steal access tokens and impersonate valid users.

In this article, we will provide an overview of how OAuth 2.0 works, common use cases, best practices, and vulnerabilities. We will also look beyond OAuth at more advanced authorization and authentication protocols that aim to enhance security - OpenID Connect, mutual TLS, and WebAuthn. By the end, you will have a solid understanding of OAuth 2.0 and how to utilize it safely. Additionally, you will gain insight into new standards and techniques that go beyond OAuth to further secure access control for modern applications.

How OAuth 2.0 Works

OAuth 2.0 is an open standard for access delegation that provides secure authorization for applications to access server resources on behalf of a user. It allows users to grant limited access to their resources without exposing their credentials.

OAuth 2.0 defines four main authorization flows:

Authorization Code Flow

The authorization code flow is best suited for confidential clients such as web applications. It involves an intermediary authorization code to exchange for an access token:

  1. The client application redirects the user to the authorization server to login and approve access.
  2. The authorization server authenticates the user and redirects back with an authorization code.
  3. The client exchanges the authorization code for an access token.
  4. The client can use the access token to make API calls to access resources.

This flow provides increased security because the access token is never transmitted directly through the user’s browser.

Implicit Flow

The implicit flow is optimized for user-agent-based clients such as single page web apps. The access token is returned directly without an authorization code:

  1. The client application redirects the user to the authorization server to login and approve access.
  2. The authorization server authenticates the user and redirects back with an access token in the URL fragment.
  3. The client can use the access token to make API calls to access resources.

This simplified flow removes the need for extra round trips to the authorization server, but is less secure because the access token is exposed in the browser history.

Comparison of Flows

The authorization code flow is more secure but involves more round trips. The implicit flow is simpler and optimized for user-agent clients at the cost of security.

Overall, OAuth 2.0 provides a secure delegated authorization framework for client applications to access server resources in a standardized way. However, vulnerabilities still exist if not implemented properly.

Pros and Cons of OAuth 2.0

Pros:

  • Delegated authorization without sharing user credentials
  • Flexible authorization flows for various client types
  • Wide adoption across major platforms and providers

Cons:

  • Complexity leads to common implementation mistakes
  • Relies on HTTPS and token secrecy for security
  • Access tokens can be leaked if not properly protected
  • Limited built-in user context beyond scopes

OAuth 2.0 solves the key problem of secure authorization, but has weaknesses that more advanced protocols attempt to address.

OAuth 2.0 Use Cases

OAuth 2.0 is commonly used to enable authorization flows in a wide variety of applications and services across the internet. Some of the most prevalent use cases and examples include:

  • Social Media Login - Services like Facebook, Twitter, Google, and GitHub all leverage OAuth 2.0 to enable users to “Login with” their platform credentials. This allows users to forgo creating new accounts, and instead authorize these sites to connect to their existing social profiles.

  • Application Authorization - Mobile and desktop applications often integrate OAuth for authorizing access to REST APIs. For example, an app may use OAuth to gain access to a user’s photos in a cloud storage service, contacts in an address book service, or other data from an API provider.

  • Security and Single Sign-On - OAuth allows centralized authentication through a single identity provider, rather than managing credentials for each application individually. This single sign-on (SSO) approach is popular in enterprise environments to improve security and convenience.

  • User Account Protection - For security-conscious users, OAuth enables authorizing application access without ever sharing their primary credentials. This protects the user’s account in the event an app is compromised or malicious.

  • Service Integration - OAuth enables seamless integration between different platforms through its authorization flows and access tokens. Services can connect directly to one another via APIs on behalf of users, avoiding friction and hassle conducting redundant authentication steps.

In summary, OAuth 2.0 provides a standardized framework for granting limited access to user data and capabilities without exposing credentials. Its flexible flows and token format make it a broadly applicable protocol for authorization across web, mobile, desktop, IoT, and API-driven integrations. OAuth 2.0 underlies much of the seamless interoperability between apps and services on the modern web.

OAuth 2.0 Best Practices

To fully leverage the security benefits of OAuth 2.0, it’s important to follow best practices around registration, keys, tokens, and refresh tokens.

Registration and Key Handling

  • Use HTTPS for the authorization and token endpoints. This protects against man-in-the-middle attacks.

  • Generate cryptographically strong keys with sufficient entropy. Recommended key sizes are 2048 bits for RSA and 256 bits for EC.

  • Never hardcode client secrets in apps or share secrets with untrusted parties. Store secrets securely on the server side.

  • Set short expiration times for authorization codes, around 10 minutes. This reduces the window for interception.

  • Revoke exposed client secrets immediately and generate new keys.

Token Usage

  • Keep access tokens short-lived, around 1 hour. Refresh tokens can have longer expiration, around 2 weeks.

  • Send access tokens only over HTTPS and only to trusted backends. Never include tokens in URLs, logs or front-end code.

  • Always validate the token audience to match the expected audience for your API.

  • Check the issuer matches your authorization server domain.

  • Verify the token signing algorithm and key against known trusted keys.

Refresh Tokens

  • Issue refresh tokens only for trusted, first-party apps and devices. Avoid providing refresh tokens for third-party clients.

  • Bind refresh tokens to a single specific client ID and user identity combination.

  • Revoke refresh tokens when the user logs out or permissions change. Issue new tokens on re-authentication.

  • Secure refresh tokens equivalent to long-term authorization. Transmit only over HTTPS and restrict access through encryption.

Following these best practices will ensure OAuth 2.0 provides robust security for API authorization.

OAuth 2.0 Vulnerabilities

While OAuth 2.0 is an improvement over previous authentication protocols, it still has vulnerabilities that attackers can exploit if it is not properly implemented and secured. Some common OAuth attacks include:

  • Token hijacking - An attacker steals an access token and uses it to gain unauthorized access to resources. This can happen if tokens are not properly protected or transmitted over insecure channels.

  • Authorization code interception - The authorization code used to exchange for an access token can be intercepted by an attacker during the authorization process, allowing them to obtain a valid access token.

  • Client impersonation - An attacker pretends to be a valid client to trick the authorization server into issuing an access token. Weak client authentication makes this possible.

  • User impersonation - The attacker steals or guesses a user’s credentials and uses them to authenticate as the user and gain access to their data.

  • Broken OAuth flows - Incorrect implementation of OAuth flows and validation can leave endpoints open to exploitation. Attackers can abuse flaws in redirect_uri validation, state parameters, and code/token issuing to compromise accounts.

  • Cross site request forgery (CSRF) - Attackers can force authenticated users to unknowingly make requests on their behalf by exploiting OAuth’s reliance on browser redirection for flows.

  • Open redirectors - Allowing open redirects after OAuth login can let attackers redirect users to phishing sites and steal credentials or tokens.

To prevent OAuth abuse, proper implementation is crucial:

  • Use state and nonce parameters to prevent CSRF
  • Enforce secure client registration and validation
  • Utilize encrypted communication channels
  • Set short expiry times on tokens
  • Revoke tokens when no longer needed
  • Use refresh tokens sparingly and carefully
  • Follow OAuth best practices for validation and redirects

While OAuth 2.0 offers a standardized framework for authorization, organizations must take care to mitigate vulnerabilities through proper implementation, security controls, and robust access policies. Additional protocols like OpenID Connect build on OAuth to enhance security, demonstrating the need for continued evolution.

Moving Beyond OAuth 2.0

OAuth 2.0 has been an important standard for authorization and still remains widely used today. However, as a 10+ year old standard, OAuth 2.0 is starting to show its age and limitations in the face of modern security threats. Here are some of the key reasons why OAuth 2.0 may no longer be sufficient:

  • Designed for desktop and web, not mobile or native apps - OAuth 2.0 was created in the era before mobile and native apps. It relies on redirects that don’t work well outside of a web browser context. This can create security vulnerabilities.

  • Not encrypting tokens by default - OAuth 2.0 tokens are often sent unencrypted, leaving them open to interception. The specification requires https for the authorization flow, but access tokens can still be transmitted in the clear.

  • No built-in methods for validating identity - OAuth 2.0 focuses on authorization and access delegation. It does not verify the identity of the user. This leaves room for impersonation attacks.

  • Token reuse and embedding risks - OAuth 2.0 provides single-use authorization but does not prevent the token from being used multiple times. Tokens with wider access can also get embedded in apps, broadening exposure.

  • No requirement for proof of possession - There is no cryptographic proof that the party using a token is the intended authorized user. This creates greater risk if a token is intercepted.

  • Limited encryption standards - OAuth 2.0 only supports older encryption like SHA-1. Stronger modern algorithms like SHA-256 are not built-in to the core specification.

As threats have evolved, OAuth 2.0’s capabilities to protect against them are reaching their limits. While still in widespread use, OAuth 2.0 needs to be augmented and replaced by more robust and modern authorization standards for certain use cases. Exploring protocols like OpenID Connect, mutual TLS, and WebAuthn provides options for stronger security in the future.

OpenID Connect

OpenID Connect is an authentication protocol built on top of OAuth 2.0 that provides additional identity capabilities. With OAuth 2.0, the resource server receives an access token that grants access, but does not provide any information about the identity of the user.

OpenID Connect allows clients to verify the identity of the user through authentication with an authorization server. This allows the client to obtain basic profile information about the user. OpenID Connect utilizes JWT (JSON Web Tokens) that contain claims about user authentication, which can be passed back to the client.

Some key use cases where OpenID Connect enhances security:

  • Single sign-on (SSO) - OpenID Connect allows for simple SSO across multiple sites and applications. The authentication is handled by the identity provider’s authorization server, so the sites do not need to each handle their own authentication.

  • Increased integrity - The ID token contains signed claims that have been securely verified by the identity provider. This provides better integrity guarantees than standard OAuth access tokens.

  • User profile access - OpenID Connect optionally provides access to the end user’s profile information, giving the client additional context about who the user is without needing additional API calls.

  • Higher confidence in identity - The standards around use of scope, JWT claims, and encryption provide higher confidence that the user is who they claim compared to basic OAuth.

So in summary, OpenID Connect builds on top of the authorization provided by OAuth 2.0 to also provide reliable authentication and verify the user’s identity. For use cases like SSO and when identity assurance is critical, OpenID Connect is a more secure and robust protocol.

Mutual TLS for Stronger Authentication

Mutual TLS provides stronger authentication than traditional TLS by requiring bi-directional authentication between the client and server. With mTLS, both the client and server must provide certificates to identify themselves before establishing an encrypted TLS connection.

Here’s how mTLS authentication works:

  • The client initiates the handshake by sending the server its client certificate. This certificate is issued from a trusted certificate authority (CA) and verifies the client’s identity.

  • The server then provides its own server certificate to the client. This certificate is validated against the trusted CA to authenticate the server’s identity.

  • The client and server negotiate an encrypted TLS session if both parties successfully validate each other’s certificates. This creates an authenticated bi-directional communication channel.

  • The client and server can now securely exchange data through the encrypted TLS tunnel knowing the identities on both ends have been verified.

mTLS is more secure than standard TLS that only authenticates the server to the client. By requiring mutual authentication, mTLS prevents unauthorized network connections, thwarting man-in-the-middle attacks.

Use cases where mTLS enhances security:

  • Securing communications between microservices. mTLS prevents unauthorized microservices from joining the mesh.

  • Authentication for Kubernetes pods connecting internally. mTLS verifies pod identities communicating within the cluster.

  • Securing IoT device communication. mTLS locks down machine-to-machine communication by requiring client certificates.

  • Banking and financial transactions. mTLS guarantees transaction integrity between financial systems.

Implementation requires both client and server support mTLS. Load balancers like NGINX can terminate mTLS connections then relay traffic in plain TLS mode. Client SDKs make it easier to integrate mTLS authentication in mobile and web apps connecting to backend services. With appropriate libraries and load balancing, companies can deploy mTLS security at scale.

WebAuthn/FIDO2

WebAuthn (Web Authentication) and FIDO2 are emerging web standards that provide an alternative to traditional password-based authentication.

WebAuthn allows websites to register and authenticate users using public key cryptography instead of passwords. This is enabled through authenticators like security keys or biometrics. The standard was created by the FIDO Alliance and the World Wide Web Consortium (W3C).

FIDO2 is a set of technical specifications that enable passwordless authentication methods using secure credentials like security keys, biometrics, or platform authenticators. It’s an extension of the FIDO (Fast Identity Online) standard.

Here are some key benefits of WebAuthn and FIDO2 over traditional password authentication:

  • Increased security - Passwords can be weak, reused, leaked, stolen or subject to phishing attacks. WebAuthn uses asymmetric (public key) cryptography to offer a much stronger form of authentication resistant to these threats.

  • Better user experience - No need to create or remember passwords. Users simply authenticate with a fingerprint or security key which is faster and easier.

  • Reduced costs - Organizations spend less dealing with password resets, help desk calls, and other password related issues that add IT overhead.

  • Privacy protection - With WebAuthn, the original credentials (biometric templates or private keys) never leave the user’s device. This protects privacy.

  • Platform/device agnostic - WebAuthn works across desktop and mobile devices. And it doesn’t lock users into a particular platform or device.

Overall, WebAuthn and FIDO2 represent a major step forward for authentication security and usability on the web. As these standards gain wider adoption, we will see less reliance on vulnerable password-based systems.

Conclusion

OAuth 2.0 has become the standard for authorization and authentication for many applications, providing a way for users to grant limited access to their data without exposing credentials. However, as an older protocol, OAuth 2.0 has some limitations around security, scope of access, and user experience.

Newer protocols are aiming to improve on OAuth 2.0 in various ways:

  • OpenID Connect builds on top of OAuth 2.0 to add identity services, providing verification of identity along with authentication and authorization. This helps address some of the security vulnerabilities in OAuth 2.0.

  • Mutual TLS provides certificate-based authentication of both client and server, preventing man-in-the-middle attacks. While more complex to implement, mutual TLS improves integrity and privacy protections compared to OAuth 2.0 alone.

  • WebAuthn/FIDO2 uses public key cryptography instead of passwords for authentication, providing phishing-resistant and tamper-resistant login. This protocol could fully replace OAuth for login in many cases.

Overall, while OAuth 2.0 laid the groundwork for secure authorization, its age shows in various legacy limitations. Newer protocols build on OAuth but address its weaknesses around security, privacy, and user experience.

For highly sensitive applications like healthcare, financial services, and identity management, mutual TLS and protocols like WebAuthn should be strongly considered to provide defense-in-depth. Even for consumer apps, augmenting OAuth with OpenID Connect helps ensure better integrity of user identity and authentication.

Stay tuned with APIRobots for more insights and updates on this exciting field. Don’t miss out on the opportunities that APIs can bring to your business. Contact us today at API Robots an APIs Development Agency and let’s unlock the full potential of APIs together.