Elevating OAuth2.0 for Security of Native Clients
Discover the power of PKCE (Proof Key for Code Exchange), an OAuth2.0 extension. OAuth has become the go-to authentication mechanism, with a multitude of users seamlessly logging into apps through well-known platforms like Google or Twitter. Join us as we explore the limitations of standard OAuth flows for native clients, uncover the risks and potential attack vectors associated with them, and showcase case studies. Gain invaluable insights into how PKCE addresses these challenges head-on, fortifying your applications against potential attacks.

The talk begins with a brief reminder of the OAuth2 workflow, explaining the trust relationships between the resource owner, client, authorization server, and resource server. It is followed by an introduction to the OAuth2 workflow, ensuring everyone is on the same page. After that, I will present an explanation of the authorization code flow, which will be the focus of the talk. It will be followed by a discussion of why an authorization code is needed and why it is more secure than issuing access tokens immediately. Based on this I will introduce the issue of using private-use URI schemes for redirect URIs on native clients, and we will take a look at authorization code interception attacks. To solve this problem we will consider PKCE (Proof Key for Code Exchange) as an extension to OAuth2.0 and how it is able to mitigate such attacks. After this, however, we will question PKCE, discussing its limitations. It will be followed by the twist that PKCE is still useful despite its limitations. We will also explore various mitigation strategies, best practices, and recommendations.
About the Speaker
Alina Boshchenko is a software engineer and security champion at JetBrains. Her current focuses are high-load systems, more specifically new transaction management concepts for embedded databases, software development in Kotlin/Java, and network security. As a member of the Security Champions team, she ensures the robustness of systems by identifying and fixing security issues. Alina is a serial hackathonner, and her interests also extend to mentorship, where she guides and supports students through workshops and talks, equipping them with the skills and knowledge they need to excel in their professional journeys.