OAuth 2.1: The Future of API Security

A presentation at phpday 2025 in May 2025 in Verona, VR, Italy by Rob Allen

Slide 1

OAuth 2.1: The Future of API Security
Rob Allen, May 2025

Slide 2

OAuth is the standard for securing access to APIs
Rob Allen ~ akrabat.com

Slide 3

OAuth 2.0: A Refresher

Slide 4

OAuth 2.0 Roles
• Resource Owner (the user)
• Resource Server (the API)
• Client (the application that uses the API)
• Authorization Server (the OAuth server)

Slide 5

OAuth 2.0 Protocol Flows
• Resource Owner Password Credentials
• Authorization Code
• Implicit
• Client Credentials

Slide 6

Password Credentials Flow
For logging into 1st party apps

Slides 7-10

Password Credentials Flow (step-by-step diagram slides, no further text)

Slide 11

Authorization Code Flow
For logging into 3rd party websites

Slides 12-20

Authorization Code Flow (step-by-step diagram slides, no further text)

Slide 21

Implicit Flow
For logging into 3rd party apps and web SPAs

Slides 22-28

Implicit Flow (step-by-step diagram slides, no further text)

Slide 29

Client Credentials Flow
For jobs that don’t need user permission

Slides 30-32

Client Credentials Flow (step-by-step diagram slides, no further text)

Slide 33

OAuth 2.0 Refresh token
• Allows the client to gain a new access token without involving the user again
• Refresh tokens need to be kept secure
• The authorization server can choose not to issue one

Slide 34

OAuth 2.0: Since 2012

Slide 35

The OAuth 2.0 Framework in 2012

Slide 36

The OAuth 2.0 Framework Today

Slide 37

Key extensions since 2012
• RFC 7636: Authorization Code without a client secret (PKCE)
• RFC 8628: Device Authorization grant for devices

Slide 38

PKCE
• First created for mobile, but useful for all public clients
• Protects the authorization code in the redirect
• The authorization server knows that the client that started the flow is the one converting the code to a token

Slides 39-43

PKCE workflow (step-by-step diagram slides, no further text)
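The exchange the PKCE workflow slides draw, as an added example in Python (this is not code from the talk or from Rob Allen): the client generates a code_verifier and its S256 code_challenge, the authorization server stores the challenge alongside the issued code, and the token endpoint recomputes the challenge from the verifier the client presents. The in-memory AuthorizationServer, the client_id demo-app and the as.example / app.example URLs are assumptions made for the demonstration; the verifier/challenge construction follows RFC 7636.

```python
"""PKCE (RFC 7636) on both sides of the authorization code flow.

Added example, not code from the talk. The authorization server below is an
in-memory stand-in; client_id and URLs are made up for the demonstration.
"""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43..128 characters from the unreserved set
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 characters, the minimum length."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))). 'plain' is not offered."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(challenge: str, verifier: str) -> bool:
    """Server side: validate the verifier's shape, recompute, compare in constant time."""
    if not _VERIFIER_RE.fullmatch(verifier):
        return False
    return hmac.compare_digest(make_code_challenge(verifier).encode(), challenge.encode())


class AuthorizationServer:
    """Issues single-use codes bound to client_id, redirect_uri and the PKCE challenge."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        entry = self._codes.pop(code, None)  # pop: a replayed code finds nothing
        if entry is None:
            return None
        stored_client, stored_redirect, challenge = entry
        if client_id != stored_client or redirect_uri != stored_redirect:
            return None
        if not verify_pkce(challenge, code_verifier):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def build_authorization_url(client_id, redirect_uri, challenge, state):
    """What the client sends the browser to (assumed authorization endpoint URL)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
        "scope": "read",
    }
    return "https://as.example/authorize?" + urlencode(params)


def run_flow(server, steal_code=False):
    """Drive one flow. With steal_code=True, someone who captured the code in the
    redirect (but never saw the verifier) tries to redeem it and must get nothing."""
    client_id = "demo-app"
    redirect_uri = "https://app.example/callback"
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url(secrets.token_bytes(16))
    build_authorization_url(client_id, redirect_uri, challenge, state)  # browser redirect happens here
    code = server.authorize(client_id, redirect_uri, challenge, "S256")
    presented = make_code_verifier() if steal_code else verifier
    return server.token(code, client_id, redirect_uri, presented)
```

The two properties worth checking are that an intercepted code is useless without the verifier, and that a code cannot be exchanged twice; both fall out of the token endpoint above.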

Slide 44

Device Authorization Flow
For apps with no browser (or keyboard)

Slides 45-48

Device Authorization Flow (step-by-step diagram slides, no further text)
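The device flow the slides above walk through, as an added example in Python (not code from the talk): the device asks for a device_code / user_code pair, the user approves on a second device, and the device polls the token endpoint, handling authorization_pending, slow_down, expired_token and access_denied as RFC 8628 section 3.5 describes. Both sides are in-process stand-ins; the endpoint URLs, the 5-second interval, the 600-second lifetime and the user_code alphabet are assumptions made here, and a simulated clock replaces real sleeping.

```python
"""Device Authorization Grant (RFC 8628), both sides simulated in one process.

Added example, not from the talk. URLs, interval, lifetime and the user_code
format are choices made for this demonstration; the RFC leaves them to the server.
"""
import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only: nothing to misread on a TV


class DeviceAuthServer:
    """Issues device/user code pairs and answers token polls."""

    def __init__(self, interval=5, lifetime=600):
        self.interval = interval
        self.lifetime = lifetime
        self._pending = {}  # device_code -> record
        self.clock = 0      # simulated seconds, advanced by the caller

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        self._pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "scope": scope,
            "approved": None, "expires_at": self.clock + self.lifetime, "last_poll": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://as.example/device",
            "verification_uri_complete": f"https://as.example/device?user_code={user_code}",
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def user_decides(self, user_code, approve):
        """The browser side: the user types the code on a phone or laptop and approves or denies."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code:
                rec["approved"] = approve
                return True
        return False

    def token(self, client_id, device_code):
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock >= rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and self.clock - rec["last_poll"] < self.interval:
            rec["last_poll"] = self.clock
            return {"error": "slow_down"}  # polled faster than the advertised interval
        rec["last_poll"] = self.clock
        if rec["approved"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # a decision consumes the device_code either way
        if not rec["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": rec["scope"]}


def device_obtains_token(server, client_id="tv-app", approve_after=12, approve=True, max_wait=120):
    """The device's loop: wait `interval`, poll, back off by 5s on slow_down, stop on a final answer.
    The user's decision is injected at `approve_after` simulated seconds."""
    resp = server.device_authorization(client_id, "read")
    wait = resp["interval"]
    while server.clock < max_wait:
        server.clock += wait  # stands in for time.sleep(wait)
        if approve is not None and server.clock >= approve_after:
            server.user_decides(resp["user_code"], approve)
            approve = None
        result = server.token(client_id, resp["device_code"])
        err = result.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            wait += 5  # RFC 8628 section 3.5: add 5 seconds to the polling interval
            continue
        return result
    return {"error": "gave_up"}
```

The device never sees user credentials and the user_code is short-lived and bound to one device_code, which is why this grant replaces the password grant for keyboard-less devices.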

Slide 49

Best Practices since 2012
• RFC 9700: Best Current Practice for OAuth 2.0 Security
• RFC 8252: OAuth 2.0 for Native Apps
• OAuth Working Group draft: OAuth 2.0 for Browser-Based Apps

Slides 50-56

Best Current Practice
• Always use PKCE with Authorization Code
• Don’t use Implicit flow; use Authorization Code (with PKCE)
• Don’t use Password flow; use Authorization Code (with PKCE)
• Use exact string matching for redirect URIs
• No access tokens in query strings
• Refresh tokens must be sender constrained or one-time use
• … plus other good implementation information!

Slide 57

OAuth 2.1

Slide 58

"My main goal with OAuth 2.1 is to capture the current best practices in OAuth 2.0 as well as its well-established extensions under a single name."
Aaron Parecki

Slides 59-61

Key Objectives of OAuth 2.1
• Not a new protocol
• Simplifies the specification
• Incorporation of Best Current Practices

Slide 62

OAuth 2.1 Flows
• Authorization Code + PKCE
• Device Authorization
• Client Credentials

Slide 63

Tokens
• Transfer only by HTTP header or POST form body
• Require sender constraints or one-time use refresh tokens
• Refined token management (shorter lifetimes, rotation policies)
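The one-time-use option for refresh tokens, as an added example in Python (not code from the talk): every refresh rotates the token, tokens are stored hashed, and a token presented a second time is treated as evidence that a copy leaked, so the whole token family is revoked. The TokenStore, the 5-minute access token lifetime, the 30-day refresh lifetime and the token format are assumptions made for the demonstration; the alternative the slide mentions, sender-constraining with DPoP or mTLS, is not shown here.

```python
"""Refresh token rotation with reuse detection (the one-time-use option).

Added example, not from the talk. Lifetimes, token format and the in-memory
store are assumptions for the demonstration.
"""
import hashlib
import secrets


class TokenStore:
    ACCESS_TTL = 300            # assumed: short-lived access tokens, 5 minutes
    REFRESH_TTL = 30 * 86400    # assumed: refresh tokens live 30 days

    def __init__(self):
        self.clock = 0          # simulated seconds
        self._refresh = {}      # sha256(refresh_token) -> record
        self._revoked_families = set()

    @staticmethod
    def _h(token):
        # Only a hash is stored, so a database leak does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, client_id, family):
        refresh = secrets.token_urlsafe(32)
        self._refresh[self._h(refresh)] = {
            "family": family, "client_id": client_id,
            "expires": self.clock + self.REFRESH_TTL, "used": False,
        }
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": self.ACCESS_TTL,
            "refresh_token": refresh,
        }

    def issue_initial(self, client_id):
        """Called once, after a successful authorization code exchange; starts a family."""
        return self._issue(client_id, family=secrets.token_hex(8))

    def refresh(self, client_id, refresh_token):
        rec = self._refresh.get(self._h(refresh_token))
        if rec is None or rec["client_id"] != client_id or self.clock >= rec["expires"]:
            return {"error": "invalid_grant"}
        if rec["family"] in self._revoked_families:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # Presented twice: either the client lost a response or someone else
            # holds a copy. Either way the whole chain is untrustworthy.
            self._revoked_families.add(rec["family"])
            return {"error": "invalid_grant", "error_description": "refresh token reuse detected"}
        rec["used"] = True
        return self._issue(client_id, rec["family"])

    def family_is_revoked(self, refresh_token):
        rec = self._refresh.get(self._h(refresh_token))
        return rec is not None and rec["family"] in self._revoked_families


def simulate_theft(store):
    """The legitimate client and a thief both hold the same refresh token."""
    first = store.issue_initial("app")
    stolen = first["refresh_token"]
    second = store.refresh("app", stolen)                    # legitimate client rotates
    thief = store.refresh("app", stolen)                     # thief replays the old token
    after = store.refresh("app", second["refresh_token"])    # legitimate client is now locked out too
    return second, thief, after
```

Locking out the legitimate client on reuse is the intended outcome: it forces a fresh login and surfaces the theft, which a silent rotation would hide.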

Slide 64

Other things
• Redirect URIs must be exact matches
• State parameter is now mandatory for CSRF protection
• Confidential client now means a client that has credentials
• Otherwise it’s public
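Two of the leak-prevention rules from the Best Current Practice list (slides 50-56) and the slide above, as an added example in Python (not code from the talk): exact-string redirect URI matching on the authorization server beside the prefix match it replaces, and a resource server that accepts bearer tokens only from the Authorization header. The registered URI, the client_id demo-app, the attacker URIs and the request shapes are constructed for the demonstration; the loopback port exception RFC 8252 allows for native apps is deliberately left out.

```python
"""Exact redirect URI matching and header-only bearer tokens.

Added example, not from the talk. Registered URIs, attacker URIs and request
shapes are constructed for the demonstration.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed client registry: one client, one registered redirect URI
REGISTERED = {
    "demo-app": {"https://app.example/callback"},
}


def redirect_uri_matches_prefix(client_id, uri):
    """The weak check many OAuth 2.0 deployments used: accept anything under the registered URI."""
    return any(uri.startswith(r) for r in REGISTERED.get(client_id, ()))


def redirect_uri_matches_exact(client_id, uri):
    """OAuth 2.1: plain string comparison. No normalisation, no wildcards, no 'starts with'."""
    return uri in REGISTERED.get(client_id, ())


# Constructed attacker-supplied redirect_uri values; each starts with the registered URI
ATTACKER_URIS = [
    "https://app.example/callback/../../open-redirect",          # path traversal
    "https://app.example/callback?next=https://evil.example",    # extra query parameter
    "https://app.example/callbackx",                             # longer path
    "https://app.example/callback/",                             # trailing slash
]


def compare_checks(client_id="demo-app"):
    """Which attacker URIs each check lets through."""
    return {
        "prefix": [u for u in ATTACKER_URIS if redirect_uri_matches_prefix(client_id, u)],
        "exact": [u for u in ATTACKER_URIS if redirect_uri_matches_exact(client_id, u)],
    }


def extract_bearer_token(headers, url):
    """Resource server: take the token only from 'Authorization: Bearer <token>'.
    A token in the query string is refused outright; it would otherwise end up in
    access logs, Referer headers and browser history."""
    if "access_token" in parse_qs(urlsplit(url).query):
        return None, "invalid_request: access_token must not be sent in the query string"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None, "invalid_request: missing bearer token"
    return token.strip(), None
```

With exact matching, a client that needs several callbacks registers each one in full; with header-only tokens, a client that cannot set headers uses the POST form body, which is the other transport the Tokens slide allows.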

Slide 65

Going forwards

Slides 66-71

Migrating to 2.1
• Review current implementation
• Adopt Authorization Code flow with PKCE
• Remove deprecated flows
• Secure redirect URIs
• Review and implement the Best Current Practices

Slides 72-75

Other relatively new OAuth features
• Demonstrating Proof of Possession (RFC 9449)
• Mutual TLS (RFC 8705)
• JWT Profile for Access Tokens (RFC 9068)
• JWT-Secured Authorization Requests (RFC 9101)
• Rich Authorization Requests (RFC 9396)
• Pushed Authorization Requests (RFC 9126)


Slide 77

Thank you!
slides: https://akrabat.com/7337
q&a and feedback: https://grusp.org/agenda