OAuth 2.0 Authentication Vulnerabilities

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Ory Hydra

    OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.

  • The first vulnerability is in the title, OAuth is an Authorization framework (Open Authorization) and is explicitly NOT for authentication. It’s also a delegation protocol (I give you something to do on my behalf).

    If you want a list of things that can go wrong, look here: https://tools.ietf.org/id/draft-ietf-oauth-security-topics-1...

    Generally you probably do not need OAuth2: https://www.ory.sh/hydra/docs/concepts/before-oauth2/

    But if you do don’t roll your own but use proven open source like https://github.com/ory/hydra

  • paseto

    Platform-Agnostic Security Tokens

  • > Someone flubbed up and made the "none" algorithm mandatory for spec-compliant implementations.

    Which spec are you referring to? 7519? Per section 6 ( https://tools.ietf.org/html/rfc7519#section-6 ) "none" is an optional feature of JWT.

    I am not aware of any spec related to OAuth which requires a server to issue or accept a JWT with an algo of "none". Can you point one out to me?

    From the AS side, our product won't even allow you to "sign" a JWT with a value of none. I'm not sure about other authorization servers.

    And I always recommend that if a resource server ever sees an algorithm of "none" it should throw out the JWT full stop.

    > It's a chicken-and-egg problem that the designers missed: you can't trust the token until you've validated it, but you'd have to believe the value of the algo field before you've validated it in order to check the signature.

    What is the way around this? Looks like Paseto tokens (an alternative I've heard mentioned) work by not allowing unsigned tokens: https://github.com/paragonie/paseto

    Is there another way to fix this?

    > There are libraries that will see "none" in the algo field and treat that as "this token doesn't have a signature that needs to be validated, so it's good".

    Spooky! Can you share these so I can stay far away from them? :)
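The failure mode discussed in this comment, as an added example that is not part of the original thread or of any library it mentions: a minimal compact-JWS encoder plus two verifiers. `verify_naive` does what the "spooky" libraries do, reading `alg` from the unverified header and treating `none` as "no signature to check", so a forged token with `alg: none` and an empty signature is accepted. `verify_pinned` is one answer to the chicken-and-egg question: the expected algorithm comes from server configuration, the header merely has to agree with it, `none` is rejected unconditionally, and the MAC is compared in constant time. Only HS256 is implemented; the key and payloads are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; not from any real deployment.
SERVER_KEY = b"demo-secret-for-illustration-only"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_token(payload: dict, alg: str, key: bytes = SERVER_KEY) -> str:
    """Build a compact JWS. alg 'none' yields an empty signature segment."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    if alg == "none":
        sig = ""
    elif alg == "HS256":
        sig = _b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())
    else:
        raise ValueError("unsupported alg in this demo")
    return f"{header}.{body}.{sig}"


def verify_naive(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """VULNERABLE: trusts the alg field of a header it has not yet authenticated."""
    h, b, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "none":
        # "this token doesn't have a signature that needs to be validated, so it's good"
        return json.loads(_b64url_decode(b))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(b))
    return None


def verify_pinned(token: str, key: bytes = SERVER_KEY,
                  expected_alg: str = "HS256") -> Optional[dict]:
    """Hardened: the algorithm is server configuration, never token input."""
    if expected_alg == "none":
        return None  # a resource server should never be configured to accept none
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, b, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # The header must agree with what we already decided to verify with.
    if header.get("alg") != expected_alg:
        return None
    if expected_alg != "HS256":
        return None  # only HS256 is implemented in this demo
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(b))


if __name__ == "__main__":
    legit = make_token({"sub": "alice"}, "HS256")
    forged = make_token({"sub": "admin"}, "none")  # attacker needs no key
    print("naive  accepts forged :", verify_naive(forged))
    print("pinned accepts forged :", verify_pinned(forged))
    print("pinned accepts legit  :", verify_pinned(legit))
```

The same pattern applies to asymmetric algorithms: decide per issuer which key and which algorithm are acceptable before parsing, and treat a header that disagrees as a hard failure rather than a hint.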


Related posts

  • Show HN: Login with HN (Unofficially)

    3 projects | news.ycombinator.com | 13 Jan 2022
  • Hydra for self hosted auth ? Is it any good ?

    1 project | /r/selfhosted | 8 Apr 2021
  • Ory Hydra 1.9: Open-source Golang OAuth2 provider

    1 project | /r/patient_hackernews | 13 Jan 2021
  • Ory Hydra 1.9: Open-source Golang OAuth2 provider

    1 project | /r/hackernews | 13 Jan 2021
  • Ory Hydra 1.9: Open Source OAuth2/OIDC Provider

    2 projects | dev.to | 13 Jan 2021