OAuth - SAML - SPID


The OAuth 2.0 Authorization Framework
https://tools.ietf.org/html/rfc6749

OAuth 2.0 Threat Model and Security Considerations
https://tools.ietf.org/html/rfc6819

OpenID Connect Specifications
https://openid.net/specs/openid-connect-core-1_0.html#IDToken

http://stackoverflow.com/questions/19615372/client-secret-in-oauth-2-0

https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660

https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864

Implicit grant:
Protocol vulnerability
https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

Vulnerability in Facebook
https://www.ehackingnews.com/2020/03/a-vulnerability-that-allows-hackers-to.html

Security Incidents (Token/Grant stealing)

https://www.zdnet.com/article/data-of-24-3-million-lumin-pdf-users-shared-on-hacking-forum/

Have I Been Pwned notified me that I was in that breach.
In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September, when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance, after which Lumin PDF had allegedly been "contacted multiple times, but ignored all the queries". The exposed data included names, email addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com". (September 18th, 2019)

http://gizmodo.com/twitter-accounts-hacked-with-swastikas-through-third-pa-1793286451

Misplaced trust examples

SAML Vulnerability
Two vulnerabilities were identified in the SAML Service Provider implementation of GitHub Enterprise that allowed for full authentication bypass.
http://www.economyofmechanism.com/github-saml.html

SPID (Sistema Pubblico di Identità Digitale, the Italian public digital identity system)
http://spid-regole-tecniche.readthedocs.io/en/latest/introduzione.html#
