OAuth - SAML - SPID
The OAuth 2.0 Authorization Framework
https://tools.ietf.org/html/rfc6749
OAuth 2.0 Threat Model and Security Considerations
https://tools.ietf.org/html/rfc6819
OpenID Connect Specifications
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
http://stackoverflow.com/questions/19615372/client-secret-in-oauth-2-0
https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864
Implicit grant:
- https://tools.ietf.org/html/rfc6749#section-4.2
- https://oauth.net/2/grant-types/implicit/ (no longer recommended)
https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
Vulnerability in Facebook
https://www.ehackingnews.com/2020/03/a-vulnerability-that-allows-hackers-to.html
Security Incidents (Token/Grant stealing)
https://www.zdnet.com/article/data-of-24-3-million-lumin-pdf-users-shared-on-hacking-forum/
Haveibeenpwned notified me that I was in that breach
In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance, after which Lumin PDF had allegedly been "contacted multiple times, but ignored all the queries". The exposed data included names, email addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com". (September 18th, 2019)
- http://gizmodo.com/twitter-accounts-hacked-with-swastikas-through-third-pa-1793286451
- https://motherboard.vice.com/en_us/article/bja7qq/how-50-million-facebook-users-were-hacked
- https://newsroom.fb.com/news/2018/09/security-update/
- https://arstechnica.com/information-technology/2020/07/microsoft-neuters-office-356-account-attacks-that-used-clever-ruse/
- https://www.microsoft.com/security/blog/2020/07/08/protecting-remote-workforce-application-attacks-consent-phishing/
- https://krebsonsecurity.com/2021/05/malicious-office-365-apps-are-the-ultimate-insiders/
SAML Vulnerability
Two vulnerabilities were identified in the SAML Service Provider implementation of GitHub Enterprise that allowed full authentication bypass.
http://www.economyofmechanism.com/github-saml.html
SPID - Sistema Pubblico di Identità Digitale (Italian Public Digital Identity System)
http://spid-regole-tecniche.readthedocs.io/en/latest/introduzione.html#