Захист відкритих клієнтів за допомогою одного алгоритму авторизації

Abstract

Pозглянуто конфіденційні та відкриті клієнти у контексті авторизації. Проведено аналіз проблем, пов’язаних з авторизацією відкритих клієнтів, котрі не можуть забезпечити конфіденційність секретних налаштувань. Досліджено існуючі вектори атак, недоліки стандарту OAUTH, потенційно небезпечні практики. Виявлено алгоритми, моделі та методи для захищеної авторизації відритих додатків. Створено модель алгоритму авторизації на основі Proof Key for Code Exchange та методу Backend For Frontend, яка не вразлива до атак Cross-Site-Scripting та Auth Code Interception. У результаті розроблено додаток, що являє собою відкритий клієнт на технології Blazor Web Assembly, використовуючи створену модель авторизації.

The paper focuses on authorization in public clients and provides a secure authorization model as an alternative to costly Microsoft Duende BFF solution. After providing a brief overview of confidential and public clients in terms of authorization, we have analyzed problems and potential attack vectors associated with the authorization process in public clients due to their inability to hold credentials securely. Confidential clients are implemented on secure servers or able to facilitate secure authentication by other means, while public clients lack this security. Our research discovered algorithms, models, and methods for secure authorization in public clients. As a part of our model, we have implemented high entropy Proof Key for Code Exchange generator in C# .NET 6.0. In addition, we have provided a solution to a problem of storing sensitive information in public clients using the Backend for Frontend concept. This concept leverages a reverse proxy pattern where a backend application acts as a proxy and handles all client requests. Having a proxy backend application significantly tightens security model for public clients, while restricting possible attack vectors. The authorization model being researched was based on Proof Key for Code Exchange and Backend for Frontend approach. During the testing phase of our research, we have confirmed that the model was not vulnerable to Cross-Site-Scripting and Auth Code Interception attacks. A sequence diagram outlining main actors and interactions among them in context of authorization has been designed. The diagram stands as the visual representation of the model that uses proposed methods and algorithms. As a result, we have managed to build an alternative to secure authorization solutions for public clients that do not rely on the client secret. We have summarized our key findings in a Blazor Web Assembly application, which is classified as public and uses the described authentication model.