Using an OAuth 2.0 Resource Server with Certificate-Bound Access Tokens

ZmartZone has implemented OAuth 2.0 Resource Server functionality in Apache/NGINX modules so these components can be used as a reverse proxy in front of APIs or other backends. In such a setup the backend does not have to deal with security but outsources it to a proxy sitting in front of it in a similar way that TLS termination is often offloaded to a load-balancer.

Most OAuth 2.0 deployments today use so-called bearer access tokens, which are easy to deploy and use. This type of access token is not bound to the Client presenting it, which means that an attacker who intercepts an access token can simply use that token to access the resources/APIs/services as if it were the Client. So-called Proof-of-Possession semantics for access tokens prevent that type of attack and provide a more secure setup, but such a system is typically harder to implement, deploy and maintain.

A relatively simple variant of Proof-of-Possession for access tokens is specified in RFC 8705, OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. This specification leverages a (possibly self-signed) certificate held by the Client to bind an access token cryptographically to the private key associated with that certificate.

This specification is implemented in liboauth2 1.4.1, which is used in the Apache module mod_oauth2 3.2.1. This means that you can now require and verify OAuth 2.0 certificate-bound access tokens for your API in a very simple way that is easy to deploy. All it takes is an Apache server in front of your API, configured with something like:

AuthType oauth2
OAuth2TokenVerify jwk "{\"kty\":\"RSA\",\"kid\":\"one\",\"use\":\"sig\",\"n\":\"...\",\"e\":\"AQAB\" }" type=mtls&mtls.policy=optional
SSLVerifyClient optional_no_ca
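The binding check that the proxy has to perform behind that configuration, as an added illustration (this is not liboauth2 or mod_oauth2 code): RFC 8705 puts a base64url-encoded SHA-256 thumbprint of the client's DER certificate in the token's cnf.x5t#S256 claim, and the resource server compares it with the certificate presented in the TLS handshake. The example assumes the token's signature has already been verified (the OAuth2TokenVerify jwk step) and uses a constructed byte string in place of a real DER certificate; the policy argument mirrors mtls.policy=optional versus required.

```python
import base64
import hashlib
import hmac

# Constructed placeholder for the DER-encoded client certificate that the
# TLS layer (SSLVerifyClient) handed to the module. Not a real certificate;
# any byte string works here because the binding is a hash over the DER bytes.
CLIENT_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-client-cert-der"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url (no padding) of SHA-256 over the DER cert."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_certificate_binding(claims: dict, presented_cert_der, policy="required"):
    """Return (accepted, reason) for a token whose signature is already verified.

    policy "required": the token must carry cnf.x5t#S256 and it must match the
    presented certificate. policy "optional" (mtls.policy=optional above): a
    token without cnf is accepted as a plain bearer token, but a cnf claim that
    is present must still match the presented certificate.
    """
    cnf = claims.get("cnf") or {}
    bound_thumbprint = cnf.get("x5t#S256")
    if bound_thumbprint is None:
        if policy == "optional":
            return True, "no cnf claim: bearer token accepted under optional policy"
        return False, "cnf.x5t#S256 missing but certificate binding is required"
    if not isinstance(bound_thumbprint, str):
        return False, "cnf.x5t#S256 is not a string"
    if presented_cert_der is None:
        return False, "token is certificate-bound but no client certificate was presented"
    presented = x5t_s256(presented_cert_der)
    # Constant-time comparison of the two thumbprints.
    if not hmac.compare_digest(presented.encode(), bound_thumbprint.encode()):
        return False, "presented certificate does not match the token's cnf thumbprint"
    return True, "certificate binding verified"


if __name__ == "__main__":
    bound = {"sub": "client-one", "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}
    print(check_certificate_binding(bound, CLIENT_CERT_DER))
    print(check_certificate_binding(bound, b"constructed-other-cert-der"))
    print(check_certificate_binding({"sub": "client-two"}, CLIENT_CERT_DER, "optional"))
```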

Acknowledgement: this work was performed in a partnership with Connect2ID. Thanks Vladimir Dzhuvinov.
