WEBVTT 1 00:00:01.080 --> 00:00:03.000 How'd you like to listen to dot net rocks with 2 00:00:03.040 --> 00:00:07.879 no ads? Easy? Become a patron for just five dollars 3 00:00:07.919 --> 00:00:10.800 a month. You get access to a private RSS feed 4 00:00:10.839 --> 00:00:14.240 where all the shows have no ads. Twenty dollars a month, 5 00:00:14.279 --> 00:00:16.879 we'll get you that and a special dot net Rocks 6 00:00:16.960 --> 00:00:21.000 patron mug. Sign up now at Patreon dot dot NetRocks 7 00:00:21.120 --> 00:00:36.640 dot com. Hey, it's dot net rocks one more time. 8 00:00:36.840 --> 00:00:39.960 I'm Carl Franklin, an amateur camp and man, we are 9 00:00:40.000 --> 00:00:42.240 getting ready to go to build, aren't we getting there? Yeah? 10 00:00:42.320 --> 00:00:43.799 Now that's just about that time. 11 00:00:44.600 --> 00:00:46.439 There's a lot of you know, for me, I'm organizing 12 00:00:46.640 --> 00:00:50.520 a dozen podcasters so right, and a bunch of different teams. 13 00:00:50.679 --> 00:00:52.799 So it's an adventure. This is something that we did 14 00:00:52.799 --> 00:00:54.640 in the past together and then you sort of just 15 00:00:54.679 --> 00:00:59.119 took it over, which is fine because you've got all 16 00:00:59.200 --> 00:01:02.399 of the podcasts wrangled from not just dot net, right, 17 00:01:02.520 --> 00:01:05.640 and not just Microsoft, yeah, specifically not just dot net. Yeah. 18 00:01:05.680 --> 00:01:08.480 We got a bunch of YouTubers well coming out this time, 19 00:01:08.519 --> 00:01:10.359 Tim Corey, who has been on the show not. 20 00:01:10.280 --> 00:01:11.239 In a long time anyway. 21 00:01:11.439 --> 00:01:14.040 I love Tim Corey and Derek co Martin, which we 22 00:01:14.079 --> 00:01:16.480 had on recently coming as well. We got one video 23 00:01:17.040 --> 00:01:19.799 studio as well as a few audios do. Yeah, very cool. 24 00:01:20.680 --> 00:01:23.760 So here's the deal, listeners. If you are going to 25 00:01:23.799 --> 00:01:25.120 be at build, find us. 26 00:01:25.280 --> 00:01:27.920 Yeah. Do you have any idea physically where we're going 27 00:01:28.000 --> 00:01:28.120 to be. 28 00:01:28.200 --> 00:01:30.719 Yeah, we're on the fourth floor, okay, which is the 29 00:01:30.799 --> 00:01:33.359 community area. We're off on one side there. You'll find 30 00:01:33.400 --> 00:01:34.319 us easy enough. We're there. 31 00:01:34.400 --> 00:01:36.519 Yeah, stop in and say hi. Yep. All right, let's 32 00:01:36.560 --> 00:01:47.480 get busy with better know a framework. Awesome? All right, 33 00:01:47.680 --> 00:01:50.840 what do you got? So? I'm having a lot of 34 00:01:50.879 --> 00:01:55.560 fun with a sister podcast Security this week, which is myself, 35 00:01:55.599 --> 00:01:57.799 Patrick Hines and Dwayne Laflatte. And if you don't know 36 00:01:57.799 --> 00:02:01.120 who these guys are, Patrick Hines was actually our first guests. 37 00:02:01.480 --> 00:02:03.959 Well he's now our lucky charm, right, he's the first 38 00:02:03.959 --> 00:02:06.480 guest on all shows we make it seems that's right. 39 00:02:06.519 --> 00:02:08.520 He was your first guest on run As and I 40 00:02:08.560 --> 00:02:10.960 think he was the first guest on Mondays too. I'm 41 00:02:10.960 --> 00:02:15.000 not sure, but anyway, Patrick is a veteran and a 42 00:02:15.039 --> 00:02:20.599 security expert, and Dwayne is his Red team leader. They 43 00:02:20.599 --> 00:02:26.319 basically do penetration tests for customers. You know, customer says 44 00:02:26.319 --> 00:02:28.840 go ahead, try to hack us and you know, try 45 00:02:28.840 --> 00:02:32.960 to be all clever, and Dwayne was like, okay, done. 46 00:02:33.560 --> 00:02:37.879 So it's just and here's the thing about Security this Week, 47 00:02:37.919 --> 00:02:40.560 which is just the podcast name and Security this Week 48 00:02:40.639 --> 00:02:44.840 dot Com is the page we laugh far more than 49 00:02:44.919 --> 00:02:48.520 we should be laughing while talking about hacks that have 50 00:02:48.599 --> 00:02:51.439 happened at the end of the universe. Yeah, because what 51 00:02:51.479 --> 00:02:55.039 we're talking about is fundamentally scary, you know. Yeah. Sure, 52 00:02:55.319 --> 00:02:58.319 security can be very frightening. Yeah, if you think your 53 00:02:58.360 --> 00:03:03.159 passwords are safe. Mmm. So we have, you know, a 54 00:03:03.199 --> 00:03:05.919 lot of mantras that we say over and over again, 55 00:03:06.000 --> 00:03:09.039 like use a password manager and patch and update your 56 00:03:09.039 --> 00:03:12.319 firmware on your Wi Fi, you know thing whatever all 57 00:03:12.360 --> 00:03:14.919 the time. But I just wanted to mention we also 58 00:03:15.000 --> 00:03:17.400 have a Discord server and it's getting a lot of 59 00:03:17.439 --> 00:03:23.840 traction and we're even handing out swag which are lock 60 00:03:23.919 --> 00:03:27.120 pick sets. Oh yeah, with the Security this Week logo 61 00:03:27.240 --> 00:03:30.479 on them lock pick sets. Yeah. So, so if you 62 00:03:30.520 --> 00:03:33.840 go to Discord dot Security this Week dot com and 63 00:03:33.919 --> 00:03:37.199 don't put hddps in front of it or because it's 64 00:03:37.240 --> 00:03:42.439 a URL DNS router, so just go on your browser 65 00:03:42.520 --> 00:03:45.319 type Discord dot Security this week dot com. You'll get 66 00:03:45.319 --> 00:03:48.039 to our discord server and if you, you know, engage 67 00:03:48.080 --> 00:03:50.039 us and give us some things to think about, we'll 68 00:03:50.039 --> 00:03:52.520 send you a lock pick set cool and that's my 69 00:03:52.639 --> 00:03:54.680 better no framework, that's what you get. Who's talking to 70 00:03:54.719 --> 00:03:56.960 us today? Richard Grab a comment off for show nineteen 71 00:03:57.080 --> 00:03:58.879 forty eight. This is the one which is just a 72 00:03:58.919 --> 00:04:01.639 couple of weeks ago with Rob talking about his open 73 00:04:01.719 --> 00:04:06.319 source maintenance fee and Jimmy Scott had this comment back. 74 00:04:06.360 --> 00:04:07.520 He said, thanks for your time. Rob. 75 00:04:07.560 --> 00:04:10.000 We are users of wis, which is a product that 76 00:04:10.520 --> 00:04:13.280 Rob maintains, and I was concerned that wicks was going commercial. 77 00:04:13.560 --> 00:04:17.079 Like many others, we use numerous OS projects and I've 78 00:04:17.079 --> 00:04:18.759 suscribed to several of them. The fee is more than 79 00:04:18.800 --> 00:04:21.079 reasonable and we will be subscribing today. 80 00:04:21.160 --> 00:04:21.560 Awesome. 81 00:04:21.639 --> 00:04:24.240 Yeah, it was great, great news, and I was very 82 00:04:24.480 --> 00:04:27.680 you know, we've been battling with this problem talking about 83 00:04:27.879 --> 00:04:29.839 how we're going to create sustainable open source on it 84 00:04:29.920 --> 00:04:33.600 for years now. So yeah, Rob's approach, you know, and 85 00:04:33.920 --> 00:04:36.519 again I appreciate it. He's not just postulating. He set 86 00:04:36.560 --> 00:04:38.040 it up. He set it up how to do it 87 00:04:38.040 --> 00:04:40.000 through githubs so you can learn everything you need to 88 00:04:40.040 --> 00:04:42.720 do about it, and clearly Jimmy's taking advantage that. So Jimmy, 89 00:04:43.240 --> 00:04:44.800 thank you so much for your comment. And a copy 90 00:04:44.839 --> 00:04:46.360 of music Goby is on its way to you. And 91 00:04:46.360 --> 00:04:47.839 if you'd like a copy of music Go Buy, I 92 00:04:47.879 --> 00:04:50.319 write a comment on the website dot NetRocks dot com 93 00:04:50.399 --> 00:04:52.000 or on the facebooks. We publish every show there and 94 00:04:52.040 --> 00:04:53.720 if you comment there and a reading the show will 95 00:04:53.759 --> 00:04:54.959 send you copy Music to Go Buy. 96 00:04:55.079 --> 00:04:58.160 Yeah, And I just wanted to say I'm standing by 97 00:04:58.360 --> 00:05:01.079 sort of watching how it unfolds with other people other 98 00:05:01.160 --> 00:05:03.079 than Rob and this guy or through the only two 99 00:05:03.120 --> 00:05:06.160 people that I know who are using is systems. So 100 00:05:06.199 --> 00:05:08.480 but I plan on jumping in as soon as I 101 00:05:08.519 --> 00:05:15.160 see happy customers. So also a reminder that Music to 102 00:05:15.240 --> 00:05:18.480 Code By is still going strong with twenty two tracks 103 00:05:18.720 --> 00:05:20.879 and you can download the whole collection in MP three 104 00:05:21.000 --> 00:05:24.720 flak or wave at music tocode by dot net. Awesome. Yeah, 105 00:05:24.759 --> 00:05:26.879 and with that, do you want to do the history thing? 106 00:05:27.000 --> 00:05:29.560 Are we done with it? Oh? That's a great idea. 107 00:05:29.680 --> 00:05:32.680 I didn't. I didn't have time to assemble anything. But 108 00:05:32.839 --> 00:05:35.199 it's nineteen fifty. I mean, what can we say, yes 109 00:05:35.240 --> 00:05:37.920 besides el Wells or beginning of the Korean War. 110 00:05:38.920 --> 00:05:42.360 Oh that that would be one. 111 00:05:42.519 --> 00:05:45.800 There was that, yeah, yeah, okay. 112 00:05:46.040 --> 00:05:48.839 But also the very first credit card, the Diner's Card, 113 00:05:49.000 --> 00:05:52.839 no kidding, is nineteen fifty yeah, I said, sort of famous. 114 00:05:53.120 --> 00:05:55.600 It's it's not an apocryphal story, but it's supposed to 115 00:05:55.639 --> 00:05:58.800 be true that Frank McNamara. It was this sales guy 116 00:06:00.079 --> 00:06:03.120 got his wallet in a different suit, took out his clients, 117 00:06:03.480 --> 00:06:06.000 and his wife had to pay. He didn't have any 118 00:06:06.000 --> 00:06:07.879 money on him, and thought, well, it's got to be 119 00:06:07.920 --> 00:06:10.720 a better way and work with a group of folks, 120 00:06:10.720 --> 00:06:14.199 including Alfred Bloomingdale, who was the heir to the Bloomingdale 121 00:06:14.399 --> 00:06:17.560 d department store. So got it into Bloomingdale's right away 122 00:06:17.600 --> 00:06:19.279 and it kicked that whole thing off. Of course, the 123 00:06:19.319 --> 00:06:21.920 big card, what became Visa, comes along later in nineteen 124 00:06:21.920 --> 00:06:22.439 towty eight. 125 00:06:23.120 --> 00:06:24.959 So did you say it was the diners Club. 126 00:06:25.360 --> 00:06:27.079 That's what became Diner's Club, but at the time it 127 00:06:27.120 --> 00:06:27.959 was called Diner's Card. 128 00:06:28.040 --> 00:06:28.879 The Diner's Card. 129 00:06:29.079 --> 00:06:32.199 Interesting, and it was again focused on restaurants initially, although 130 00:06:32.480 --> 00:06:33.920 rapidly branched into retail. 131 00:06:34.040 --> 00:06:36.839 So you know, we're getting out of like the war 132 00:06:36.959 --> 00:06:39.439 as well, we're getting into via the not the Vietnam, 133 00:06:39.519 --> 00:06:43.480 the Korean War, but and more interesting things are happening 134 00:06:43.480 --> 00:06:47.600 in compute around this time. Do you have any computer 135 00:06:48.079 --> 00:06:49.360 kind of history. 136 00:06:49.480 --> 00:06:51.399 The only comput story that's like a lot of things 137 00:06:51.439 --> 00:06:53.319 will happen in the fifties but in fifty is not 138 00:06:53.680 --> 00:06:56.800 a bunch except that at the Canadian World Exposition in 139 00:06:56.920 --> 00:07:00.839 nineteen fifty they had a computer they called Birdie the 140 00:07:01.040 --> 00:07:04.759 Brain and it played tic tac toe. Wow, And apparently 141 00:07:04.800 --> 00:07:07.040 there was huge cues of people to play tic tac 142 00:07:07.160 --> 00:07:09.480 toe against Berdie the Brain. 143 00:07:09.839 --> 00:07:13.480 Wow. That's cool. Silly but yeah, no, that was silly 144 00:07:13.480 --> 00:07:13.920 but cool. 145 00:07:14.040 --> 00:07:16.319 And you know that all the write ups talk about 146 00:07:16.360 --> 00:07:19.199 it being artificial intelligence, but none of the stuff at 147 00:07:19.240 --> 00:07:22.759 the time called it artificial intelligence. Yeah, which is Bertie 148 00:07:22.759 --> 00:07:27.319 the Brain. They just called it tic tac toe. Okay, 149 00:07:27.480 --> 00:07:31.399 So with that, I'm going to introduce Erwin. Erwin van 150 00:07:31.399 --> 00:07:34.639 der Walk is an experienced software engineer with the passion 151 00:07:34.720 --> 00:07:39.879 for software design, development practices and web security. He works 152 00:07:39.879 --> 00:07:42.360 as a principal engineer at Dwende Software and is the 153 00:07:42.399 --> 00:07:46.199 product owner for the Dwende BFF That's not Best Friends Forever, 154 00:07:46.319 --> 00:07:49.839 That's back in for front End Security Library and the 155 00:07:49.879 --> 00:07:54.360 popular open source library dwende access token management. In his 156 00:07:54.399 --> 00:07:56.639 spare time, he tries to learn as much as possible 157 00:07:56.680 --> 00:08:00.560 about pretty much anything and everything tech, science, history, and 158 00:08:00.600 --> 00:08:06.360 all things metal, listening, playing guitar, and fighting with historically 159 00:08:06.519 --> 00:08:08.360 accurate long's words. 160 00:08:08.560 --> 00:08:09.759 Well there's a hobby for you. 161 00:08:09.959 --> 00:08:10.160 Yeah. 162 00:08:10.279 --> 00:08:14.120 I don't even know what that means, but uh, welcome, Irwin. 163 00:08:14.199 --> 00:08:18.639 I recently learned what dwen day is. Like, I'm not 164 00:08:18.720 --> 00:08:24.199 the company, but the word. It's a Spanish word that means, 165 00:08:24.920 --> 00:08:28.560 you know, it's sort of what do they what do 166 00:08:28.600 --> 00:08:30.439 they call it? It's it's it's sort of a way 167 00:08:30.480 --> 00:08:33.879 of life, right day. You would call something dwende if 168 00:08:33.919 --> 00:08:39.559 it's amazing, if it's awesome, Yeah, that's the idea. Yeah, 169 00:08:39.600 --> 00:08:41.440 so welcome, Well, thank you very much. 170 00:08:41.480 --> 00:08:43.200 I'm super excited to be on the show. A long 171 00:08:43.240 --> 00:08:44.080 time listener, so. 172 00:08:44.600 --> 00:08:49.799 Yeah, we're super excited to have you BFF. Back End 173 00:08:49.879 --> 00:08:53.759 for front end. Yeah, and why why is it back 174 00:08:53.879 --> 00:08:55.679 end for front end and not just back end? 175 00:08:55.919 --> 00:08:59.519 Well, they call it back and for front end because 176 00:09:00.960 --> 00:09:04.879 tied to a particular front end, you have to have 177 00:09:05.440 --> 00:09:08.320 one back end if you have a micro services or 178 00:09:08.399 --> 00:09:11.240 just an appropriately sized services architecture, behind it. You can 179 00:09:11.279 --> 00:09:13.759 have many services behind your front end, but in this 180 00:09:13.799 --> 00:09:16.360 particular case, you only have one back end for that 181 00:09:16.399 --> 00:09:19.799 front end. And you know, the back end for front 182 00:09:19.879 --> 00:09:23.440 end pattern itself has been also around for quite a 183 00:09:23.440 --> 00:09:26.639 long time, and in this particular case, we're explicitly talking 184 00:09:26.679 --> 00:09:29.480 about adding the security layer on top of that. That's 185 00:09:29.519 --> 00:09:33.559 also how the if the Internet Engineering Task Force defined 186 00:09:33.600 --> 00:09:37.960 it now, but originally it was just if you have 187 00:09:38.080 --> 00:09:41.000 multiple different types of front ends, maybe a mobile, maybe 188 00:09:41.039 --> 00:09:44.000 a web application, you would build a specific back end 189 00:09:44.120 --> 00:09:47.639 for that one front end. And in this particular case, 190 00:09:48.000 --> 00:09:51.480 it's kind of similar, but you have a back end 191 00:09:51.840 --> 00:09:54.519 for a particular front end, but also to provide it 192 00:09:54.639 --> 00:09:56.240 with the authentication services. 193 00:09:56.600 --> 00:10:00.320 So with MVC fall into that category, and MVC server 194 00:10:00.480 --> 00:10:03.639 because if you think about it, it's serving up hdmun 195 00:10:03.879 --> 00:10:06.240 JavaScript and front end stuff. 196 00:10:06.480 --> 00:10:09.279 I think the primary goal is to look at what 197 00:10:09.360 --> 00:10:11.679 we call browser based application. So it's a little bit 198 00:10:11.720 --> 00:10:16.480 more like you know, spas applications built with React Angular Blazer, 199 00:10:16.559 --> 00:10:19.679 those type of applications that live primarily in the browser. 200 00:10:20.240 --> 00:10:25.000 They don't necessarily need a one single backhand for them. 201 00:10:25.039 --> 00:10:26.919 I mean, they could use any types of back ends, 202 00:10:27.240 --> 00:10:31.120 but in this particular case, and yeah, maybe it's good 203 00:10:31.120 --> 00:10:33.399 to dive into why we need that thing in the 204 00:10:33.440 --> 00:10:37.759 first place. It is to prevent you from using access 205 00:10:37.799 --> 00:10:40.279 tokens in the browser. Now why would you want that, 206 00:10:40.360 --> 00:10:42.600 Because for a long time, using access tokens in the 207 00:10:42.639 --> 00:10:45.480 browser has been a recommended practice. Right, There's all these 208 00:10:45.480 --> 00:10:49.279 libraries that are out there to handle those in JavaScript. 209 00:10:50.600 --> 00:10:54.600 And that's because the field of security is constantly evolving, right. 210 00:10:54.879 --> 00:10:57.399 I mean, things that were just completely valid in the 211 00:10:57.440 --> 00:11:02.360 past of implicit grand flow for example, is now totally 212 00:11:02.399 --> 00:11:07.519 not recommended anymore because you know, just clear security vulnerabilities 213 00:11:07.559 --> 00:11:08.440 have been discovered in. 214 00:11:08.559 --> 00:11:13.440 Yeah, you're increasing the surface, the attack surface by allowing 215 00:11:13.960 --> 00:11:17.000 hackers to get in there and mess with the tokens 216 00:11:17.039 --> 00:11:19.279 and try to spoof your back end and all of that, 217 00:11:19.360 --> 00:11:20.600 all the things that hackers do. 218 00:11:21.000 --> 00:11:24.840 Absolutely And there's the problem, right because within a browser 219 00:11:24.879 --> 00:11:28.759 based application, all the code for that one application is 220 00:11:28.799 --> 00:11:32.080 just mashed together in the same sandbox this week. So 221 00:11:32.159 --> 00:11:35.039 if a hacker is able to inject code in there, 222 00:11:35.240 --> 00:11:38.879 and unfortunately they do. Injection attacks are still the opity 223 00:11:39.159 --> 00:11:44.559 top three absolutely issue. It just happens a lot. Then 224 00:11:45.039 --> 00:11:47.759 an attacker can do exactly what your application is able 225 00:11:47.799 --> 00:11:51.240 to do as well. Now, if that is just impersonating 226 00:11:51.240 --> 00:11:54.679 you while you have your browser online, that's already a problem. 227 00:11:54.759 --> 00:11:56.960 And sure there are ways that you can limit the 228 00:11:57.000 --> 00:12:00.000 attack surface. Then, but if the attacker is able to 229 00:12:00.759 --> 00:12:03.639 take an access token and take that offline, even when 230 00:12:03.679 --> 00:12:06.320 you close down your browser, he's still able to impersonate you, 231 00:12:06.799 --> 00:12:09.480 or even worse right, take what we call a refresh 232 00:12:09.519 --> 00:12:12.320 token and be able to get more and more access 233 00:12:12.360 --> 00:12:14.960 tokens all the time, then you really have a problem 234 00:12:15.360 --> 00:12:16.080 if that happens. 235 00:12:17.039 --> 00:12:19.879 But these things are require like a sort of a 236 00:12:19.919 --> 00:12:22.960 man in the middle attack, right, This isn't something that 237 00:12:23.000 --> 00:12:25.279 you're going to pick up some malware and somebody's going 238 00:12:25.360 --> 00:12:27.679 to steal your tokens and whatever. Somebody has to really 239 00:12:27.679 --> 00:12:28.639 target you, don't they. 240 00:12:28.840 --> 00:12:32.200 Well, it is so easy to make a small mistake 241 00:12:32.559 --> 00:12:35.679 while building your web application that opens you up to 242 00:12:35.960 --> 00:12:40.480 cross side scripting attacks. Yeah, I myself not too long 243 00:12:40.519 --> 00:12:44.519 ago found out that if you have a URL and 244 00:12:44.559 --> 00:12:47.799 you add that URL into an image tag all of us, 245 00:12:47.840 --> 00:12:51.919 and that URL comes from another source, that URL could 246 00:12:52.000 --> 00:12:55.799 contain script and that will immediately be executed. So immediately 247 00:12:55.919 --> 00:12:59.279 that turns it into a cross side scripting attack. I 248 00:12:59.320 --> 00:13:02.639 didn't know that, and the library at the time React 249 00:13:03.120 --> 00:13:06.399 doesn't handle that particular case. It does when you bind 250 00:13:06.879 --> 00:13:10.720 a textbox to some data, but it doesn't handle that 251 00:13:10.759 --> 00:13:11.639 particular problem. 252 00:13:11.759 --> 00:13:13.919 So so you're saying that I could have you know, 253 00:13:14.480 --> 00:13:21.000 IMG source equals HTDP Joe's discount, sharkcages dot com, slashcage 254 00:13:21.000 --> 00:13:26.039 one dot jpeg, and that jpeg could no a jpeg 255 00:13:26.080 --> 00:13:28.480 could contain a script or is it more like a 256 00:13:28.600 --> 00:13:33.879 script tag that loads a JavaScript file from some other site. 257 00:13:33.919 --> 00:13:38.600 This particular example is a URL that contains script itself. 258 00:13:38.600 --> 00:13:40.559 So it's not necessarily even a URL. It doesn't even 259 00:13:40.600 --> 00:13:45.000 start with htps or something, but it just contains script. 260 00:13:45.080 --> 00:13:47.000 And if you put that into an image tag, it 261 00:13:47.039 --> 00:13:49.120 gets executed and you have a vulnerability. 262 00:13:49.200 --> 00:13:51.080 Oh if you put it into an image to ic. 263 00:13:51.440 --> 00:13:53.240 So if you set the source for an image tag 264 00:13:53.279 --> 00:13:55.840 to a script file, the script is going to get executed. 265 00:13:56.039 --> 00:13:59.679 Yes, And this is just one tiny example. I mean, 266 00:14:00.120 --> 00:14:03.600 when you build a browser based application using React or something, 267 00:14:03.840 --> 00:14:06.759 you get a million node files. How do you know 268 00:14:06.840 --> 00:14:09.240 that not one of those tiny node files has a problem. 269 00:14:09.480 --> 00:14:12.080 I wish you were exaggerating that it was a million 270 00:14:12.159 --> 00:14:15.279 node files, because you're right, so it's so many. 271 00:14:16.159 --> 00:14:18.679 So here's the point, right, I mean, if you do 272 00:14:18.799 --> 00:14:23.360 everything perfect, then doing what we call public client public 273 00:14:23.440 --> 00:14:29.120 client authorization code flow works and it's secure. But as 274 00:14:29.120 --> 00:14:32.360 soon as you have a tiny little hole in your 275 00:14:32.360 --> 00:14:36.360 browser based security, then what you want to do is 276 00:14:37.000 --> 00:14:39.960 put layers in there. Security is all about adding more 277 00:14:40.039 --> 00:14:43.840 layers and reducing the blast radius if something goes wrong. 278 00:14:43.960 --> 00:14:45.799 Right, and before you go down that rabbit hole, let 279 00:14:45.879 --> 00:14:48.200 me just say that it's not just a mistake that 280 00:14:48.240 --> 00:14:51.759 you could make. But in your software bill of materials, 281 00:14:51.759 --> 00:14:56.480 which you have right everybody listening, yes, all right, that 282 00:14:56.679 --> 00:14:59.600 is all of the dependencies that you are taking on 283 00:14:59.759 --> 00:15:03.120 in that list, and that list, as Richard said, could 284 00:15:03.159 --> 00:15:08.720 be millions of JavaScript files down the line. And there's 285 00:15:08.720 --> 00:15:11.720 been examples of these where we've depended on a particular 286 00:15:11.759 --> 00:15:15.279 JavaScript library and that library contained a bug and everything crashed. 287 00:15:16.120 --> 00:15:18.759 You're depending on those things, and how are you going 288 00:15:18.840 --> 00:15:23.480 to know if somebody gets in there maliciously does a 289 00:15:23.519 --> 00:15:27.320 pull request and approves it and absolutely Bob's your uncle, 290 00:15:27.559 --> 00:15:28.559 and you won't know. 291 00:15:28.759 --> 00:15:31.840 Exactly so, and it doesn't even have to be that right, 292 00:15:32.120 --> 00:15:34.799 script injection attacks is just one of the vectors. I mean, 293 00:15:34.840 --> 00:15:37.600 not too long ago, we had Spector. Right, Spector was 294 00:15:37.639 --> 00:15:41.600 a processor based issue. There's a proof of concept that. 295 00:15:41.799 --> 00:15:45.399 It was a vulnerability in the micro code of Intel processors. 296 00:15:45.639 --> 00:15:48.639 Exactly. There was a proof of concept out there that 297 00:15:48.759 --> 00:15:53.320 proved that by somehow from one browser window to another 298 00:15:53.360 --> 00:15:56.519 browser window, they could find poke into the memory of 299 00:15:56.639 --> 00:15:59.279 the other browser window. Now that's scary as well, right, 300 00:16:00.000 --> 00:16:02.480 I mean, the point that I'm making is that you 301 00:16:02.600 --> 00:16:05.759 have code running that you know, comes from all kinds 302 00:16:05.759 --> 00:16:10.000 of sources, maybe even you know, add links or whatever. Right, 303 00:16:10.039 --> 00:16:13.679 it comes from all kinds of sources, just execute together, 304 00:16:13.879 --> 00:16:16.600 and anything that that code does, it will you know 305 00:16:17.120 --> 00:16:19.360 that the code can do, you know it might do. 306 00:16:19.720 --> 00:16:24.360 And that's that's a problem. So the BFF pattern comes 307 00:16:24.360 --> 00:16:27.159 in to try and help that. Now, like I mentioned, 308 00:16:27.240 --> 00:16:30.919 the i ETF Enginet Engineering Task Force. That's the group 309 00:16:30.960 --> 00:16:33.480 that's responsible for creating all of these standards in the 310 00:16:33.480 --> 00:16:37.360 first place. Right, they created the OALTH to specification, open 311 00:16:37.360 --> 00:16:41.000 and deconnect all of that, and every now and then 312 00:16:41.080 --> 00:16:43.919 they come out with what they call a best current 313 00:16:43.960 --> 00:16:47.240 Practice document and in there they try to document well, 314 00:16:47.279 --> 00:16:49.759 you know, looking at the landscape, looking at what we 315 00:16:49.799 --> 00:16:53.320 know right now, what is what do we recommend and 316 00:16:53.360 --> 00:16:55.480 what don't we recommend. And one of the things that 317 00:16:55.480 --> 00:16:59.440 they're recommending is to use the BFF pattern. If you 318 00:16:59.519 --> 00:17:02.159 look at it, the BFF pattern consists of a couple 319 00:17:02.240 --> 00:17:05.720 of things. The first thing really important is that the 320 00:17:05.759 --> 00:17:09.880 authentication needs to happen on the server. So in the 321 00:17:09.880 --> 00:17:12.279 server you have what we call a confidential client, and 322 00:17:12.319 --> 00:17:15.759 the confidential client handles all of the authentication with your 323 00:17:16.000 --> 00:17:20.480 identity provider. Now the browser is still involved, but not 324 00:17:20.599 --> 00:17:25.319 the browser based application. It's not the JavaScript based So 325 00:17:25.400 --> 00:17:28.400 all that the front end has to do is redirect 326 00:17:28.480 --> 00:17:31.240 to a log in page or the logout page, and 327 00:17:32.359 --> 00:17:37.039 the server then takes care of the rest. After the 328 00:17:37.079 --> 00:17:41.079 authentication has completed. What the server then does is it 329 00:17:41.119 --> 00:17:44.079 places a cookie on your machine. Now, cookies have a 330 00:17:44.079 --> 00:17:47.039 bit of a bad rep for privacy reasons, of course, 331 00:17:47.359 --> 00:17:52.200 but also you know, for a cross side request forgery attacks, 332 00:17:52.440 --> 00:17:54.000 and we might get into those in a little bit 333 00:17:54.000 --> 00:17:56.839 in a minute, but they're very easily to protect you 334 00:17:56.920 --> 00:18:01.240 against those actually pretty much. Yeah, but cookies have been 335 00:18:01.279 --> 00:18:03.680 around for a long time and actually they you know, 336 00:18:04.480 --> 00:18:07.640 when you apply them properly. They're actually really secure. Sure, 337 00:18:08.039 --> 00:18:11.000 so what happens if you set your cookie to HTTP only. 338 00:18:11.480 --> 00:18:14.319 That means that your JavaScript can't reach them, and they're 339 00:18:14.359 --> 00:18:18.279 just added by the browser implicitly. Now, you can also 340 00:18:18.400 --> 00:18:21.160 set some policies on there, like same site policies, maybe 341 00:18:21.200 --> 00:18:24.319 even underscore underscore host prefix. It's a little bit technical, 342 00:18:24.400 --> 00:18:26.839 but all these flags that you can turn onto your 343 00:18:26.839 --> 00:18:30.200 cookies so that it's more difficult for attackers to to 344 00:18:31.119 --> 00:18:33.200 you know, accidentally get access to those things. 345 00:18:33.519 --> 00:18:35.079 Got to keep the cookie monster away. 346 00:18:35.519 --> 00:18:39.160 Yeah, but then once you've once you've configured those cookies correctly, 347 00:18:39.440 --> 00:18:42.559 the authentication just happens. Any call that you make to 348 00:18:42.680 --> 00:18:47.119 your backhand service is just authenticated automatically in a simple 349 00:18:47.240 --> 00:18:50.480 application what you just mentioned, right, just an MVC application, 350 00:18:50.519 --> 00:18:54.319 but then maybe one that exposes APIs the authentication just flows. 351 00:18:54.720 --> 00:18:59.240 Everything's fine, But now if you want to access external services, 352 00:18:59.720 --> 00:19:02.599 you know, micro services that you have running somewhere else, 353 00:19:03.000 --> 00:19:05.319 you don't want the cookie to flow over there because 354 00:19:05.319 --> 00:19:09.559 it can't read those cookies, can't do anything with them there. 355 00:19:09.079 --> 00:19:13.759 So you need some federated kind of multiple server communication 356 00:19:13.920 --> 00:19:14.240 going on. 357 00:19:14.400 --> 00:19:17.160 Right, Yeah, Well, what you then do is you exchange 358 00:19:17.279 --> 00:19:20.000 the cookie for an access token, and from that point 359 00:19:20.039 --> 00:19:24.880 on you just have a request from the BFF to 360 00:19:24.960 --> 00:19:28.079 your API using access tokens. And that's just a very 361 00:19:28.119 --> 00:19:32.880 well known pattern to flow, just credentials and information and 362 00:19:33.119 --> 00:19:38.319 security context. Yeah, okay, that is pretty much it. I mean, 363 00:19:38.359 --> 00:19:39.920 there's more that you can add to that. 364 00:19:40.279 --> 00:19:42.720 But so the access tokens are kind of made up 365 00:19:42.720 --> 00:19:47.160 on the fly, whereas the cookie identifies you to your server. Yeah, 366 00:19:47.200 --> 00:19:50.359 but when you say exchange, you mean, hey, this is 367 00:19:50.440 --> 00:19:52.359 me because I have this cookie, you know who I am. 368 00:19:52.480 --> 00:19:54.720 Give me an authentication token that I can use over 369 00:19:54.759 --> 00:19:55.440 in this API. 370 00:19:55.599 --> 00:19:58.400 Yes, yeah, and you can still have the choice. I mean, 371 00:19:58.440 --> 00:20:02.079 some APIs they don't want what we call a user 372 00:20:02.119 --> 00:20:04.799 based a token, right, They just want to have a 373 00:20:04.839 --> 00:20:08.079 client credentials token and that's it. You might want to 374 00:20:08.079 --> 00:20:11.279 have a token that's very narrow for that one particular service, 375 00:20:11.839 --> 00:20:14.680 because you might want to have multiple tokens for different services, 376 00:20:14.960 --> 00:20:17.720 and some other service might actually want to have a 377 00:20:17.799 --> 00:20:20.200 token with the subject identifier in it and all kinds 378 00:20:20.240 --> 00:20:21.480 of claims in there as well. 379 00:20:21.960 --> 00:20:27.200 So we're really talking about authorization at this point, not authentication. 380 00:20:27.279 --> 00:20:31.720 You're authenticated by that cookie. Now authorization takes on this 381 00:20:32.039 --> 00:20:33.240 whole other topic. 382 00:20:33.519 --> 00:20:37.400 Well, think about it from the perspective of your API. 383 00:20:38.160 --> 00:20:42.079 You're still authenticating, right, because a request comes in, there's 384 00:20:42.119 --> 00:20:45.599 an access token that says who is calling this thing? 385 00:20:45.640 --> 00:20:47.799 And that may just be hey, it's just a BFF 386 00:20:47.839 --> 00:20:51.359 that's calling you. Trust a BFF, right, do your thing, 387 00:20:51.559 --> 00:20:53.400 But it may also be no, this is an access 388 00:20:53.400 --> 00:20:57.279 token that has user information in it, so a subject identifier, 389 00:20:57.400 --> 00:21:00.440 maybe all kinds of other claims that then the might 390 00:21:00.480 --> 00:21:04.119 also use to make coarse grained authorization decisions. 391 00:21:04.200 --> 00:21:06.640 Sure, sure, okay, So. 392 00:21:08.039 --> 00:21:13.319 Now on top of that, you can also look at sessions. Now, 393 00:21:14.680 --> 00:21:18.480 the cookie, that's the thing that identifies you as a 394 00:21:19.079 --> 00:21:21.160 but you can store information in the cookie. If you 395 00:21:21.160 --> 00:21:24.599 wanted to, you could store the access token in the cookie. 396 00:21:24.759 --> 00:21:27.160 Now it's still secure. It goes to the browser, but 397 00:21:27.480 --> 00:21:31.839 the browser based application can't reach it, and then that's sorry. 398 00:21:31.880 --> 00:21:36.440 The advantage of that is is that your BFF is 399 00:21:36.680 --> 00:21:40.160 relatively stateless, right, it doesn't need to store that session 400 00:21:40.200 --> 00:21:43.279 information somewhere. But if you were to store that session 401 00:21:43.319 --> 00:21:46.240