SecAppDev 2020 Lecture Details

OAuth 2.0 Security Reinforced

Dr. Torsten Lodderstedt
Wednesday March 11, 16:00 - 17:30
Short description

OAuth 2.0 has become the standard for API authorization. Practical experience and security research have shown a need for updated security guidelines that will be presented in this session.

Abstract

The OAuth working group recently decided to discourage the use of the implicit grant. That is, however, only the most prominent recommendation in the upcoming OAuth 2.0 Security Best Current Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics). To mention a few others: the resource owner password credentials grant is discouraged as well, the authorization code flow is to be used only with PKCE, and access tokens should be sender-constrained. This session will present the new security guidelines in detail, along with the underlying rationales.
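The "code flow with PKCE" recommendation above is easiest to see in code. The following is an added illustration, not material from the lecture or from the BCP draft itself: a client derives a PKCE verifier and S256 challenge per RFC 7636, and a toy in-memory authorization server (the `authorize`, `token` and `store` names are assumptions made for this example) binds the challenge to the issued code and refuses to exchange the code unless the matching verifier is presented. The attacker who captured only the authorization code therefore gets nothing.

```python
"""Authorization code flow with PKCE (RFC 7636, S256 method).
Added example for illustration; not code from the lecture."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: high-entropy verifier. 32 random bytes -> 43 unreserved chars,
    inside the 43..128 character range RFC 7636 mandates."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Authorization server side. Only S256 is accepted here; the 'plain'
    method from RFC 7636 is deliberately rejected, in line with the BCP."""
    if method != "S256":
        return False
    # Constant-time comparison; both strings are ASCII so compare_digest accepts them.
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


# Hypothetical in-memory authorization server state, built for this demo only.
def authorize(store: dict, client_id: str, code_challenge: str, method: str) -> str:
    """Authorization endpoint: issue a code and bind the challenge to it."""
    code = b64url(secrets.token_bytes(16))
    store[code] = {
        "client_id": client_id,
        "code_challenge": code_challenge,
        "code_challenge_method": method,
    }
    return code


def token(store: dict, client_id: str, code: str, code_verifier: str):
    """Token endpoint: possession of the code alone is not enough; the caller must
    present the verifier whose hash was registered with the code. The code is
    consumed on first use, successful or not (RFC 6749 4.1.2 single-use codes)."""
    entry = store.pop(code, None)
    if entry is None or entry["client_id"] != client_id:
        return None
    if not verify_code_challenge(code_verifier,
                                 entry["code_challenge"],
                                 entry["code_challenge_method"]):
        return None
    return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def demo() -> tuple:
    """Returns (attacker_rejected, legitimate_client_succeeded)."""
    store = {}

    # Flow 1: an attacker obtained the code (say, via a leaked redirect URI)
    # but never saw the verifier, which only lives in the legitimate client.
    v1 = make_code_verifier()
    code1 = authorize(store, "app", make_code_challenge(v1), "S256")
    attacker = token(store, "app", code1, make_code_verifier())  # guessed verifier

    # Flow 2: the legitimate client redeems its own code with its own verifier.
    v2 = make_code_verifier()
    code2 = authorize(store, "app", make_code_challenge(v2), "S256")
    legit = token(store, "app", code2, v2)

    return attacker is None, legit is not None


if __name__ == "__main__":
    print(demo())
```

The `make_code_challenge` function reproduces the RFC 7636 Appendix B test vector, which is a useful sanity check for any real implementation: verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must hash to challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.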

Key takeaway

Understand the do's and don'ts of OAuth 2.0

Content level

Introductory

Target audience

Anyone building, designing or securing API-based applications

Prerequisites

OAuth 2.0 basics


Dr. Torsten Lodderstedt

CTO, yes.com

Dr.-Ing. Torsten Lodderstedt is CTO of yes.com, a startup building an identity scheme for banks and their customers. With more than a decade of experience in building and running large-scale identity services, he regularly contributes to OAuth and OpenID. His current focus is on OAuth security and its use in security-sensitive applications such as financial services and remote electronic signing.


Related identity and access management sessions

Advanced OAuth for security-sensitive applications

Lecture by Dr. Torsten Lodderstedt

OAuth has become the standard for API authorization because of its simplicity and versatility. This talk will present battle-proven patterns and OAuth extensions that should be used when building security-sensitive applications.

Identity and access management Thursday March 12, 14:00 - 15:30

A practical introduction to OIDC (and OAuth 2.0)

Lecture by Dominick Baier

OIDC and OAuth 2.0 have become the de facto standard to implement authentication and authorization in modern applications. This session introduces their features, such as authentication, sessions, and protocol flows.

Identity and access management Wednesday March 11, 11:00 - 12:30

OIDC and OAuth 2.0 – Tips from the trenches

Lecture by Dominick Baier

Building an API-based system with OIDC and OAuth 2.0 raises quite a few questions. In this session, we answer these questions using common patterns and anti-patterns derived from real-world scenarios.

Identity and access management Thursday March 12, 11:00 - 12:30

Making smart choices from the authentication cookbook

Lecture by Philippe De Ryck

Modern applications need to authenticate users and services in various scenarios. This session focuses on helping architects and developers understand the different authentication mechanisms and their purpose.

Identity and access management Tuesday March 10, 11:00 - 12:30

Modern access control policies

Lecture by Jim Manico

TBD

Identity and access management Wednesday March 11, 09:00 - 10:30