SecAppDev 2022 Lecture Details

Analyzing the security of OAuth 2.0 implementations

Pieter Philippaerts
Wednesday June 15, 11:00 - 12:30
Short description

In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.

Abstract

The OAuth 2.0 protocol is a popular and widely adopted authorization protocol. The protocol itself has been proven secure in a comprehensive formal security analysis, yet new vulnerabilities continue to appear in popular OAuth implementations: the gap lies between the specification and the way authorization servers implement and configure it.

In this presentation, we introduce a tool, called OAuch, that tests and analyzes the security of OAuth authorization servers. We show how the tool works and how it can help you to test and secure your implementations. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.

Key takeaway

Securely implementing and configuring OAuth services is difficult. Follow the OAuth Security Best Current Practices to properly mitigate threats.
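The Security BCP is the yardstick the talk measures authorization servers against. As an added example (not code from OAuch, the lecture or the speaker), the Python below maps a handful of BCP recommendations onto what a server advertises in its RFC 8414 metadata document: PKCE with S256 only, no implicit or password grant, TLS on every endpoint, and sender-constrained tokens via mTLS (RFC 8705) or DPoP (RFC 9449). The two metadata documents and the issuer name as.example are constructed for the example. Metadata only states what a server claims to support; whether it actually enforces PKCE or exact redirect URI matching has to be verified by exercising the endpoints, which is the part a static check cannot do.

```python
"""Static checks of OAuth 2.0 authorization server metadata (RFC 8414)
against a few recommendations of the OAuth 2.0 Security Best Current Practice.

Added example for this page, not part of OAuch. Makes no network calls; the
sample metadata documents below are constructed, not taken from a real server.
"""
from typing import Dict, List


def check_security_bcp(metadata: Dict) -> List[str]:
    """Return a list of findings; an empty list means these checks found nothing.

    A missing field is treated as "not supported", which is how RFC 8414
    defines the defaults for most of the fields inspected here.
    """
    findings: List[str] = []

    # BCP: every client must use PKCE; S256 is the only challenge method that
    # keeps the verifier out of the authorization request.
    methods = set(metadata.get("code_challenge_methods_supported", []))
    if "S256" not in methods:
        findings.append("PKCE with S256 is not advertised")
    if "plain" in methods:
        findings.append("PKCE 'plain' method advertised (verifier sent in clear)")

    # BCP: the implicit grant (response_type containing 'token') should no
    # longer be used, since it delivers access tokens in the URL fragment.
    for rt in metadata.get("response_types_supported", []):
        if "token" in rt.split():
            findings.append(f"implicit grant advertised via response_type '{rt}'")
            break

    # BCP: the resource owner password credentials grant must not be used.
    if "password" in metadata.get("grant_types_supported", []):
        findings.append("resource owner password credentials grant advertised")

    # BCP: all endpoints must be reachable only over TLS.
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        url = metadata.get(key, "")
        if not url.startswith("https://"):
            findings.append(f"{key} is not an https URL: {url!r}")

    # BCP: access tokens should be sender-constrained. mTLS binding is
    # advertised by RFC 8705's boolean, DPoP by RFC 9449's algorithm list.
    if not metadata.get("tls_client_certificate_bound_access_tokens") and \
            not metadata.get("dpop_signing_alg_values_supported"):
        findings.append("no sender-constrained access tokens (mTLS or DPoP) advertised")

    return findings


# Constructed sample: a server that still offers the legacy, insecure options.
WEAK_METADATA = {
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "http://as.example/token",
    "response_types_supported": ["code", "token", "id_token token"],
    "grant_types_supported": ["authorization_code", "implicit", "password"],
    "code_challenge_methods_supported": ["plain"],
}

# Constructed sample: the same server after applying the Security BCP.
HARDENED_METADATA = {
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "dpop_signing_alg_values_supported": ["ES256"],
}


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_METADATA), ("hardened", HARDENED_METADATA)):
        print(f"{name}: {len(check_security_bcp(doc))} finding(s)")
        for finding in check_security_bcp(doc):
            print("  -", finding)
```

Run against the weak document the checker reports six findings (missing S256, plain PKCE, implicit grant, password grant, a plaintext token endpoint and no sender-constrained tokens); the hardened document yields none. Extending the list is a matter of adding one block per BCP recommendation that has a metadata counterpart; recommendations without one, such as exact redirect URI matching, need an active test.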

Content level

Introductory

Target audience

Anyone who is using OAuth 2.0

Prerequisites

An understanding of OAuth 2.0

Pieter Philippaerts

Research Manager, DistriNet, KU Leuven

Pieter is employed as a research manager at imec-DistriNet, KU Leuven (BE). His main research interests lie in the field of software and web security. Pieter has worked on a range of topics, including software security policy enforcement on mobile devices, protecting native code from memory errors, and formal verification of source code. His current focus is on web security, with a particular interest in the security of (implementations of) authentication and authorization protocols.

Related identity and access management sessions

Introduction to OAuth 2.0 and OpenID Connect

Lecture by Philippe De Ryck

OAuth 2.0 and OIDC are often misunderstood, which leads to implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices for using them.

Identity and access management track, Monday June 13, 09:00 - 10:30

Securing OAuth 2.0 and OpenID Connect in Frontends

Lecture by Philippe De Ryck

Learn why SPAs as OAuth 2.0 clients are inherently insecure, and how moving responsibilities to a lightweight backend with the BFF pattern can offer a solution.

Identity and access management track, Monday June 13, 16:00 - 17:30

OAuth for security critical applications

Lecture by Dr. Torsten Lodderstedt

This session discusses the challenges one faces when protecting security-critical, large-scale APIs with OAuth and presents the design options modern OAuth provides.

Identity and access management track, Tuesday June 14, 14:00 - 15:30

Recent developments in OAuth

Lecture by Dr. Torsten Lodderstedt

This session introduces the audience to a couple of extensions to the OAuth standard that help to build more secure systems in an easier and more interoperable way.

Identity and access management track, Wednesday June 15, 09:00 - 10:30