SecAppDev 2022 Lecture Details

OAuch - Analyzing the security of OAuth 2.0 implementations

Speaker: Pieter Philippaerts

Schedule TBD

Short description

In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.

Abstract

The OAuth 2.0 protocol is a popular and widely adopted authorization protocol. It has been proven secure in a comprehensive formal security analysis, yet new vulnerabilities continue to appear in popular OAuth implementations.

In this presentation, we introduce a tool, called OAuch, that tests and analyzes the security of OAuth authorization servers. We show how the tool works and how it can help you to test and secure your implementations. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.

Key takeaway

Securely implementing and configuring OAuth services is difficult. Follow the OAuth Security Best Current Practices to properly mitigate threats.

Content level

Introductory

Target audience

Anyone who is using OAuth 2.0

Prerequisites

An understanding of OAuth 2.0



Pieter Philippaerts

Research Manager, DistriNet, KU Leuven

Pieter is employed as a research manager at imec-DistriNet, KU Leuven (BE). His main research interests lie in the field of software and web security. Pieter has worked on a range of topics, including software security policy enforcement on mobile devices, protecting native code from memory errors, and formal verification of source code. His current focus is on web security, with a particular interest in the security of (implementations of) authentication and authorization protocols.



Related identity and access management sessions

Introduction to OAuth 2.0 and OpenID Connect

Lecture by Philippe De Ryck

OAuth 2.0 and OIDC are complex, which often results in confusion and implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices for using them.

Identity and access management, schedule TBD

Securing OAuth 2.0 and OpenID Connect in Frontends

Lecture by Philippe De Ryck

Learn why SPAs as OAuth 2.0 clients are inherently insecure, and how moving responsibilities to a lightweight backend with the BFF pattern can offer a solution.

Identity and access management, schedule TBD