SecAppDev 2022 Lecture Details
Analyzing the security of OAuth 2.0 implementations
Pieter Philippaerts
Wednesday June 15, 11:00 - 12:30
Short description
In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.
Abstract
The OAuth 2.0 protocol is a popular and widely adopted authorization protocol. It has been proven secure in a comprehensive formal security analysis, yet new vulnerabilities continue to appear in popular OAuth implementations.
In this presentation, we introduce a tool, called OAuch, that tests and analyzes the security of OAuth authorization servers. We show how the tool works and how it can help you to test and secure your implementations. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.
Key takeaway
Securely implementing and configuring OAuth services is difficult. Follow the OAuth Security Best Current Practices to properly mitigate threats.
Content level
Introductory
Target audience
Anyone who is using OAuth 2.0
Prerequisites
An understanding of OAuth 2.0
Pieter Philippaerts
Research Manager, DistriNet, KU Leuven
Pieter is employed as a research manager at imec-DistriNet, KU Leuven (BE). His main research interests lie in the field of software and web security. Pieter has worked on a range of topics, including software security policy enforcement on mobile devices, protecting native code from memory errors, and formal verification of source code. His current focus is on web security, with a particular interest in the security of (implementations of) authentication and authorization protocols.
Related identity and access management sessions
Introduction to OAuth 2.0 and OpenID Connect
Lecture by Philippe De Ryck
OAuth 2.0 and OIDC are confusing, which often results in confusion and implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices of using them.
Identity and access management Monday June 13, 09:00 - 10:30
Securing OAuth 2.0 and OpenID Connect in Frontends
Lecture by Philippe De Ryck
Learn why SPAs as OAuth 2.0 clients are inherently insecure, and how moving responsibilities to a lightweight backend with the BFF pattern can offer a solution.
Identity and access management Monday June 13, 16:00 - 17:30
OAuth for security critical applications
Lecture by Dr. Torsten Lodderstedt
This session discuss the challenges one faces when protecting security critical and large scale APIs with OAuth and present design options modern OAuth provides us with.
Identity and access management Tuesday June 14, 14:00 - 15:30
Recent developments in OAuth
Lecture by Dr. Torsten Lodderstedt
This session will introduce the audience to a couple of extensions to the OAuth standard that that help to build more secure systems in an easier and more interoperable way.
Identity and access management Wednesday June 15, 09:00 - 10:30