SecAppDev 2022 Lecture Details
OAuch - Analyzing the security of OAuth 2.0 implementations
Pieter Philippaerts
Schedule TBD
Short description
In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.
Abstract
The OAuth 2.0 protocol is a popular and widely adopted authorization protocol. It has been proven secure in a comprehensive formal security analysis, yet new vulnerabilities continue to appear in popular OAuth implementations.
In this presentation, we introduce a tool, called OAuch, that tests and analyzes the security of OAuth authorization servers. We show how the tool works and how it can help you test and secure your own implementations. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.
Key takeaway
Securely implementing and configuring OAuth services is difficult. Follow the OAuth Security Best Current Practices to properly mitigate threats.
Content level
Introductory
Target audience
Anyone who is using OAuth 2.0
Prerequisites
An understanding of OAuth 2.0
Pieter Philippaerts
Research Manager, DistriNet, KU Leuven
Pieter is employed as a research manager at imec-DistriNet, KU Leuven (BE). His main research interests lie in the field of software and web security. Pieter has worked on a range of topics, including software security policy enforcement on mobile devices, protecting native code from memory errors, and formal verification of source code. His current focus is on web security, with a particular interest in the security of (implementations of) authentication and authorization protocols.
Related identity and access management sessions
Introduction to OAuth 2.0 and OpenID Connect
Lecture by Philippe De Ryck
OAuth 2.0 and OIDC are complex, which often results in confusion and implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices for using them.
Identity and access management Schedule TBD