SecAppDev 2022 Lecture Details

Introduction to OAuth 2.0 and OpenID Connect

Philippe De Ryck
Schedule TBD
Short description

OAuth 2.0 and OIDC are complex, which often results in confusion and implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices for using them.


OAuth 2.0 is likely one of the most complex aspects of modern web applications. It is often mistakenly assumed that OAuth 2.0 offers authentication and authorization, while it only offers a delegation mechanism. On top of that, OpenID Connect (OIDC) redefines some of these flows to enable authentication explicitly.

In this session, we will clear up the confusion about OAuth 2.0 and OIDC. We explore how to use OAuth 2.0’s delegation mechanism to enable authorization on a backend. Finally, we will look at using OIDC for end-user authentication with a third-party provider.

Key takeaway

A solid understanding of OAuth 2.0/OIDC best practices and how to effectively use these technologies in your applications.

Content level


Target audience

Anyone designing or building modern web applications and APIs


A basic understanding of how web-based applications work


Philippe De Ryck

Web Security Expert, Pragmatic Web Security

Philippe De Ryck helps developers protect companies through better web security. His Ph.D. in web security from KU Leuven forms the basis of his exceptional knowledge of the security landscape. As the founder of Pragmatic Web Security, Philippe delivers security training and security consulting to companies worldwide. His online course platform allows anyone to learn complex security topics at their own pace. Philippe is a Google Developer Expert and an Auth0 Ambassador for his community contributions on the security of web applications and APIs.


Related identity and access management sessions

Securing OAuth 2.0 and OpenID Connect in Frontends

Lecture by Philippe De Ryck

Learn why SPAs as OAuth 2.0 clients are inherently insecure, and how moving responsibilities to a lightweight backend with the BFF pattern can offer a solution.

Identity and access management Schedule TBD

OAuch - Analyzing the security of OAuth 2.0 implementations

Lecture by Pieter Philippaerts

In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.

Identity and access management Schedule TBD