SecAppDev 2022 Lecture Details

OAuth for security critical applications

Dr. Torsten Lodderstedt
Tuesday June 14, 14:00 - 15:30
Short description

This session discusses the challenges one faces when protecting security critical and large scale APIs with OAuth and presents the design options modern OAuth provides us with.

Abstract

OAuth 2 has long grown beyond the original scope in the area of social networks. Nowadays, it is well established as THE mechanism for protecting access to all kinds of APIs, which includes security critical areas like finance or health.

Based on the experience of the lecturer, this session will discuss the challenges one faces when protecting security critical and large scale APIs with OAuth and present design options modern OAuth provides us with. In this context, the interdependency between security and other important aspects, like performance, modularity and scalability will be discussed.

Key takeaway

OAuth 2 has the necessary features and flexibility to both properly protect security critical APIs while building scalable and performant systems.

Content level

Advanced

Target audience

Developers, architects, security experts

Prerequisites

A basic understanding of OAuth, or even better, practical experience

Dr. Torsten Lodderstedt

CTO, yes.com

Dr.-Ing. Torsten Lodderstedt is CTO of yes.com, a startup building an identity scheme for banks and their customers. Before joining yes.com, he served for a decade in different roles at Deutsche Telekom’s identity team, building and operating large-scale consumer identity services. Torsten has been contributing to identity standards for more than a decade. For example, he is co-author of OAuth 2.1, editor of OpenID Connect for Identity Assurance, co-author of OpenID for Verifiable Credentials, and co-chair of the PoC of the Global Assured Identity Network.


Related identity and access management sessions

Introduction to OAuth 2.0 and OpenID Connect

Lecture by Philippe De Ryck

OAuth 2.0 and OIDC are complex technologies, which often results in confusion and implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices of using them.

Identity and access management | Monday June 13, 09:00 - 10:30

Securing OAuth 2.0 and OpenID Connect in Frontends

Lecture by Philippe De Ryck

Learn why SPAs as OAuth 2.0 clients are inherently insecure, and how moving responsibilities to a lightweight backend with the BFF pattern can offer a solution.

Identity and access management | Monday June 13, 16:00 - 17:30

Analyzing the security of OAuth 2.0 implementations

Lecture by Pieter Philippaerts

In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.

Identity and access management | Wednesday June 15, 11:00 - 12:30

Recent developments in OAuth

Lecture by Dr. Torsten Lodderstedt

This session will introduce the audience to a couple of extensions to the OAuth standard that help to build more secure systems in an easier and more interoperable way.

Identity and access management | Wednesday June 15, 09:00 - 10:30