SecAppDev 2022 Lecture Details

Securing OAuth 2.0 and OpenID Connect in Frontends

Philippe De Ryck
Monday June 13, 16:00 - 17:30
Short description

Learn why SPAs as OAuth 2.0 clients are inherently insecure, and how moving responsibilities to a lightweight backend with the BFF pattern can offer a solution.


Since a few years, Single Page Applications (SPAs) have become first-class citizens in the world of OAuth 2.0 clients. Unfortunately, web frontends still suffer from XSS issues, which may not only compromise the security of the frontend, but also of the entire OAuth 2.0 configuration.

In this session, we take an in-depth look at the consequences of XSS on the security of OAuth 2.0 tokens. Advanced attack scenarios will focus on bypassing OAuth 2.0-specific features, such as Refresh Token Rotation. Towards the end, we elaborate on the Backend-For-Frontend pattern, which offers the best security guarantees for SPAs.

Key takeaway

The best approach to secure a Single Page Application with OAuth 2.0 is by using a Backend-For-Frontend

Content level


Target audience

Anyone designing or building sensitive Single Page Applications that rely on OAuth 2.0 and OpenID Connect


An understanding of OAuth 2.0 and the concepts of JavaScript frontends

Download handouts

Philippe De Ryck

Philippe De Ryck

Web Security Expert, Pragmatic Web Security

Philippe De Ryck helps developers protect companies through better web security. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. As the founder of Pragmatic Web Security, Philippe delivers security training and security consulting to companies worldwide. His online course platform allows anyone to learn complex security topics at their own pace. Philippe is a Google Developer Expert and an Auth0 Ambassador for his community contributions on the security of web applications and APIs.

Full speaker profile

Related identity and access management sessions

Introduction to OAuth 2.0 and OpenID Connect

Lecture by Philippe De Ryck

OAuth 2.0 and OIDC are confusing, which often results in confusion and implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices of using them.

Identity and access management Monday June 13, 09:00 - 10:30

Analyzing the security of OAuth 2.0 implementations

Lecture by Pieter Philippaerts

In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.

Identity and access management Wednesday June 15, 11:00 - 12:30

OAuth for security critical applications

Lecture by Dr. Torsten Lodderstedt

This session discuss the challenges one faces when protecting security critical and large scale APIs with OAuth and present design options modern OAuth provides us with.

Identity and access management Tuesday June 14, 14:00 - 15:30

Recent developments in OAuth

Lecture by Dr. Torsten Lodderstedt

This session will introduce the audience to a couple of extensions to the OAuth standard that that help to build more secure systems in an easier and more interoperable way.

Identity and access management Wednesday June 15, 09:00 - 10:30