SecAppDev 2026 lecture details
OAuth 2.1 Best Practices
A practical and up-to-date overview of OAuth 2.1, covering core concepts, modern security best practices, and key extensions like PAR and DPoP, with guidance on applying them in real-world architectures and preparing for what’s coming next.
Monday June 1st, 16:00 - 17:30
Room Lemaire
Abstract
OAuth 2.1 brings together the current best practices of OAuth 2.0 into a more secure and streamlined baseline, further augmented by security technologies such as PAR and DPoP. In this session, you will get an accurate and timely overview of what OAuth 2.1 means in practice. We revisit the core concepts, highlight key security improvements, and explain how these patterns fit into modern architectures. We also point to emerging developments and upcoming standards to help you stay ahead.
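As an added illustration of two of the patterns named above (not material from the lecture or from the SecAppDev page): the OAuth 2.1 authorization-code flow with a mandatory S256 PKCE challenge and a Pushed Authorization Request, simulated in a single Python process with the standard library only. The toy authorization server, its method names (par_endpoint, authorize, token), the client_id and redirect_uri values and the sample scopes are assumptions made for this example; DPoP binding of the issued token is out of scope here, so the token is returned as a plain Bearer token.

```python
"""Added example: OAuth 2.1 authorization-code flow with PKCE (S256) and PAR,
simulated in-process. Illustrative code written for this page, not the lecture's
material and not a library API; the authorization server is a toy stand-in."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 (PKCE) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # OAuth 2.1 only permits the S256 method; "plain" is gone.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Minimal in-memory stand-in for an authorization server (constructed for
    this example). Endpoint names and storage are assumptions, not a spec."""

    def __init__(self):
        self.pushed = {}  # request_uri -> pushed authorization request parameters
        self.codes = {}   # authorization code -> parameters bound to that code

    def par_endpoint(self, params: dict) -> dict:
        # PAR (RFC 9126): the client POSTs the complete authorization request over
        # the back channel and receives a short-lived, single-use request_uri.
        if params.get("code_challenge_method") != "S256":
            raise ValueError("OAuth 2.1: only S256 code challenges are accepted")
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.pushed[request_uri] = dict(params)
        return {"request_uri": request_uri, "expires_in": 60}

    def authorize(self, client_id: str, request_uri: str) -> dict:
        # The front-channel redirect carries only client_id and request_uri, so the
        # browser never sees (or can tamper with) the real request parameters.
        params = self.pushed.pop(request_uri)  # single use
        if params["client_id"] != client_id:
            raise ValueError("client_id does not match the pushed request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = params
        # Simulated redirect back to the client: code plus the client's own state.
        return {"code": code, "state": params["state"]}

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> dict:
        params = self.codes.pop(code)  # authorization codes are single use
        if redirect_uri != params["redirect_uri"]:
            raise ValueError("redirect_uri mismatch")
        # PKCE: recompute S256(verifier) and compare it with the pushed challenge.
        expected = params["code_challenge"]
        if not secrets.compare_digest(code_challenge_s256(code_verifier), expected):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server: ToyAuthorizationServer, client_id: str = "spa-client",
             redirect_uri: str = "https://app.example/callback") -> dict:
    """Client side of the flow. The verifier and state never leave the client
    until the back-channel token request and the state check respectively."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    par_response = server.par_endpoint({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",          # sample scopes, assumed for the example
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    })
    callback = server.authorize(client_id, par_response["request_uri"])
    if not secrets.compare_digest(callback["state"], state):
        raise ValueError("state mismatch: possible login CSRF")
    tokens = server.token(callback["code"], verifier, redirect_uri)
    return {"request_uri": par_response["request_uri"], "tokens": tokens}


if __name__ == "__main__":
    print(run_flow(ToyAuthorizationServer()))
```

The two checks that matter in practice are both on the server side: the PAR endpoint refuses anything but S256, and the token endpoint rejects a code whose verifier does not hash to the pushed challenge, so an attacker who intercepts the redirect learns a code they cannot redeem.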
Key takeaway
Learn how to apply OAuth 2.1 best practices and supporting technologies to build secure applications and stay aligned with evolving standards.
Content level
Deep-dive
Target audience
Developers and architects designing, building, or securing applications that rely on OAuth.
Prerequisites
None, but familiarity with OAuth 2.0 concepts and flows will be helpful.
Join us for SecAppDev. You will not regret it!
Grab your seat now
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Related lectures
Designing "least-authority" JavaScript apps
Deep-dive lecture by Tom Van Cutsem in room West Wing
Tuesday June 2nd, 16:00 - 17:30
Learn the problems and solutions of combining "trusted" and "untrusted" JavaScript. We introduce secure dialects of JavaScript and practical tools that help to prevent supply-chain attacks from third-party modules.
Key takeaway: Learn how to get "trusted" and "untrusted" JavaScript to safely co-exist in your app.
Secure by Design — Ideas and Techniques
Introductory lecture by Dan Bergh Johnsson and Daniel Deogun in room West Wing
Monday June 1st, 11:00 - 12:30
Security is a design concern, not just an implementation concern. This session shows how domain modelling, type design, and boundary thinking can structurally eliminate entire classes of vulnerability before attackers ever get a chance.
Key takeaway: Security is a quality aspect of software, like maintainability or correctness. Teams that design for quality get security as an emergent benefit.
Model Context Protocol (MCP) Security
Advanced lecture by Jim Manico in room West Wing
Tuesday June 2nd, 11:00 - 12:30
An introduction to the Model Context Protocol (MCP) and its security risks. Covers MCP architecture, threat models, and practical defenses to prevent prompt injection, tool abuse, and data leakage in AI tool integrations.
Key takeaway: Understand MCP risks and apply concrete controls to secure AI tool integrations and prevent prompt injection, tool abuse, and data exfiltration.