YoVDO

OAuth 2.1 and Beyond

Offered By: NDC Conferences via YouTube

Tags

NDC Conferences Courses
OAuth Courses
JWT Courses
Mutual TLS Courses

Course Description

Overview

Explore the evolution of OAuth and its modern security hardening in this NDC Oslo 2020 conference talk. It walks through the OAuth 2.1 draft and the advanced techniques built around it: strong client authentication with private_key_jwt rather than shared secrets, proof-of-possession access tokens, resource indicators, and identity delegation. Learn how authorization requests are hardened by signing them as JWTs (JAR), pushing them to the authorization server ahead of the redirect (PAR), and expressing fine-grained permissions with Rich Authorization Requests (RAR), including how JAR is enabled in IdentityServer. Examine why bearer tokens are weak (whoever obtains one can use it) and how proof of possession via Mutual TLS (MTLS) binds an access token to the client's certificate, producing a sender-constrained token. Gain insights into creating X.509 client certificates, calling the token endpoint with one, exposing MTLS endpoints via server metadata and a web server or proxy such as Nginx, reading the client certificate from a forwarded header, wiring up a certificate authentication handler, enabling MTLS in IdentityServer, and verifying access token ownership at the resource server. By the end of this talk, acquire a practical understanding of OAuth's latest security improvements and where they apply.
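The central point of the talk's second half is the step from bearer tokens to sender-constrained tokens: the authorization server puts the SHA-256 thumbprint of the client's certificate into the token's cnf claim (the x5t#S256 confirmation method from RFC 8705), and the resource server refuses the token unless the TLS connection was authenticated with a certificate that has the same thumbprint. The following is an added example illustrating that check; it is not code from the talk, from IdentityServer, or from any library. To run offline with only the standard library it signs the access token with HS256 under a constructed shared key (a real authorization server signs with an asymmetric key and the resource server verifies against the server's public JWK), stands in a constructed byte string for the DER-encoded client certificate, and uses assumed issuer and audience URLs and assumed function names (issue_token, verify_request, demo).

```python
import base64
import hashlib
import hmac
import json
import time

AUDIENCE = "https://api.example"   # assumed resource server identifier
ISSUER = "https://as.example"      # assumed authorization server identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 confirmation value: base64url(SHA-256(DER certificate)), RFC 8705 section 3.1."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(signing_key: bytes, client_cert_der, scope: str, lifetime: int = 300) -> str:
    """Authorization-server side. With a certificate the token carries a cnf claim
    binding it to that certificate; without one it is a plain bearer token."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "client_id": "mtls-client",
              "scope": scope, "iat": now, "exp": now + lifetime}
    if client_cert_der is not None:
        claims["cnf"] = {"x5t#S256": cert_thumbprint(client_cert_der)}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_request(signing_key: bytes, token: str, presented_cert_der, require_binding: bool = True):
    """Resource-server side. Returns (accepted, reason). presented_cert_der is the DER
    certificate the client authenticated with on the TLS connection, or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":          # pin the algorithm before checking the signature
        return False, "unexpected alg"
    expected = hmac.new(signing_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong issuer or audience"
    if claims.get("exp", 0) <= int(time.time()):
        return False, "token expired"
    bound = (claims.get("cnf") or {}).get("x5t#S256")
    if bound is None:
        # Bearer token: whoever holds it can use it. A sender-constrained API refuses it.
        return (False, "bearer token rejected: no cnf binding") if require_binding else (True, "ok")
    if presented_cert_der is None:
        return False, "no client certificate on the TLS connection"
    if not hmac.compare_digest(bound, cert_thumbprint(presented_cert_der)):
        return False, "client certificate does not match cnf.x5t#S256"
    return True, "ok"


# Constructed demo data; none of it is a real key or certificate.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
CLIENT_CERT_DER = b"constructed stand-in for the legitimate client's DER certificate"
ATTACKER_CERT_DER = b"constructed stand-in for the attacker's DER certificate"


def demo() -> dict:
    """A bound token is only usable over a connection authenticated with the same certificate;
    a stolen bearer token works anywhere that does not insist on a binding."""
    bound = issue_token(SIGNING_KEY, CLIENT_CERT_DER, "api.read")
    bearer = issue_token(SIGNING_KEY, None, "api.read")
    return {
        "bound token, right cert": verify_request(SIGNING_KEY, bound, CLIENT_CERT_DER),
        "bound token, stolen + own cert": verify_request(SIGNING_KEY, bound, ATTACKER_CERT_DER),
        "bound token, stolen, no cert": verify_request(SIGNING_KEY, bound, None),
        "bearer token at a lax API": verify_request(SIGNING_KEY, bearer, ATTACKER_CERT_DER, require_binding=False),
        "bearer token at a strict API": verify_request(SIGNING_KEY, bearer, ATTACKER_CERT_DER),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {case}: {why}")
```

The thumbprint comparison is the whole proof of possession: the certificate never leaves the TLS layer, so an attacker who exfiltrates the token from a log or a proxy still cannot present it without the matching private key. In a deployment where TLS is terminated at a proxy, presented_cert_der is whatever the proxy forwards in a header, which is why the talk spends time on configuring that forwarding and on trusting the header only from the proxy itself.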

Syllabus

Intro
High Security OAuth
Relevant Documents
OAuth 2.1
Rich Authorization Requests (RAR)
Example (2)
Example Authorization Request
JWT Secured Authorization Requests
Enabling JAR in IdentityServer
Pushed Authorization Requests (PAR)
Pushed Authorization Request & Respo
Authorization Request using request_
Shared Secrets
Recommendations
Sending a private_key_jwt
"Proof-of-Possession" History
Weakness of Bearer Tokens
Proof of Possession using MTLS
Mutual TLS
Sender Constrained Access Tokens w
Creating an X.509 Client Certificate
Setting a Client Certificate
Calling the Token Endpoint
MTLS Endpoints
Server Metadata
Choice of Web Server / Proxy
Example: Sub-domains with Nginx
Reading Certificate from Header
Certificate Authentication Handler
Enabling MTLS in IdentityServer
Verifying Access Token Ownership at Rese
Pipeline Overview
Summary


Taught by

NDC Conferences

Related Courses

Health Informatics: Data and Interoperability Standards
Georgia Institute of Technology via edX
Observability with OpenTelemetry and Grafana
Pluralsight
Overcoming Imposter Syndrome
Pluralsight
0-60 in the .NET Framework - Software Development for Formula 1
NDC Conferences via YouTube
Testing - Is This Thing On(line)? Meet Your New Microsoft Testing Tools
NDC Conferences via YouTube