YoVDO

OAuth and Proof of Possession - The Long Way Round

Offered By: NDC Conferences via YouTube

Tags

NDC Conferences Courses OAuth 2.0 Courses Mutual TLS Courses

Course Description

Overview

Explore the evolution and implementation of proof of possession in OAuth 2.0 in this comprehensive conference talk from NDC Oslo 2023. Delve into the controversial decision to omit cryptographic binding of access tokens to owners in the initial OAuth 2.0 specification, and trace the decade-long journey to develop a solution. Examine the history of proof of possession, current implementation methods, and the growing demand for enhanced security features across various industries. Learn about sender constraining techniques, including OAuth Token Binding and OAuth 2.0 Mutual TLS. Gain insights into practical applications, potential drawbacks, and future developments in OAuth security. Conclude with a demo and Q&A session to solidify your understanding of this critical aspect of modern authentication protocols.

Syllabus

Intro
OAuth
Proof of Possession before OAuth
OAuth 1.0 version 1
OAuth 1.0 version 2
New OAuth hashtag
The last passing gift
OAuth Proof of Possession
OAuth Token Binding
The Industry Jumps In
OAuth 2.0 Mutual TLS
Mutual TLS
Mutual TLS in practice
CNF token
Client certificate
Summary
Fast forwarding
Token request
Proof token
Access token
Resource access
JSON token
Token hash
Demo
The downside of DPoP
Questions


Taught by

NDC Conferences
