YoVDO

OAuth2 and OIDC Security Weaknesses and Pitfalls

Offered By: NDC Conferences via YouTube

Tags

Penetration Testing Courses, Authorization Courses, API Security Courses, Vulnerability Assessment Courses

Course Description

Overview

Explore common OAuth2 and OpenID Connect (OIDC) security weaknesses and pitfalls in this conference talk from NDC Security in Oslo. Delve into the evolving best current practices (BCPs) for implementing these protocols and learn why following them doesn't guarantee a secure implementation. Discover insights from real-world penetration tests and security reviews, with a focus on the Backend-for-Frontend (BFF) pattern and its potential vulnerabilities. Examine the risks associated with reverse proxy catch-all routing, OAuth2 clients with extensive scope access, and APIs that rely solely on valid tokens and scopes for authorization. Witness live demonstrations of both attacks and defenses on a locally running OAuth2/OIDC application, gaining practical knowledge to enhance your implementation's security.

Syllabus

OAuth2/OIDC security weaknesses and pitfalls - Tobias Ahnoff & Pontus Hanssen


Taught by

NDC Conferences

Related Courses

Network Security
Georgia Institute of Technology via Udacity
Proactive Computer Security
University of Colorado System via Coursera
Identifying, Monitoring, and Analyzing Risk and Incident Response and Recovery
(ISC)² via Coursera
Hacker101
HackerOne via Independent
CNIT 127: Exploit Development
CNIT - City College of San Francisco via Independent