OpenID Connect & OAuth 2.0 - Security Best Practices
Offered By: NDC Conferences via YouTube
Course Description
Overview
Explore the security best practices for OpenID Connect and OAuth 2.0 in this comprehensive conference talk. Delve into the evolution of these protocols since their initial publication, examining how they've become the standard for API protection and the foundation of OpenID Connect. Learn about the attacks on known implementation weaknesses and anti-patterns, as well as how changing technology has expanded their usage to new use cases and higher security environments. Discover the IETF's "Best Current Practices" (BCPs) that update the original specifications and threat models, providing more prescriptive guidance. Gain insights into topics such as the simplified attack model, implicit flow, machine-to-machine communication, client authentication, and sender-constrained access tokens. Examine interactive applications, redirect URI validation attacks, credential leakage, and authorization code injection. Understand mitigation strategies like Proof Key for Code Exchange (PKCE) and countermeasures for various attacks, including the Mix Up attack. Explore anti-patterns like native login dialogs and learn about different approaches for browser-based applications. Dive into anti-forgery protection, refresh token storage in browsers, and get a glimpse of what's next in the world of OpenID Connect and OAuth 2.0 security.
Syllabus
Intro
Some Context...
Simplified
Attack Model (3)
Implicit Flow Request
Implicit Flow Response
Grand Unification
Machine to Machine
Client Authentication
Sender Constrained Access Tokens w/ MTLS
Interactive Applications
Redirect URI Validation Attacks
Credential Leakage via Referrer Headers
Authorization Code Injection
Mitigation: Proof key for Code Exchange
Countermeasures Summary
Mix Up Attack (Variant 1)
Mix Up Countermeasures
How does ASP.NET Core prevent Mix Up Attacks?
Anti Pattern: Native Login Dialogs
Using a browser with Code Flow + PKCE
Different Approaches
Browser-based Applications (aka SPAs)
Anti-Forgery Protection
Refresh Token Storage in Browsers
What's next?
Taught by
NDC Conferences
Related Courses
Microservices: Security (LinkedIn Learning)
Web Security: OAuth and OpenID Connect (LinkedIn Learning)
Securing ASP.NET Core 6 with OAuth2 and OpenID Connect (Pluralsight)
Authentication and Authorization in PHP (Pluralsight)