YoVDO

OpenID Connect & OAuth 2.0 - Security Best Practices

Offered By: NDC Conferences via YouTube

Tags

NDC Conferences Courses
OAuth Courses
OpenID Connect (OIDC) Courses

Course Description

Overview

Explore the security best practices for OpenID Connect and OAuth 2.0 in this conference talk. It traces how these protocols have evolved since their initial publication, becoming the standard for API protection and the foundation of OpenID Connect. It covers attacks on known implementation weaknesses and anti-patterns, and how changing technology has extended the protocols to new use cases and higher-security environments. It introduces the IETF's "Best Current Practices" (BCPs), which update the original specifications and threat models with more prescriptive guidance. Topics include the simplified attack model, the implicit flow, machine-to-machine communication, client authentication, and sender-constrained access tokens. For interactive applications, the talk examines redirect URI validation attacks, credential leakage, and authorization code injection, along with mitigations such as Proof Key for Code Exchange (PKCE) and countermeasures for the Mix Up attack. It also discusses anti-patterns such as native login dialogs, the different approaches available to browser-based applications, anti-forgery protection, refresh token storage in browsers, and what's next for OpenID Connect and OAuth 2.0 security.

Syllabus

Intro
Some Context...
Simplified
Attack Model (3)
Implicit Flow Request
Implicit Flow Response
Grand Unification
Machine to Machine
Client Authentication
Sender Constrained Access Tokens w/ MTLS
Interactive Applications
Redirect URI Validation Attacks
Credential Leakage via Referrer Headers
Authorization Code Injection
Mitigation: Proof key for Code Exchange
Countermeasures Summary
Mix Up Attack (Variant 1)
Mix Up Countermeasures
How does ASP.NET Core prevent Mix Up Attacks?
Anti Pattern: Native Login Dialogs
Using a browser with Code Flow + PKCE
Different Approaches
Browser-based Applications (aka SPAs)
Anti-Forgery Protection
Refresh Token Storage in Browsers
What's next?

Taught by

NDC Conferences

Related Courses

Microservices: Security
LinkedIn Learning
Web Security: OAuth and OpenID Connect
LinkedIn Learning
Securing ASP.NET Core 6 with OAuth2 and OpenID Connect
Pluralsight
Authentication and Authorization in PHP
Pluralsight