OpenID Connect & OAuth 2.0 - Security Best Practices

Explore OAuth 2.0 and OpenID Connect security best practices in this comprehensive NDC Oslo 2020 conference talk. Delve into the evolution of these protocols since their initial publication, examining known implementation weaknesses, anti-patterns, and emerging use cases in high-security environments. Learn about the IETF's Best Current Practices (BCPs) that update original specifications and threat models. Gain insights into topics such as high-security OAuth, attack models, flow modifications, client authentication, bearer tokens, and mitigation strategies for various security vulnerabilities. Discover the latest developments in OAuth 2.1 and understand how to implement robust security measures for API protection and identity management in modern applications.

Intro
High Security OAuth
Some Context...
Relevant Documents
The Big Picture
Simplified
Attack Model (3)
Implicit Flow Request
Implicit Flow Response
No more Password Grant
Original Flows
Grand Unification
Machine to Machine
Client Authentication
Bearer Tokens
Interactive Applications
Redirect URI Validation Attacks
Credential Leakage via Referrer Heade
Authorization Code Injection
Mitigation: Proof key for Code Exchan
Cross Site Request Forgery
Countermeasures Summary
MixUp Attack (Variant 1)
Mix Up Countermeasures
Public Clients
Anti Pattern: Native Login Dialogs
Using a browser with Code Flow + PKG
Different Approaches
Token Storage & Management
Browser-based Applications aka SPA
Same-Site Architecture
Anti-Forgery Protection
Access Token Storage in Browsers
OAuth 2.1