YoVDO

The Insecurity of OAuth 2.0 in Frontends

Offered By: NDC Conferences via YouTube

Tags

NDC Conferences Courses, Cross-Site Scripting (XSS) Courses, OAuth 2.0 Courses, Threat Modeling Courses

Course Description

Overview

Explore the vulnerabilities of OAuth 2.0 in frontend applications through this comprehensive conference talk from NDC Security 2023. Delve into the often underestimated power of Cross-Site Scripting (XSS) attacks and their impact on OAuth 2.0 security mechanisms. Examine real-world attacker capabilities and learn how to map them against concrete threat models. Discover the limitations of common security measures like refresh token rotation and token isolation in workers when facing sophisticated XSS attacks. Gain insights into structural solutions such as the Backend-for-Frontend pattern and their effectiveness in enhancing frontend application security. By the end of this 57-minute session, acquire the knowledge necessary to evaluate the security of your frontend applications and implement appropriate defense strategies against OAuth 2.0 vulnerabilities.

Syllabus

The insecurity of OAuth 2.0 in frontends - Philippe de Ryck - NDC Security 2023


Taught by

NDC Conferences

Related Courses

Complete Website Ethical Hacking and Penetration Testing - Udemy
Website Hacking / Penetration Testing - Udemy
Bug Bounty - Web Application Penetration Testing B|WAPT - Udemy
ASP.NET Core: Security - LinkedIn Learning
Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals - EC-Council via FutureLearn