
OpenID Connect & OAuth 2.0 - Security Best Practices

NDC Conferences via YouTube

Overview

This course covers security best practices for the OpenID Connect and OAuth 2.0 protocols. The learning outcomes include understanding the updated threat model, common implementation weaknesses, and the prescriptive guidance in the IETF's OAuth 2.0 "Best Current Practice" for security. The course teaches skills such as implementing Proof Key for Code Exchange (PKCE), sender-constrained access tokens using mutual TLS (MTLS), and mitigating attacks such as authorization code injection. The teaching method is an overview of the Best Current Practice followed by in-depth discussion of specific topics. The intended audience is developers, security professionals, and anyone working on API protection or in higher-security environments.

Syllabus

Intro
Some Context...
Simplified
Attack Model (1)
Implicit Flow Request
Implicit Flow Response
No more Password Grant
Grand Unification
Machine to Machine
Client Authentication
Sender Constrained Access Tokens w/ MTLS
Interactive Applications
Redirect URI Validation Attacks
Credential Leakage via Referrer Headers
Authorization Code Injection
Mitigation: Proof Key for Code Exchange
Countermeasures Summary
Mix Up Attack (Variant 1)
How does ASP.NET Core prevent Mix Up Attacks?
Public Clients
Anti Pattern: Native Login Dialogs
Using a browser with Code Flow + PKCE
Different Approaches
Anti-Forgery Protection
Refresh Token Storage in Browsers
What's next?
JWT Secured Authorization Requests (JAR)
Pushed Authorization Requests (1)

Taught by

NDC Conferences
