Overview
Explore a comprehensive security conference talk that delves into the vulnerabilities and potential exploits within OpenID Connect (OIDC) implementations in cloud environments. Learn the fundamentals of OIDC, including its core components and the interactions between the different entities involved, particularly in CI/CD workflows. Discover various attack vectors stemming from misconfigurations and under-configurations, from both the user's and the Identity Provider's perspective. Examine real-world examples of security vulnerabilities, including a significant finding in a major CI vendor that enabled unauthorized access to customer cloud environments. Understand the security implications of OIDC as organizations transition from static credentials to this more modern authentication method, with practical demonstrations of how seemingly secure configuration options can lead to system compromise. Gain insights into how OIDC tokens leaked from a single repository can be leveraged to access private clouds, and understand the security implications of Identity Provider misconfigurations.
Syllabus
DEF CON 32 - OH MY DC: Abusing OIDC all the way to your cloud - Aviad Hahami
Taught by
DEFCONConference