Overview
Syllabus
Intro
Some Context...
Simplified
Attack Model (3)
Implicit Flow Request
Implicit Flow Response
Grand Unification
Machine to Machine
Client Authentication
Sender-Constrained Access Tokens with mTLS
Interactive Applications
Redirect URI Validation Attacks
Credential Leakage via Referrer Headers
Authorization Code Injection
Mitigation: Proof Key for Code Exchange (PKCE)
Countermeasures Summary
Mix-Up Attack (Variant 1)
Mix-Up Countermeasures
How does ASP.NET Core prevent Mix-Up Attacks?
Anti-Pattern: Native Login Dialogs
Using a browser with Code Flow + PKCE
Different Approaches
Browser-based Applications (aka SPAs)
Anti-Forgery Protection
Refresh Token Storage in Browsers
What's next?
Taught by
NDC Conferences