OpenID Connect & OAuth 2.0 - Security Best Practices

Explore the security best practices for OpenID Connect and OAuth 2.0 in this comprehensive conference talk. Delve into the evolution of these protocols since their initial publication, examining how they've become the standard for API protection and the foundation of OpenID Connect. Learn about the attacks on known implementation weaknesses and anti-patterns, as well as how changing technology has expanded their usage to new use cases and higher security environments. Discover the IETF's "Best Current Practices" (BCPs) that update the original specifications and threat models, providing more prescriptive guidance. Gain insights into topics such as the simplified attack model, implicit flow, machine-to-machine communication, client authentication, and sender-constrained access tokens. Examine interactive applications, redirect URI validation attacks, credential leakage, and authorization code injection. Understand mitigation strategies like Proof Key for Code Exchange (PKCE) and countermeasures for various attacks, including the Mix Up attack. Explore anti-patterns like native login dialogs and learn about different approaches for browser-based applications. Dive into anti-forgery protection, refresh token storage in browsers, and get a glimpse of what's next in the world of OpenID Connect and OAuth 2.0 security.