Overview
Syllabus
Intro
Some Context...
Simplified
Attack Model (1)
Implicit Flow Request
Implicit Flow Response
No more Password Grant
Grand Unification
Machine to Machine
Client Authentication
Sender Constrained Access Tokens w/ MTLS
Interactive Applications
Redirect URI Validation Attacks
Credential Leakage via Referrer Headers
Authorization Code Injection
Mitigation: Proof key for Code Exchange
Countermeasures Summary
Mix Up Attack (Variant 1)
How does ASP.NET Core prevent Mix Up Attacks?
Public Clients
Anti Pattern: Native Login Dialogs
Using a browser with Code Flow + PKCE
Different Approaches
Anti-Forgery Protection
Refresh Token Storage in Browsers
What's next?
JWT Secured Authorization Requests (JAR)
Pushed Authorization Requests (1)
Taught by
NDC Conferences