OpenID Connect & OAuth 2.0 - Security Best Practices

Explore the latest security best practices for OpenID Connect and OAuth 2.0 in this comprehensive conference talk. Delve into the evolution of these protocols since their initial publication, examining how they've become the standard for API protection and the foundation of OpenID Connect. Learn about the attacks targeting known implementation weaknesses and anti-patterns, and discover how technology changes have expanded their usage to new use cases and higher security environments. Gain valuable insights into the IETF's "Best Current Practices" (BCPs) that update the original specifications and threat models, providing more prescriptive guidance. Examine topics such as simplified attack models, the elimination of password grants, machine-to-machine authentication, sender-constrained access tokens, and interactive applications. Understand crucial security considerations including redirect URI validation attacks, credential leakage prevention, and authorization code injection mitigation techniques. Explore countermeasures for mix-up attacks, public client security, and anti-forgery protection. Discover the future of OAuth 2.0 and OpenID Connect, including JWT Secured Authorization Requests (JAR) and Pushed Authorization Requests.