High-security & Interoperable OAuth 2: What’s the Latest?

Combined Session
Thursday, June 06, 2024 18:10—18:30
Location: B 09

OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has historically been difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last six years working to improve the state of the art and will present the latest developments in the field.

Achieving high security and interoperability with OAuth 2 is challenging: there are many potential threats, some of which are not part of the original OAuth threat model. For seamless authorizations, optionality must be minimized both in OAuth itself and in any extensions used.

Seven years ago, the IETF OAuth working group began work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.

We will help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and security using techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS, discussing the benefits and potential disadvantages of each. We highlight the benefits for implementers and the role of conformance testing tools.

Dr. Daniel Fett
Security and Standardization Expert
Authlete
Daniel holds a Ph.D. in Computer Science for the development of new methods for analyzing the security of web standards. Leveraging this background, he has worked for the past several years to...
Joseph Heenan
CTO
Authlete Inc
Joseph is a software engineer & architect with over 25 years’ experience, who started writing mobile apps before mobile apps existed. He contributes to IETF and OpenID Foundation working...