Session Abstract: OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has historically been difficult to meet very high security and interoperability requirements when using OAuth. The presenters have spent much of the last five years working to improve the state of OAuth and will discuss what is happening in the field.
Achieving high security and interoperability with OAuth 2 is challenging: there are many potential threats, some of which were not part of the original OAuth threat model. Six years ago, the IETF OAuth working group began documenting security best practices, most recently for OAuth 2.1. Meanwhile, the OpenID Foundation created the FAPI1 and FAPI2 security profiles.
This presentation will help attendees understand the best practices documents. We will also demonstrate how to achieve on-the-wire interoperability and security through techniques such as asymmetric client authentication and sender-constraining via DPoP and MTLS, and we will discuss the benefits and potential disadvantages of each. We highlight the benefits for implementers and the role of conformance testing tools.