PAR: Securing the OAuth and OpenID Connect Front-Channel - Dominick Baier - NDC Security 2024

Description: Discover how to secure the OAuth and OpenID Connect front-channel with PAR, a simple solution that provides strong security benefits and reduces the attack surface.

Key takeaways
  • The OAuth and OpenID Connect front-channel, the authorization request that the browser carries from the client to the authorization server, is the part of the protocol that needs hardening.
  • Request parameters sent over the front-channel pass through the user agent and can be manipulated on the way, enabling attacks such as redirect URI manipulation and abuse of reverse proxies deployed in front of the authorization server.
  • Pushed Authorization Requests (PAR, RFC 9126) let the client authenticate and push the authorization request parameters directly to the authorization server over the back-channel before the browser is redirected; the front-channel then carries only the client ID and a reference (the request_uri), so there is nothing left in the URL to tamper with.
  • PAR is a short, simple spec that is easy to implement yet provides strong security benefits; the ratio of added complexity to security gain is good.
  • Implementing PAR reduces the attack surface and prevents common attacks such as redirect URI manipulation.
  • Pushed authorization is not a novel idea: the talk traces the concept back to around 2010. It is now officially published and implemented by several vendors, and the talk notes adoption by Microsoft in Azure AD.
  • PAR works with both OAuth and OpenID Connect and can be used by browser-based as well as mobile clients.
  • The presentation includes a demo of an OAuth/OpenID Connect client that uses PAR and discusses the benefits of adopting it.
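To make the front-channel argument concrete, the following is an added example (not code from the talk or from any product it mentions): a stdlib-only Python simulation of the PAR exchange with both sides, an in-memory authorization server exposing a PAR endpoint and an authorize endpoint, a client that pushes its request and builds the short front-channel URL, and an attacker who tries the manipulations the talk describes. The client registration, the secret, the redirect URIs and the hostnames are constructed values. The server's policy of rejecting any front-channel parameter other than client_id and request_uri is this example's choice for illustrating why tampering has nothing to grab onto.

```python
"""Simulation of OAuth 2.0 Pushed Authorization Requests (RFC 9126).

Added example, not from the talk. Constructed client registration, secret and
URLs; everything is in memory, no network, so it runs offline.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Prefix used for request_uri values in the RFC 9126 examples.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class AuthorizationServer:
    def __init__(self):
        # Constructed registration: one confidential client, one allowed redirect URI.
        self.clients = {
            "web-app": {
                "secret": "s3cr3t-example",
                "redirect_uris": {"https://app.example/callback"},
            }
        }
        self.pushed = {}  # request_uri -> (client_id, params, expiry)

    def par_endpoint(self, client_id, client_secret, params, lifetime=60):
        """Back-channel: the authenticated client pushes its authorization request."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return 401, {"error": "invalid_client"}
        # All validation happens here, before any browser is involved.
        if params.get("redirect_uri") not in client["redirect_uris"]:
            return 400, {"error": "invalid_request",
                         "error_description": "redirect_uri not registered"}
        if params.get("response_type") != "code" or "code_challenge" not in params:
            return 400, {"error": "invalid_request"}
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self.pushed[request_uri] = (client_id, dict(params), time.time() + lifetime)
        return 201, {"request_uri": request_uri, "expires_in": lifetime}

    def authorize(self, query_string):
        """Front-channel: this example accepts only client_id and request_uri."""
        q = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
        extra = set(q) - {"client_id", "request_uri"}
        if extra:  # anything else in the URL is rejected, so it cannot be manipulated
            return 400, {"error": "invalid_request",
                         "error_description": f"unexpected parameters: {sorted(extra)}"}
        entry = self.pushed.pop(q.get("request_uri"), None)  # pop enforces single use
        if entry is None:
            return 400, {"error": "invalid_request_uri"}
        client_id, params, expiry = entry
        if client_id != q.get("client_id") or time.time() > expiry:
            return 400, {"error": "invalid_request_uri"}
        # A real server would now authenticate the user; we return the resolved request.
        return 200, {"client_id": client_id, **params}


def client_flow(as_, client_id, client_secret, params):
    """Client side: push the parameters, then build the short front-channel URL."""
    status, body = as_.par_endpoint(client_id, client_secret, params)
    if status != 201:
        return status, body, None
    url = "https://as.example/authorize?" + urlencode(
        {"client_id": client_id, "request_uri": body["request_uri"]})
    return status, body, url


def demo():
    """Runs the legitimate flow and the attacker's attempts; returns the outcomes."""
    as_ = AuthorizationServer()
    params = {  # constructed authorization request
        "response_type": "code", "redirect_uri": "https://app.example/callback",
        "scope": "openid", "state": secrets.token_urlsafe(16),
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256",
    }
    results = {}
    # Attacker without the client secret cannot push a request for this client.
    results["attacker_par"] = as_.par_endpoint("web-app", "wrong", params)[0]
    # Even the real client cannot push an unregistered redirect_uri.
    results["bad_redirect_push"] = as_.par_endpoint(
        "web-app", "s3cr3t-example", {**params, "redirect_uri": "https://evil.example/"})[0]
    # Legitimate client pushes and gets a URL carrying only client_id and request_uri.
    _, _, url = client_flow(as_, "web-app", "s3cr3t-example", params)
    query = url.split("?", 1)[1]
    # Attacker appends a redirect_uri to the front-channel URL: rejected, request_uri untouched.
    results["tampered_front_channel"] = as_.authorize(
        query + "&redirect_uri=https%3A%2F%2Fevil.example%2F")[0]
    # The untouched URL resolves to exactly the pushed parameters.
    status, resolved = as_.authorize(query)
    results["legit"] = (status, resolved["redirect_uri"])
    # Replaying the same request_uri fails (single use), as does guessing one.
    results["replay"] = as_.authorize(query)[0]
    results["forged"] = as_.authorize(urlencode(
        {"client_id": "web-app", "request_uri": REQUEST_URI_PREFIX + "guess"}))[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the simulation makes is structural: because redirect_uri, scope, state and the PKCE challenge never appear in the browser-visible URL, a proxy or a malicious link cannot alter them, and the only values that do appear (client_id and an unguessable, single-use request_uri) are validated against what the authenticated client pushed.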