The insecurity of OAuth 2.0 in frontends - Philippe de Ryck - NDC Security 2023
Explore the security risks of OAuth 2.0 in front-end applications, including XSS and token exfiltration attacks, and learn about emerging patterns like Backend for Front-end (BFF) to improve security.
- OAuth 2.0 is insecure in front-end applications due to cross-site scripting (XSS) and token exfiltration attacks
- OAuth 2.0 uses a combination of authorization code flow and refresh token flow, which can be vulnerable to attacks
- Refresh token rotation is a common technique used to counter attacks, but it’s not foolproof
- Browser-based applications can use a backend for front-end (BFF) to improve security, but it’s not always possible
- Service workers can be used to improve security, but they have their own challenges and limitations
- It’s possible to implement a BFF, but it’s not always necessary
- OAuth 2.0 is not suitable for browser-only applications due to its vulnerabilities
- Cross-site request forgery (CSRF) attacks can be used to exploit OAuth 2.0 vulnerabilities
- Refresh token rotation is not always effective against attacks
- OAuth 2.0 is not secure by itself and requires additional security measures to ensure its integrity
- Backend for front-end (BFF) is an emerging pattern to improve security, but it needs more research and development to become widely accepted
- Cross-site scripting (XSS) is a common attack vector that can be used to exploit OAuth 2.0 vulnerabilities
- Refresh tokens can be used to access APIs, but they require careful management and security measures to prevent abuse
- It’s possible to use a combination of authorization code flow and refresh token flow to improve security, but it’s not always necessary
- OAuth 2.0 has its own benefits and drawbacks, and it’s not always suitable for every application
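The bullets above state that refresh token rotation counters token exfiltration but is not foolproof. The following Python simulation, added here as an illustration and not code from the talk or from any library, shows why. It models an in-memory authorization server that rotates refresh tokens per "token family" and revokes the whole family when an already-rotated token is presented again. The two scenario functions are constructed: one where the legitimate client refreshes first and the stale copy is rejected, and one where a copy is presented before the legitimate client refreshes, so the server cannot distinguish it from the real client until the next legitimate refresh trips detection. All class, function and field names are this example's own.

```python
"""Refresh token rotation with reuse detection (added example, not from the talk).

Assumptions: a single in-memory authorization server, opaque random tokens,
and no expiry handling; only the rotation/reuse logic is modelled.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TokenFamily:
    """State for one chain of rotated refresh tokens."""
    current: str          # the only refresh token in this family that is still valid
    revoked: bool = False  # set when reuse of a rotated token is detected


class AuthorizationServer:
    """Minimal model of the refresh-token endpoint with rotation and reuse detection."""

    def __init__(self) -> None:
        self.families: dict[str, TokenFamily] = {}  # family_id -> family state
        self.token_index: dict[str, str] = {}       # refresh token -> family_id

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(32)

    def issue_initial(self) -> Tuple[str, str]:
        """Models the end of an authorization code exchange: returns (access, refresh)."""
        family_id = secrets.token_hex(8)
        refresh = self._new_token()
        self.families[family_id] = TokenFamily(current=refresh)
        self.token_index[refresh] = family_id
        return self._new_token(), refresh

    def refresh(self, presented: str) -> Optional[Tuple[str, str]]:
        """Rotate the refresh token; return (access, new_refresh) or None on rejection."""
        family_id = self.token_index.get(presented)
        if family_id is None:
            return None  # unknown token
        family = self.families[family_id]
        if family.revoked:
            return None  # family already killed by an earlier reuse detection
        if presented != family.current:
            # A token that was already rotated is being presented again. The server
            # cannot tell whether this is the real client or a copy of the token,
            # so the safe response is to revoke the entire family.
            family.revoked = True
            return None
        new_refresh = self._new_token()
        family.current = new_refresh
        self.token_index[new_refresh] = family_id
        return self._new_token(), new_refresh


def scenario_rotation_detects_replay() -> dict:
    """Constructed scenario: the legitimate client refreshes first, then a stale copy is replayed."""
    srv = AuthorizationServer()
    _, rt1 = srv.issue_initial()
    copied = rt1                       # constructed: a copy of rt1 held by a second party
    _, rt2 = srv.refresh(rt1)          # legitimate client rotates: rt1 is now stale
    replay = srv.refresh(copied)       # stale copy presented -> rejected, family revoked
    follow_up = srv.refresh(rt2)       # legitimate client is locked out too (must re-authenticate)
    return {"replay_rejected": replay is None, "family_revoked": follow_up is None}


def scenario_rotation_is_not_foolproof() -> dict:
    """Constructed scenario: the copy is presented before the legitimate client refreshes."""
    srv = AuthorizationServer()
    _, rt1 = srv.issue_initial()
    copied = rt1                       # constructed: a copy of rt1 held by a second party
    copy_result = srv.refresh(copied)  # looks like a valid rotation; tokens are issued
    legit_result = srv.refresh(rt1)    # real client now presents a stale token -> detection
    copy_rt_after = None
    if copy_result is not None:
        copy_rt_after = srv.refresh(copy_result[1])  # revoked family: copy's new token is dead too
    return {
        "copy_got_tokens": copy_result is not None,
        "detected_on_legit_refresh": legit_result is None,
        "copy_cut_off_after_detection": copy_rt_after is None,
    }


if __name__ == "__main__":
    print(scenario_rotation_detects_replay())
    print(scenario_rotation_is_not_foolproof())
```

The second scenario is the gap the talk points at: rotation limits how long a copied token stays useful and guarantees detection on the next legitimate refresh, but it does not prevent the copy from being exchanged once, and detection costs the legitimate session as well. Keeping tokens out of the browser entirely, as the BFF pattern does, removes that window rather than shortening it.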