The Secrets of Advanced OAuth 2.0 • Aaron Parecki & Eric Johnson

Discover the secrets of advanced OAuth 2.0 with experts Aaron Parecki and Eric Johnson, including secure grant flows, CSRF prevention, and best practices for implementing OAuth servers and handling client secrets.

Key takeaways
  • OAuth is often misunderstood; most of its complexity comes from the need for a secure grant flow that lets a user delegate access to their data without handing a third-party application their password.
  • Authentication and authorization are different concepts: authentication establishes who you are, authorization establishes what you are allowed to access. OAuth is an authorization protocol.
  • OAuth 2.0 is built around grants, each describing a different authorization flow; the authorization_code grant is the most common one and the one to use for user-facing applications.
  • OAuth 2.0 with the state parameter and PKCE is more secure than OAuth 1.0; those two mechanisms are what make the modern authorization_code grant robust.
  • The state parameter is an unguessable random string that the client generates, stores in the user's session and sends in the authorization request; when the user is redirected back, the client compares the returned state with the stored one and rejects the callback on a mismatch, because it was not started by this session. This is the client's CSRF protection.
  • PKCE (Proof Key for Code Exchange, often pronounced "pixy") binds the authorization code to the client instance that requested it: the client sends a hash of a fresh secret (the code_challenge) when it starts the flow and the secret itself (the code_verifier) when it redeems the code, so an intercepted or injected code is useless on its own. It is recommended for every OAuth server, for confidential clients as well as public ones.
  • Public clients such as single-page apps and native apps cannot keep a client secret, and PKCE is what makes the authorization_code grant safe for them. Confidential clients, those with a backend that can keep a secret, should still authenticate with their client secret at the token endpoint; PKCE complements client authentication rather than replacing it.
  • Open redirectors are a risk: the authorization server must validate redirect_uri by exact match against the registered value, because any redirect that a registered host can be tricked into performing becomes a way to leak authorization codes.
  • An OAuth server that is not implemented carefully can be abused in phishing attacks; its job is to protect user data, so every check above belongs on the server side as well as in the client.
  • Keep the flow off the browser where possible: the recommendation is to have a backend server handle the code exchange so that the client secret and the tokens never reach client-side code.
  • Access tokens expire; refresh tokens should be used to obtain new access tokens rather than sending the user through the flow again.
  • Bearer tokens grant access to whoever presents them, so they are not suitable for every scenario and must be stored and transmitted carefully.
  • Understanding these basics is the prerequisite for implementing OAuth securely.
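The authorization_code flow with PKCE, state and exact redirect_uri matching, put together as an added example for this summary; it is not code from the talk or from the speakers. Both sides are simulated in one process: a minimal in-memory authorization server and a client class, with a public client ("spa") and a confidential client ("web") whose registrations, redirect URIs and secret are constructed for the demo. `run_demo()` completes the flow for the public client and then shows the checks refusing a callback delivered to a session that never started it, an authorization code redeemed without its code_verifier, a confidential client that omits its secret, and an unregistered redirect_uri.

```python
import base64
import hashlib
import secrets
from contextlib import suppress
from urllib.parse import parse_qs, urlencode, urlparse


def s256(code_verifier: str) -> str:
    """S256 code_challenge: base64url(SHA-256(code_verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"redirect_uris": [...], "secret": str or None}
        self.codes = {}         # authorization code -> what it was bound to when issued

    def authorize(self, params):
        """Front channel: validate the request, return the redirect URL carrying the code."""
        client = self.clients.get(params.get("client_id"))
        # Exact match only; prefix or wildcard matching lets an open redirector on a registered host leak codes.
        if client is None or params.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("PKCE with S256 is required for every client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "code_challenge": params["code_challenge"], "used": False}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, form):
        """Back channel: redeem a code for tokens only if every binding still holds."""
        rec = self.codes.get(form.get("code"))
        if rec is None or rec["used"]:
            raise ValueError("invalid or already-used code")
        rec["used"] = True  # single use, whether or not the remaining checks pass
        if (rec["client_id"], rec["redirect_uri"]) != (form.get("client_id"), form.get("redirect_uri")):
            raise ValueError("code was issued to a different client or redirect_uri")
        secret = self.clients[rec["client_id"]]["secret"]
        if secret is not None and not secrets.compare_digest(secret, form.get("client_secret", "")):
            raise ValueError("client authentication failed")  # confidential clients must prove identity
        if not secrets.compare_digest(s256(form.get("code_verifier", "")), rec["code_challenge"]):
            raise ValueError("PKCE verification failed")  # a stolen code is useless without the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}


class Client:
    def __init__(self, server, client_id, redirect_uri, secret=None):  # secret=None: public client
        self.server, self.client_id, self.redirect_uri, self.secret = server, client_id, redirect_uri, secret
        self.pending = {}  # state -> code_verifier, held in this user's session only

    def start(self):
        verifier = secrets.token_urlsafe(32)  # 43 base64url chars from a CSPRNG: a valid code_verifier
        state = secrets.token_urlsafe(16)     # unguessable and fresh for every login attempt
        self.pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": state, "code_challenge": s256(verifier), "code_challenge_method": "S256"}

    def finish(self, callback_url):
        """Handle the redirect back: check state, then redeem the code with the verifier."""
        q = parse_qs(urlparse(callback_url).query)
        verifier = self.pending.pop(q.get("state", [""])[0], None)
        if verifier is None:
            raise ValueError("state mismatch: this session never started that request (CSRF)")
        form = {"grant_type": "authorization_code", "code": q["code"][0], "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "code_verifier": verifier}
        if self.secret is not None:
            form["client_secret"] = self.secret
        return self.server.token(form)


def rejected(fn):
    with suppress(ValueError):
        fn()
        return False
    return True


def run_demo():  # public client's happy path, then four attacks the checks above stop
    server = AuthorizationServer({  # constructed registrations for this example
        "spa": {"redirect_uris": ["https://app.example/cb"], "secret": None},
        "web": {"redirect_uris": ["https://web.example/cb"], "secret": "secret-from-registration"}})
    spa = Client(server, "spa", "https://app.example/cb")
    web = Client(server, "web", "https://web.example/cb", "secret-from-registration")
    callback = server.authorize(spa.start())
    sq = parse_qs(urlparse(server.authorize(spa.start())).query)
    stolen = {"grant_type": "authorization_code", "code": sq["code"][0], "client_id": "spa",
              "redirect_uri": "https://app.example/cb", "code_verifier": "attacker-guess"}
    wq = parse_qs(urlparse(server.authorize(web.start())).query)
    no_secret = {"grant_type": "authorization_code", "code": wq["code"][0], "client_id": "web",
                 "redirect_uri": "https://web.example/cb", "code_verifier": web.pending[wq["state"][0]]}
    bad_redirect = dict(spa.start(), redirect_uri="https://app.example/cb/../../attacker")
    return {"token": spa.finish(callback),  # happy path: state matches, verifier proves possession
            "csrf_login": rejected(lambda: Client(server, "spa", "https://app.example/cb").finish(callback)),
            "stolen_code_without_verifier": rejected(lambda: server.token(stolen)),
            "confidential_client_without_secret": rejected(lambda: server.token(no_secret)),
            "unregistered_redirect_uri": rejected(lambda: server.authorize(bad_redirect))}
```

In a real deployment the client's `pending` map lives in the server-side session, the authorization request is a browser redirect and the token request is an HTTPS POST; the checks are the same. `s256()` can be verified against the test vector in RFC 7636 Appendix B (code_verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` gives code_challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`).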