AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Back To Schedule
Thursday, January 23 • 10:20am - 10:45am
Lightning Talk: OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
OAuth 2.0 is an authorization framework that enables third party applications to obtain temporary limited authorization to access a protected resource on behalf of a resource owner. The framework is defined by authorization interactions that are each restricted to the type of client obtaining authorization and the type resource owner that must grant access. Diverging from these defined restricted interactions can open up various interception and redirect attack vectors that can grant a malicious actor access to protected resources. For this talk, we will be discussing Public Clients vs Confidential Clients, User Authentication vs Client Authentication, Proof Key for Code Exchange (PKCE) for Public Clients, and how restricting certain OAuth flows to either Public or Confidential Clients is required to mitigate unauthorized access to protected resources.

avatar for Pak Foley

Pak Foley

Security Engineer, Procore Technologies
Pak Foley is a Security Engineer at Procore Technologies. He has specialized in Identity and Access Management with a focus on architecting enterprise OAuth and SAML solutions for authentication and authorization throughout distributed systems. With a passion for OAuth in particular... Read More →

Thursday January 23, 2020 10:20am - 10:45am PST
Sand and Sea Room