Name: Lightning Talk: OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices
Start: 2020-01-23T10:20:00-0800
End: 2020-01-23T10:45:00-0800

AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA

Back To Schedule

Lightning Talk: OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices

Feedback form is now closed.

OAuth 2.0 is an authorization framework that enables third party applications to obtain temporary limited authorization to access a protected resource on behalf of a resource owner. The framework is defined by authorization interactions that are each restricted to the type of client obtaining authorization and the type resource owner that must grant access. Diverging from these defined restricted interactions can open up various interception and redirect attack vectors that can grant a malicious actor access to protected resources. For this talk, we will be discussing Public Clients vs Confidential Clients, User Authentication vs Client Authentication, Proof Key for Code Exchange (PKCE) for Public Clients, and how restricting certain OAuth flows to either Public or Confidential Clients is required to mitigate unauthorized access to protected resources.

Speakers

Pak Foley

Security Engineer, Procore Technologies

Pak Foley is a Security Engineer at Procore Technologies. He has specialized in Identity and Access Management with a focus on architecting enterprise OAuth and SAML solutions for authentication and authorization throughout distributed systems. With a passion for OAuth in particular... Read More →

Foley OAuth 2.0 Misimplementation, Vulnerabilities, and Best Practices pdf

Thursday January 23, 2020 10:20am - 10:45am PST
Sand and Sea Room

Talk: Protect It

AppSec California 2020

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Pak Foley