Part 2/3: OAuth 2.0 Security Best Practices

OAuth 2.0 is widely used and continuously evolving, making it challenging to keep up to date with the latest and greatest security best practices. This workshop fixes that, giving you an up-to-date overview of best practices for securing your OAuth 2.0 applications.

  • Oct 23
    Alfândega Porto Congress Centre
    2 hours
    11:30 - 13:30 UTC
    Philippe De Ryck

This workshop is here to give you all the knowledge and skills to secure your OAuth 2.0 applications. We will discuss recent additions to the world of OAuth 2.0, such as JWT-Secured Authorization Requests (JAR), Pushed Authorization Requests (PAR), and Demonstration of Proof of Possession (DPoP). As the co-author of the spec on "OAuth 2.0 for browser-based applications", I'll guide you through the changes of the last two years, and discuss how to use a Backend-For-Frontend (BFF) to boost the security of your applications.

During this workshop, we'll explore:

- Recap of OAuth 2.0 common practices
- Security best practices for confidential OAuth 2.0 clients
- Using sender-constrained tokens with mTLS and DPoP
- Securing OAuth 2.0 flows with JAR and PAR
- Understanding OAuth 2.0 security in frontends
- Breaking OAuth 2.0 security in frontends
- Securing OAuth 2.0 with the Backend-For-Frontend pattern

This workshop also puts theory into practice. Throughout the workshop, we'll investigate the concepts we discuss in practical demos and hands-on exercises in a custom-built no-code/low-code environment. We keep things entertaining using playful quizzes and group discussions. By the end of this workshop, you'll be up to speed on the best practices for OAuth 2.0 security. You'll also leave with a handy list of steps to check and boost the security of your applications.

Who should attend?
This training is perfect for developers and architects who work with OAuth 2.0. If your role involves building, testing, or designing modern apps, this workshop will give you a thorough, up-to-date understanding of the best ways to keep things secure.

Prerequisites
To participate in this training, you should have some experience with OAuth 2.0 in practice, as we will not be going through a full introduction. Knowledge of application security can be helpful, but is not required.

Computer setup
To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (preferably Chrome).

Philippe De Ryck
Founder of Pragmatic Web Security, Google Developer Expert

Philippe De Ryck specializes in making web security accessible to developers and architects, leveraging his Ph.D. from KU Leuven to inform his comprehensive understanding of security challenges. As the founder of Pragmatic Web Security, he provides practical security training and consulting services to organizations worldwide.

His online course platform offers a self-paced approach to learning about security. Philippe also actively helps shape OAuth 2.0 best practices as the co-author of the best practices for browser-based apps specification.

Philippe is recognized as a Google Developer Expert, acknowledging his contributions to web application and API security. He also organizes SecAppDev, an annual week-long application security course in Belgium.