Authlete sponsors OAuth Security Workshop 2023 #osw8

Authlete is the main sponsor of OAuth Security Workshop 2023, held between 22nd and 24th August 2023 in London. Our specialists will give presentations.


The OAuth Security Workshop (OSW) aims to improve the security of OAuth, OpenID Connect, and related Internet protocols by facilitating a direct exchange among academic researchers, standardization group members, and industry experts.

Our specialists will give presentations in addition to the sponsorship.

Beyond Scopes: RAR in the Real World (Justin Richer)

  • Tuesday, August 22 / Auditorium / 12:00-12:30

The OAuth “scope” parameter was revolutionary at the time – it allowed limited access to an API in a world where the gold standard had been all-or-nothing. But scopes can only get you so far in describing access. Sometimes you need to be very specific for a single transaction, or be able to describe access to a variety of resources in different ways.

The Rich Authorization Request (RAR) extension to OAuth was recently published as RFC9396. We’ll go through the basics of how the extension works, how to design API access using it, and how it fits alongside other OAuth technologies.

Tutorial: High-security & interoperable OAuth 2: What’s the latest? (Joseph Heenan and Daniel Fett)

  • Wednesday, August 23 / Auditorium / 09:30-10:30

OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has been historically difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last five years working to improve the state of the art and will present the latest developments in the field.

There are challenges when trying to achieve high security and interoperability with OAuth 2: there are many potential threats, some not part of the original OAuth threat model. For seamless authorizations, optionality must be minimized in OAuth itself and also in any extensions used.

Six years ago, the IETF OAuth working group started work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.

We will help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and security through the use of techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS, discussing the benefits and potential disadvantages of each. We highlight the benefits for implementers and the role of conformance testing tools.

Conformance testing for OpenID for Verifiable Credentials (Joseph Heenan)

  • Thursday, August 24 / Auditorium / 11:00-11:30

Digital wallets and verifiable credentials are currently a hot topic in many jurisdictions around the world, with work ongoing in the EU, ISO, Japan, USA and many more that leverages OpenID Foundation (OIDF) standards. OIDF has a history of creating conformance tests and certification programmes for OpenID standards.

OIDF is currently working on tests for the OpenID for Verifiable Presentations, OpenID for Verifiable Credential Issuance and OpenID4VC High Assurance Interoperability Profile (HAIP) specifications to ensure that deployments of these protocols are both interoperable and correctly implement the security properties. Joseph talks about the approach being taken, demonstrates the progress to date, and shares the future roadmap and how implementors can run the current tests.

Federation Bubbles (Justin Richer)

  • Thursday, August 24 / Auditorium / 11:30-12:00

We have traditionally thought of federations as relatively static engagements, with significant effort being put into easing the onboarding of entities into the federation. But what about when the needs change over time? Can we build out a robust network of interconnected federation-driven environments for an ever-changing world?

We’ll talk about the federation bubbles concept and how it relates to existing and emerging security technologies including OAuth, OpenID Connect, Verifiable Credentials, SPIFFE, and others.