10:20 - 11:20 (UTC+11)
Talk (60 min)
Common mistakes and misconceptions in Web Application Security using OAuth 2.0 and OpenId Connect
Authorization and authentication are two of main problems on modern web application’s security,. They were both solved by OAuth 2.0 and OpenId Connect(OIDC). But this is not the end of story. Like most things, the devil is in the details. OAuth 2.0 is an open standard for authorization. OpenID Connect extends OAuth 2.0 for authentication scenarios. Anyone can implement them. Considering them being fundamentally complicated, and variety of implementation, this may cause developers making some mistakes. I want to discuss some details in the specs which may lead to misconceptions and also go over common mistakes. For demo the implementation I use IdentityServer4 which is one of most popular open source frameworks for OpenID Connect and OAuth 2.0 on ASP.NET Core.