Workshop: Strong Security with OAuth and OpenID Connect

Strong security is called for wherever extra effort is needed to address security risks, for example the risk of compliance violations. Consequently, strong security is commonly demanded in highly regulated sectors such as finance, insurance, and healthcare. It should, however, be implemented in any business that faces high risks.


In the case of access control, strong security can mean requiring the user to present additional authentication factors or to actively approve requests (consent), in order to gain more confidence in the user's identity and intentions. Strong access control can also mean using the protocols more rigorously to reduce the available attack vectors.


In this workshop, you will learn about the advanced aspects of OAuth and OpenID Connect that help achieve strong security. Topics include:

  • Advanced aspects of the code flow, for example:
    • acr_values and how they can be used for “step-up” authentication
    • ui_locales
    • prompt=consent, prompt=none, prompt=login
    • max_age
    • variations on interactive user-consent
    • form response mode
  • Signed and unsigned metadata and how to use it to verify tokens
  • Advanced parameters for validation (at_hash, c_hash, nonce, s_hash)
  • By-value and by-reference request objects
    • JWT Secured Authorization Request (JAR)/Pushed Authorization Request (PAR)
    • JSON Web Encryption (JWE) vs JSON Web Signature (JWS)
  • JWT Secured Response Mode (JARM)
  • Proof-of-Possession (PoP), also known as Holder-of-Key (HoK), using DPoP or in combination with mTLS
  • Mutual TLS (mTLS) and certificate-bound access tokens
  • JWT authorization grant for user and client authentication
  • Dynamic Client Registration (DCR) and early/late user-binding
  • Dynamic Client Registration Management (DCRM)
  • Client-Initiated Backchannel Authentication (CIBA)


We will solidify these concepts with the help of presentations, whiteboard drawings and workshop exercises using online resources. For this, you will need a laptop with a browser.


Knowledge prerequisite

Attendees are expected to have used or implemented these protocols before or to have at least attended a previous OAuth workshop. Extensive background info will not be provided.
