Supported by Curity Logotype

Session

Strong Security with OAuth & OpenID Connect

You should use strong security wherever or whenever extra effort is required to address security risks such as compliance violations, for example. Consequently, strong security is commonly demanded in highly regulated sectors like finance, insurance, or healthcare. However, strong security should be implemented in any business with high risks.

Regarding access controls, strong security can mean requiring the user to present additional factors for authentication or to actively approve requests (consent) to get more confidence in the user’s identity and intentions. Strong access control can also mean improving the utilization of the protocols to reduce attack vectors.

In the workshop, you will learn about the advanced aspects of OAuth and OpenID Connect for achieving strong security. These will include:

  • Advanced aspects of the code flow, for example:
    • acr_values and how this can be used for “step up” authentication
    • ui_locales
    • prompt=consent, prompt=none, prompt=login
    • max_age
    • variations on interactive user-consent
    • form response mode
  • Signed and unsigned metadata and how to use it to verify tokens
  • Advanced parameters for validation (at_hash, c_hash, nonce, s_hash)
  • By-value and by-reference request objects
    • JWT Secured Authorization Request (JAR)/Pushed Authorization Request (PAR)
    • JSON Web Encryption (JWE) vs JSON Web Signature (JWS)
  • JWT Secured Response Mode (JARM)
  • Proof-of-Possession (PoP), i.e., Holder of Key (HoK) (DPoP, or together with mTLS)
  • Mutual TLS (mTLS) and certificate-bound access tokens
  • JWT authorization grant for user and client authentication
  • Dynamic Client Registration (DCR) and early/late user-binding
  • Dynamic Client Registration Management (DCRM)
  • Client-Initiated Backchannel Authentication (CIBA)

To help solidify these concepts, they will be described verbally, with whiteboard drawings, and demonstrated. Attendees will also be able to implement them using a client application that will be provided together with written instructions. For this, attendees will need a laptop and the right to install software and run Docker containers on that machine.

Knowledge prerequisite
Attendees are expected to have used or implemented these protocols before or to have at least attended a previous OAuth workshop. Extensive background info will not be provided.

Smarter Tech Decisions Using APIs

Smarter Tech Decisions Using APIs

API blog

High impact blog posts and eBooks on API business models, and tech advice

API conferences

Connect with market leading platform creators at our events

API community

Join a helpful community of API practitioners

API Insights Straight to Your Inbox!

Can't make it to the event? Signup to the Nordic APIs newsletter for quality content. High impact blog posts on API business models and tech advice.

Subscribe

* indicates required

Nordic APIs will use the information you provide on this form to provide updates and news.

You can change your mind at any time by unsubscribing from any email you receive from us or by contacting us at info@nordicapis.com. We will treat your information with respect. By clicking below, you agree that we process your information per the terms in our Privacy Policy.

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices.

Join Our Thriving Community

Become a part of our global community of API practitioners and enthusiasts. Share your insights on the blog, speak at an event or exhibit at our conferences and create new business relationships with decision makers and top influencers responsible for API solutions.

Nordic APIs Community Nordic APIs Community Nordic APIs Community Nordic APIs Community

Write

Speak

Sponsor