You should use strong security wherever or whenever extra effort is required to address security risks such as compliance violations, for example. Consequently, strong security is commonly demanded in highly regulated sectors like finance, insurance, or healthcare. However, strong security should be implemented in any business with high risks.

Regarding access controls, strong security can mean requiring the user to present additional factors for authentication or to actively approve requests (consent) to get more confidence in the user’s identity and intentions. Strong access control can also mean improving the utilization of the protocols to reduce attack vectors.

In the workshop, you will learn about the advanced aspects of OAuth and OpenID Connect for achieving strong security. These will include:

• Advanced aspects of the code flow, for example:
  • acr_values and how this can be used for “step up” authentication
  • ui_locales
  • prompt=consent, prompt=none, prompt=login
  • max_age
  • variations on interactive user-consent
  • form response mode

• Signed and unsigned metadata and how to use it to verify tokens
• Advanced parameters for validation (at_hash, c_hash, nonce, s_hash)
• By-value and by-reference request objects
  • JWT Secured Authorization Request (JAR)/Pushed Authorization Request (PAR)
  • JSON Web Encryption (JWE) vs JSON Web Signature (JWS)
• JWT Secured Response Mode (JARM)
• Proof-of-Possession (PoP), i.e., Holder of Key (HoK) (DPoP, or together with mTLS)
• Mutual TLS (mTLS) and certificate-bound access tokens
• JWT authorization grant for user and client authentication
• Dynamic Client Registration (DCR) and early/late user-binding
• Dynamic Client Registration Management (DCRM)
• Client-Initiated Backchannel Authentication (CIBA)

To help solidify these concepts, they will be described verbally, with whiteboard drawings, and demonstrated. Attendees will also be able to implement them using a client application that will be provided together with written instructions. For this, attendees will need a laptop and the right to install software and run Docker containers on that machine.

Knowledge prerequisite
Attendees are expected to have used or implemented these protocols before or to have at least attended a previous OAuth workshop. Extensive background info will not be provided.