Session

Strong Security with OAuth & OpenID Connect

You should use strong security wherever or whenever extra effort is required to address security risks such as compliance violations, for example. Consequently, strong security is commonly demanded in highly regulated sectors like finance, insurance, or healthcare. However, strong security should be implemented in any business with high risks.

Regarding access controls, strong security can mean requiring the user to present additional factors for authentication or to actively approve requests (consent) to get more confidence in the user’s identity and intentions. Strong access control can also mean improving the utilization of the protocols to reduce attack vectors.

In the workshop, you will learn about the advanced aspects of OAuth and OpenID Connect for achieving strong security. These will include:

  • Advanced aspects of the code flow, for example:
    • acr_values and how this can be used for “step up” authentication
    • ui_locales
    • prompt=consent, prompt=none, prompt=login
    • max_age
    • variations on interactive user-consent
    • form response mode
  • Signed and unsigned metadata and how to use it to verify tokens
  • Advanced parameters for validation (at_hash, c_hash, nonce, s_hash)
  • By-value and by-reference request objects
    • JWT Secured Authorization Request (JAR)/Pushed Authorization Request (PAR)
    • JSON Web Encryption (JWE) vs JSON Web Signature (JWS)
  • JWT Secured Response Mode (JARM)
  • Proof-of-Possession (PoP), i.e., Holder of Key (HoK) (DPoP, or together with mTLS)
  • Mutual TLS (mTLS) and certificate-bound access tokens
  • JWT authorization grant for user and client authentication
  • Dynamic Client Registration (DCR) and early/late user-binding
  • Dynamic Client Registration Management (DCRM)
  • Client-Initiated Backchannel Authentication (CIBA)

To help solidify these concepts, they will be described verbally, with whiteboard drawings, and demonstrated. Attendees will also be able to implement them using a client application that will be provided together with written instructions. For this, attendees will need a laptop and the right to install software and run Docker containers on that machine.

Knowledge prerequisite
Attendees are expected to have used or implemented these protocols before or to have at least attended a previous OAuth workshop. Extensive background info will not be provided.

Smarter Tech Decisions Using APIs

Smarter Tech Decisions Using APIs

API blog

High impact blog posts and eBooks on API business models, and tech advice

API conferences

Connect with market leading platform creators at our events

API community

Join a helpful community of API practitioners

API Insights Straight to Your Inbox!

Can't make it to the event? Signup to the Nordic APIs newsletter for quality content. High impact blog posts on API business models and tech advice.

Join Our Thriving Community

Become a part of our global community of API practitioners and enthusiasts. Share your insights on the blog, speak at an event or exhibit at our conferences and create new business relationships with decision makers and top influencers responsible for API solutions.