Room 1 

13:40 - 14:40 


Talk (60 min)

OAuth and the long way to Proof of Possession

One of the most controversial decisions around OAuth 2.0 was the omission of a mechanism to cryptographically bind access tokens to their owners.


In favor of simplicity, only the Bearer token type was specified with the firm plan to add proof of possession at a later point. Turns out the problem was harder than expected and for the better part of the following decade there was no solution. Today multiple industries and verticals require that extra security feature and there are now two fundamental ways how to achieve sender constraining. This talk looks at the history of proof of possession and the ways to implement it today.

Dominick Baier

Dominick spent most of his professional career implementing security systems for his customers and reading protocol specifications. This resulted in a number of popular open-source projects like IdentityServer and IdentityModel. Since 2020 he runs Duende Software Inc together with his longtime friend and colleague Brock Allen. Duende provides a sustainable home for the IdentityServer project and is the one-stop-shop for all things OpenID Connect and OAuth for .NET-based companies.

Steinar Noem

Steinar is a programmer at heart but spends most of his time on the "softer" parts of development. He has been working for the health sector in Norway for the past six years, where he has been involved in the development and establishment of the authentication service HelseID, and for the past couple of years, he has been involved in conceptualizing and establishing a common trust framework for data sharing for the health sector.

Steinar feels a genuine love for the OAuth Framework and OpenID Connect protocol and has a profound interest in the security mechanisms that make the protocols safer.