13:40 - 14:40
Talk (60 min)
PAR: Securing the OAuth and OpenID Connect Front-Channel
OAuth flows need to be initiated anonymously using a Browser. To give the user the optimal experience, various request parameters are required. Manipulating those requests has been one of the most common attack vectors in OAuth.
Pushed Authorize Requests (PAR) is a new specification from the OAuth protocol family that solves those problems by adding client authentication to the initial request, and removing the request parameters from the URL altogether.
Learn how PAR works, why we think it should be the default going forward, and which additional scenarios it enables.