OpenID Connect & OAuth 2.0 – Security Best Practices
Since its publication in RFC6749 and RFC6750, OAuth 2.0 has gotten massive traction in the market and became the standard for API protection and the foundation of OpenID Connect.
In the meantime, the protocols have been attacked through known implementation weaknesses and anti-patterns, technology has changed and their usage has been expanded to use-cases and higher security environments than originally considered and anticipated. That’s the reason why the IETF has published a number of so called “Best Current Practices” (BCPs) which update the original specs and threat models and give more prescriptive guidance. This talk gives an overview over those BCPs and picks out a couple of the topics for more in-depth discussion.