{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2025.2.2"}, "schedule": {"url": "https://talks.secworkshop.events/osw2025/schedule/", "version": "0.7", "base_url": "https://talks.secworkshop.events", "conference": {"acronym": "osw2025", "title": "OAuth Security Workshop 2025", "start": "2025-02-26", "end": "2025-02-28", "daysCount": 3, "timeslot_duration": "00:05", "time_zone_name": "UTC", "colors": {"primary": "#033888"}, "rooms": [{"name": "Kaldal\u00f3n", "slug": "1-kaldalon", "guid": "e4fecc1a-4a86-54d8-9212-19d69bdc7e0c", "description": "Main Room", "capacity": 100}, {"name": "R\u00edma", "slug": "2-rima", "guid": "981af90b-e3b0-56c6-a5d8-eb853463616c", "description": null, "capacity": 100}, {"name": "Side room 2", "slug": "3-side-room-2", "guid": "43b0c067-2c4b-5f78-bb34-3a1890ed8cb7", "description": null, "capacity": 50}], "tracks": [{"name": "Session", "slug": "1-session", "color": "#00831C"}], "days": [{"index": 1, "date": "2025-02-26", "day_start": "2025-02-26T04:00:00+00:00", "day_end": "2025-02-27T03:59:00+00:00", "rooms": {"Kaldal\u00f3n": [{"guid": "043ce2ab-307a-5905-8a54-54c406596cae", "code": "AAPHFY", "id": 30, "logo": null, "date": "2025-02-26T09:00:00+00:00", "start": "09:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-30-welcome-session", "url": "https://talks.secworkshop.events/osw2025/talk/AAPHFY/", "title": "Welcome Session", "subtitle": "", "track": null, "type": "Special", "language": "en", "abstract": "Welcome Session", "description": "Welcome Session", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/AAPHFY/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/AAPHFY/", "attachments": []}, {"guid": "254882cb-3123-5cf3-99b5-7bebfa390673", "code": "7PPDHV", "id": 10, "logo": null, "date": "2025-02-26T09:30:00+00:00", "start": "09:30", "duration": "01:00", "room": 
"Kaldal\u00f3n", "slug": "osw2025-10-hope-fulfilled-hype-dispelled-identity-standards-past-present-and-future", "url": "https://talks.secworkshop.events/osw2025/talk/7PPDHV/", "title": "Hope Fulfilled, Hype Dispelled: Identity Standards Past, Present, and Future", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Revisit pronouncements made in the seminal CIS 2013 \u201cHope or Hype?\" presentation and look at similarities to today's hope and hype surrounding wallets and credentials.", "description": "In 2013, the Cloud Identity Summit (the precursor to Identiverse) hosted the seminal \u201cHope or Hype?\u201d session, a humorous yet insightful examination of emerging standards like OAuth, OIDC, JOSE, and JWT. The recently late but forever great Vittorio Bertocci described the session as \"hilarious & very informative!\" in praise that the humbled presenter has aspired to live up to every day since. In tribute to Vittorio, this session will strive to be funny and informative as it takes a retrospective look at the pronouncements made in 2013 and considers similarities to today's hope and hype surrounding wallets and ~~verifiable~~ digital credentials.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RUNRDN", "name": "Brian Campbell", "avatar": "https://talks.secworkshop.events/media/avatars/RUNRDN_LDjWscH.webp", "biography": "As a Distinguished Engineer for Ping Identity, Brian aspires to one day know what a Distinguished Engineer actually does for a living. In the meantime, he's tried to make himself useful with little things like designing and building much of PingFederate, the product that put Ping Identity on the map, and developing jose4j, the popularish open source JWT library. 
When not making himself useful, he attempts to build a legacy by sneaking his name onto specification documents that very few people will actually ever read, including various identity and security related standards in the IETF, OpenID Foundation and OASIS. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell \"Massachusetts\" every time he writes it.", "public_name": "Brian Campbell", "guid": "0b908101-79fd-55cb-9e44-8d05f0c54b8f", "url": "https://talks.secworkshop.events/osw2025/speaker/RUNRDN/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/7PPDHV/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/7PPDHV/", "attachments": []}, {"guid": "29513c9c-15fc-5311-bbd3-9b638c98d35a", "code": "CSEVCD", "id": 36, "logo": null, "date": "2025-02-26T11:00:00+00:00", "start": "11:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-36-eids-in-europe-a-crash-course", "url": "https://talks.secworkshop.events/osw2025/talk/CSEVCD/", "title": "eIDs in Europe - A Crash Course", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "A grand tour of all the different eIDs in Europe, big and small.", "description": "It's not a given that everyone working with OAuth, OIDC and related technology or specifications is fully aware of the thriving eID landscape in Europe. Certainly very few people will have seen and worked with all the different eIDs. This talk will be an informal \"fly-through\" where we look at most of the eIDs in Europe. Talk about their strengths and weaknesses, popularity and some of their quirks. 
We will even live demonstrate some of them!\r\nI suspect this will be a useful session for everyone, especially those working in the identity space but perhaps not fully aware of all the different European eIDs.", "recording_license": "", "do_not_record": false, "persons": [{"code": "97QADT", "name": "Dag Sneeggen", "avatar": "https://talks.secworkshop.events/media/avatars/IMG202405271752352_OrhdA8f.jpg", "biography": "I'm the main guy from Signicat who arranged OSW 2025 in Reykjavik, so if you have any complaints (or compliments) these can be directed to me! \ud83d\ude05\r\n\r\nMy actual job is \"Technical Product Owner\" of a lovely team in Signicat called \"Team Connect\". My team owns the Signicat OIDC server along with a host of other internal services. In practise I'm part architect, team lead and product owner. My team has 5 developers based in Lisboa Portugal, and myself I'm based in Trondheim Norway. \r\n\r\nI'm passionate about OIDC, agile/lean development, open standards, cycling, football, history, gaming and nerdy geeky stuff in general.", "public_name": "Dag Sneeggen", "guid": "49e83218-cccf-5d07-be62-c475816f1beb", "url": "https://talks.secworkshop.events/osw2025/speaker/97QADT/"}, {"code": "JWCLZY", "name": "Allard Keuter", "avatar": "https://talks.secworkshop.events/media/avatars/10-10-2019_portret_Allard_yxQ4MbW.png", "biography": "", "public_name": "Allard Keuter", "guid": "689856cc-582f-5132-af98-0e8b58fe188e", "url": "https://talks.secworkshop.events/osw2025/speaker/JWCLZY/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/CSEVCD/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/CSEVCD/", "attachments": []}, {"guid": "7535f5c5-e66c-5b54-aa63-60a5448b6e3a", "code": "GP3QTB", "id": 21, "logo": null, "date": "2025-02-26T11:30:00+00:00", "start": "11:30", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-21-on-the-security-of-identity-brokers-in-single-sign-on", "url": 
"https://talks.secworkshop.events/osw2025/talk/GP3QTB/", "title": "On the Security of Identity Brokers in Single Sign-On", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "In this talk, we present our S&P'25 paper, exploring the brokered SSO ecosystem and its security. This new flow introduces a broker that mediates interactions between websites and Identity Providers. We uncovered 249 brokers and found 50 vulnerable.", "description": "Single Sign-On (SSO) is an authentication process that allows users to access multiple services with a single set of login credentials. Although SSO improves the user experience, it poses challenges to developers to implement complex authentication protocols securely. External services, called brokers, simplify the integration of SSO.\r\n\r\nIn this talk, we shed light on the emerging brokered SSO ecosystem, focusing on the security of the newly introduced actor, the broker. We systematically evaluate the landscape of brokered SSO, uncovering significant blind spots in previous research. Our study reveals that 25% of the websites with SSO integrate brokers for authentication, an area that has not been covered by any previous research.\r\n\r\nThrough our comprehensive security evaluation, we identify three categories of threats associated with brokered SSO: (1) insufficient validation of redirect chains enabling injection attacks, (2) unauthorized data access enabling account takeovers, and (3) violations of security best current practices.\r\n\r\nWe expose vulnerabilities in over 50 brokers, compromising the security of more than 2k websites. 
These findings represent only a lower bound of a critical situation, underscoring the urgent need for improved security measures and protocols to safeguard the integrity of brokered SSO systems.", "recording_license": "", "do_not_record": false, "persons": [{"code": "K39HUH", "name": "Louis Jannett", "avatar": null, "biography": "", "public_name": "Louis Jannett", "guid": "5ca8ec3b-cd66-552f-80a9-724779e9acc1", "url": "https://talks.secworkshop.events/osw2025/speaker/K39HUH/"}, {"code": "WD97MR", "name": "Tommaso Innocenti", "avatar": "https://talks.secworkshop.events/media/avatars/30100DD2-ADE7-4043-AE11-7FE685E35290_7nTe3OA.jpeg", "biography": "", "public_name": "Tommaso Innocenti", "guid": "0fdb63d1-02c3-59e2-915f-24930ca6d4b0", "url": "https://talks.secworkshop.events/osw2025/speaker/WD97MR/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/GP3QTB/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/GP3QTB/", "attachments": []}, {"guid": "07a97ca4-8edb-5362-bd6c-98420a650420", "code": "FRE3QD", "id": 24, "logo": null, "date": "2025-02-26T12:00:00+00:00", "start": "12:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-24-gnap-a-retrospective", "url": "https://talks.secworkshop.events/osw2025/talk/FRE3QD/", "title": "GNAP: A Retrospective", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "The Grant Negotiation and Authorization Protocol (GNAP) is officially an RFC, let's look at how we got here and what the future holds.", "description": "GNAP was proposed as a delegation protocol that would apply the lessons learned from a decade of OAuth experience and allow expansion into new use cases underserved by OAuth. 
Now that GNAP is an RFC, we'll look back at its journey, look around to its influence on the community, and look forward to its future.", "recording_license": "", "do_not_record": false, "persons": [{"code": "WEKQAY", "name": "Justin Richer", "avatar": "https://talks.secworkshop.events/media/avatars/Justin-2-sm_4zY4nF3.jpg", "biography": "Justin Richer is a security architect, software engineer, standards editor, and systems designer with over two decades of industry experience. He is the lead author of OAuth2 In Action and contributor to OAuth 2.0 and OpenID Connect. Justin is the editor of a variety of standards including GNAP, HTTP Message Signatures, and OAuth extensions RFC7591, RFC7592, RFC7662, and RFC9396. Justin is a co-author to NIST SP 800-63, FIPS201, and NIST SP 800-217.", "public_name": "Justin Richer", "guid": "63e0395d-81f5-5b3f-a94f-3108318237b1", "url": "https://talks.secworkshop.events/osw2025/speaker/WEKQAY/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/FRE3QD/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/FRE3QD/", "attachments": []}, {"guid": "740e31f9-173c-5291-b998-7e00c816a543", "code": "J8DM7P", "id": 31, "logo": null, "date": "2025-02-26T13:30:00+00:00", "start": "13:30", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-31-unconference-planning-day-1", "url": "https://talks.secworkshop.events/osw2025/talk/J8DM7P/", "title": "Unconference Planning Day 1", "subtitle": "", "track": null, "type": "Special", "language": "en", "abstract": "Unconference Planning Day 1", "description": "Unconference Planning Day 1", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/J8DM7P/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/J8DM7P/", "attachments": []}, {"guid": "4e1fb663-94b8-5fca-83aa-fdd0ea475ce9", "code": "BV8TFQ", "id": 51, "logo": null, "date": 
"2025-02-26T14:30:00+00:00", "start": "14:30", "duration": "01:00", "room": "Kaldal\u00f3n", "slug": "osw2025-51-unconference-sessions", "url": "https://talks.secworkshop.events/osw2025/talk/BV8TFQ/", "title": "Unconference Sessions", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Unconference Sessions", "description": "Unconference Sessions", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/BV8TFQ/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/BV8TFQ/", "attachments": []}, {"guid": "17e43310-e72a-5934-9d44-55f953e6b2ad", "code": "JAEJC7", "id": 32, "logo": null, "date": "2025-02-26T16:00:00+00:00", "start": "16:00", "duration": "01:30", "room": "Kaldal\u00f3n", "slug": "osw2025-32-unconference-sessions", "url": "https://talks.secworkshop.events/osw2025/talk/JAEJC7/", "title": "Unconference Sessions", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Unconference Sessions", "description": "Unconference Sessions", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/JAEJC7/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/JAEJC7/", "attachments": []}], "R\u00edma": [{"guid": "e8508583-5fd5-5927-9284-febbe73ba9d4", "code": "XVJHCJ", "id": 5, "logo": null, "date": "2025-02-26T11:00:00+00:00", "start": "11:00", "duration": "00:30", "room": "R\u00edma", "slug": "osw2025-5-how-to-enhance-security-with-transaction-tokens", "url": "https://talks.secworkshop.events/osw2025/talk/XVJHCJ/", "title": "How to Enhance Security with Transaction Tokens", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "This presentation will delve into the concept of transaction tokens, why Yahoo implemented them at scale, and the security benefits they 
offer.", "description": "By replacing cookies and access tokens with short-lived, encrypted JWT tokens, Yahoo aims to reduce vulnerabilities such as internal cookie exposure, replay attacks, and server-side request forgery. The session will provide a comprehensive overview of the end-to-end solution, use cases, and the lessons learned during the adoption journey. We will cover the following key areas:\r\n1. The problem: An overview of Yahoo's current authorization model, and the security gaps identified.\r\nThe solution \u2014 What are Transaction Tokens?: Definition, structure, and comparison with existing authorization methods.\r\n2. The solution \u2014 How Transaction Tokens Work: Detailed explanation of the end-to-end solution, including the process of obtaining and verifying transaction tokens.\r\n3. The solution \u2014 Use Cases and benefits: Practical applications in different services, highlighting the reduction of security risks.\r\n4. Implementation and integration: Steps for integrating transaction tokens, including the development of validation libraries and transition plans.\r\n5. 
Challenges and solutions: Addressing potential challenges, and strategies for a smooth rollout.", "recording_license": "", "do_not_record": false, "persons": [{"code": "JK8LD3", "name": "Mert Coskuner", "avatar": "https://talks.secworkshop.events/media/avatars/avatar_MoJ6YWX.jpg", "biography": "", "public_name": "Mert Coskuner", "guid": "2adc4f82-47d7-5983-a50a-aeecb1e1490e", "url": "https://talks.secworkshop.events/osw2025/speaker/JK8LD3/"}, {"code": "EXWQQ7", "name": "Naveen CM", "avatar": null, "biography": null, "public_name": "Naveen CM", "guid": "c793cef7-543e-59ba-be61-4cb1c3bc5258", "url": "https://talks.secworkshop.events/osw2025/speaker/EXWQQ7/"}, {"code": "Q3Y3SG", "name": "Naveen CM", "avatar": "https://talks.secworkshop.events/media/avatars/Naveen_headshot_5TCf8Px.png", "biography": "", "public_name": "Naveen CM", "guid": "7d322adf-ec73-5efc-b895-bd4b36ed711a", "url": "https://talks.secworkshop.events/osw2025/speaker/Q3Y3SG/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/XVJHCJ/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/XVJHCJ/", "attachments": []}, {"guid": "5ea2136d-a048-58c4-9a25-3fbe236bc736", "code": "3PJDLB", "id": 29, "logo": null, "date": "2025-02-26T11:30:00+00:00", "start": "11:30", "duration": "00:30", "room": "R\u00edma", "slug": "osw2025-29-securing-delegated-workload-identities", "url": "https://talks.secworkshop.events/osw2025/talk/3PJDLB/", "title": "Securing Delegated Workload Identities", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Workloads increasingly delegate obtaining and using credentials to brokers. This talk presents common delegation models, resulting security risks, possible mitigations and invites research into new mechanisms to secure delegated workload identities.", "description": "The changing threat environment puts workload identities in the spotlight. 
New standards are being developed to address some of the most immediate challenges to improve the authentication and authorisation capabilities for workloads. This includes the work progressing in WIMSE and OAuth and is expected to be adopted by SPIFFE in the Cloud Native Compute foundation.\r\n\r\nHowever, as these standards are being developed, and adoption of workload identities proliferates, it is also becoming clear that some of the assumptions about the security model need to be re-visited. \r\n\r\nArchitectural patterns like egress gateways often request and operate identities on-behalf-of workloads. Similarly, modern lightweight service meshes like Istio Ambient Mode act as a broker for workload identities, both in terms of requesting, but also in terms of using credentials. In some deployment models, a platform broker may request OAuth access tokens, but then provision those to workloads on the platform. Sender constraining these access tokens requires a form of delegated key binding where the broker can request access tokens to be bound to a key it does not control. \r\n\r\nIn this session, we will introduce the different delegation models commonly seen, discuss the security challenges that come with those modes of operation, and discuss mitigations ranging from proposals to watermark tokens so that recipients can take into account how identities were provisioned, what protocols were used and what attestation or authentication levels were achieved, through to new sender constraining mechanisms for delegated key binding to enable brokers to request sender constrained tokens on-behalf-of the workloads.", "recording_license": "", "do_not_record": false, "persons": [{"code": "BJXP8F", "name": "Pieter Kasselman", "avatar": "https://talks.secworkshop.events/media/avatars/DSC01046_F4h3Koc.jpg", "biography": "Pieter Kasselman is an Identity Enthusiast, focused on standards based identity products. 
Pieter has over 25 years' experience as a technologist and engineer, working on bringing new technologies and business models to market. Pieter's first encounter with identity was his final year project which used neural networks to identify users based on typing patterns. Since then he worked in a number of roles as an information security analyst, software engineer and program manager in industries that include finance, software, silicon and cloud. His diverse background gives him a unique perspective of the importance of identity and the role of identity standards as both a business enabler and the first line of defence for organizations. Pieter recently joined SPIRL where he is focused on developing standards, technologies and products that allow non-human identities, especially workload identities, to be governed to a least privilege profile.", "public_name": "Pieter Kasselman", "guid": "20bb65a8-3038-5b9e-a411-06c96e16b0d6", "url": "https://talks.secworkshop.events/osw2025/speaker/BJXP8F/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/3PJDLB/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/3PJDLB/", "attachments": []}, {"guid": "948bc53e-915d-508b-942d-645ec1286f02", "code": "LEK33J", "id": 40, "logo": null, "date": "2025-02-26T12:00:00+00:00", "start": "12:00", "duration": "00:30", "room": "R\u00edma", "slug": "osw2025-40-call-for-action-review-oauth-and-oidc-related-requirements-for-owasp-asvs-v5-0", "url": "https://talks.secworkshop.events/osw2025/talk/LEK33J/", "title": "Call for action - review OAuth- and OIDC-related requirements for OWASP ASVS v5.0", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Soon to be released OWASP ASVS v5.0 contains a new chapter of requirements related to OAuth and OIDC. 
The talk is about - what is (not) ASVS, how it covers OAuth and OIDC, and most importantly - calling you to review the related chapter.", "description": "Today, the majority of web applications use OAuth and OIDC in some way. A web application must be security tested, and that\u2019s where the OWASP Application Security Verification Standard (ASVS) gets involved. A new chapter of soon-to-be-released ASVS v5.0 addresses widespread OAuth and OIDC-related problems.\r\n\r\nExtracting security requirements for ASVS from tens of published and not-published OAuth-related RFCs or OIDC documents has not been an easy walk in the park. There are many updates to previously published RFCs, and there are frequently new RFCs published on the topic that make it challenging to pick and fix the security requirements into the ASVS to stay valid for years.\r\n\r\nIt would have been easy to write into the ASVS document that \"follow the latest RFCs and security updates\". From a security tester's point of view, OAuth- and OIDC-related implementations on the web application side have been so often on the naive level \"but it works\", misconfigured, over-engineered or technology is in incorrect use. 
To have the ASVS version without addressing those problems did not feel right and there is motivation to send clear messages with security requirements to point those problems out.\r\n\r\nAnd here we are now - (hopefully) only a few months away from releasing the ASVS v5.0 and it is important to review and validate, is the hard work we did valid and correct also for others, before we \"force\" everyone to use those requirements.\r\n\r\nIn the talk it is explained, what is (and what is not) ASVS, what are the rules and expectations for security requirements, what kind of journey has been to develop those requirements, and how you can contribute.\r\n\r\nThis is a call for action - for specialists in the OAuth and OIDC fields to review ASVS security requirements that will be in the must-have rules list for many web applications. Using your knowledge to make a review and give feedback is highly appreciated!", "recording_license": "", "do_not_record": false, "persons": [{"code": "TF7TYS", "name": "Elar Lang", "avatar": "https://talks.secworkshop.events/media/avatars/elar-lang_fK862jQ.jpg", "biography": "Elar Lang is a web application security specialist and enthusiast who has been working for more than 13 years in different aspects of web application security. A full-time security tester, training architect, and web application security developer educator (close to 3000 hours of training). Likes to research and write proof-of-concepts for attacks. More than 5 years actively developing and co-leading a security standard - OWASP Application Security Verification Standard (ASVS).\r\n\r\nOut of business hours, to \"escape\" the screens and keyboards, takes a photo camera and stays or hikes in nature. 
Favorite places - Iceland and North Scandinavia.", "public_name": "Elar Lang", "guid": "c5226c51-abcd-5baf-83cf-d1a17b7b42ea", "url": "https://talks.secworkshop.events/osw2025/speaker/TF7TYS/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/LEK33J/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/LEK33J/", "attachments": []}]}}, {"index": 2, "date": "2025-02-27", "day_start": "2025-02-27T04:00:00+00:00", "day_end": "2025-02-28T03:59:00+00:00", "rooms": {"Kaldal\u00f3n": [{"guid": "fc1ea4e9-f881-5549-b113-50401cb462b8", "code": "WG9TEW", "id": 37, "logo": null, "date": "2025-02-27T09:00:00+00:00", "start": "09:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-37-cross-app-oauth-attacks-in-integration-platforms-mix-up-attacks-reloaded", "url": "https://talks.secworkshop.events/osw2025/talk/WG9TEW/", "title": "Cross-app OAuth Attacks in Integration Platforms: Mix-up Attacks Reloaded", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "OAuth Mix-up attacks *were* considered hard to exploit.\r\nIn this talk, we focus on open ecosystems like integration platforms that enable practical variants of mix-up attacks via malicious app integrations, and discuss potential tailored spec changes.", "description": "Co-authors: Xianbo Wang, Adonis Fung, Julien Lecomte, Wing Cheong Lau\r\nMore information: https://mobitec.ie.cuhk.edu.hk/osw2025/\r\n\r\nIn this talk, we will cover how the uses of OAuth 2.0 in emerging *integration platforms* have arisen severe new attacks and defenses that impact the majority of big Internet players and billions of their users. In general, the OAuth mix-up attacks [1] were considered of low real-world impact, and thus resulting in limited adoption of defenses [2,3]. 
This is because the attack assumes that an OAuth client interacts with multiple authorization servers (e.g., login with Google and Facebook), in which some of them are either malicious or compromised\u2014something difficult to achieve in practice. However, this situation has shifted within integration platforms.\r\n\r\nIntegration platforms are cloud-based platforms that aggregate multiple third-party apps or services, providing users with unified control. Common types include Workflow Automation platforms, Virtual Voice Assistants, Smart Homes and Large Language Model (LLM) platforms with plugin support. For instance, users can configure the Microsoft Power Automate platform to automatically save their Gmail attachments to Dropbox.\r\n\r\nThese platforms employ OAuth 2.0-based Account Linking to connect end-users' app accounts to their platform account, enabling authorized API calls to app servers. This allows the platform to orchestrate a wide range of external services on behalf of end-users. As most integration platforms are *open ecosystems* that welcome any developers to integrate their apps in a marketplace, this openness leaves room for malicious apps (and thus malicious authorization servers) to infiltrate.\r\n\r\nThe first half of the talk will cover our work to appear in USENIX Security 2025 [4]. Within integration platforms, we identified new variants of mix-up attacks: Cross-app OAuth Account Takeover (COAT) and Request Forgery (CORF). As long as a victim user establishes account linking with a malicious app, or potentially with just a click on a crafted link, they risk unauthorized access or privacy leakage of any apps on the platform. The vulnerabilities are prevalent across 15+ mainstream vendors. 
For example, an attacker can compromise victims' Microsoft 365 suite or Azure services with their single click on an unassuming link (CVE-2023-36019 [5], CVSS: 9.6).\r\n\r\nIn the second half, we will highlight the changes needed from a specification perspective. We believe that OAuth specifications, such as the OAuth Security BCP, could be updated to include practical defenses tailored for integration platforms to address mix-up attacks. We will provide concrete recommendations to [3] for these updates.\r\n\r\nOur preliminary study was presented in Black Hat USA 2024 [6].\r\n\r\n[1] Daniel Fett, Ralf K\u00fcsters, and Guido Schmitz. 2016. A Comprehensive Formal Security Analysis of OAuth 2.0. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). https://doi.org/10.1145/2976749.2978385\r\n[2] https://datatracker.ietf.org/doc/html/rfc9207\r\n[3] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4\r\n[4] Kaixuan Luo, Xianbo Wang, Pui Ho Adonis Fung, Wing Cheong Lau, and Julien Lecomte. 2025. Universal Cross-app Attacks: Exploiting and Securing OAuth 2.0 in Integration Platforms. 34th USENIX Security Symposium (USENIX Security 25).\r\n[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019\r\n[6] Kaixuan Luo, Xianbo Wang, Adonis Fung, Julien Lecomte, and Wing Cheong Lau. 2024. One Hack to Rule Them All: Pervasive Account Takeovers in Integration Platforms for Workflow Automation, Virtual Voice Assistant, IoT, & LLM Services. Black Hat USA 2024. 
https://www.blackhat.com/us-24/briefings/schedule/#one-hack-to-rule-them-all-pervasive-account-takeovers-in-integration-platforms-for-workflow-automation-virtual-voice-assistant-iot--llm-services-38994", "recording_license": "", "do_not_record": false, "persons": [{"code": "LEMRJG", "name": "Kaixuan Luo", "avatar": "https://talks.secworkshop.events/media/avatars/KaixuanLUO_1x1_GVYcsqS.jpg", "biography": "PhD Candidate @ Mobile Technologies Centre (MobiTeC), The Chinese University of Hong Kong (CUHK)\r\nFormer Intern @ Samsung Research America", "public_name": "Kaixuan Luo", "guid": "9bb10600-7faa-5087-a400-72ca43f7e567", "url": "https://talks.secworkshop.events/osw2025/speaker/LEMRJG/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/WG9TEW/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/WG9TEW/", "attachments": []}, {"guid": "1c343c09-5665-56d4-a7cf-017593b90df9", "code": "ABRBUN", "id": 25, "logo": null, "date": "2025-02-27T09:30:00+00:00", "start": "09:30", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-25-http-message-signatures-rfc9421", "url": "https://talks.secworkshop.events/osw2025/talk/ABRBUN/", "title": "HTTP Message Signatures (RFC9421)", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Signing HTTP Messages: How Hard Could It Be?", "description": "It's really hard, actually, because HTTP is super weird. We'll talk through how it works, why it works how it does, and how it could be applied to the OAuth and OIDC worlds. 
We'll also look back at one year of the RFC to see how people are applying, misapplying, confusing, and expanding HTTP signatures in the wild.", "recording_license": "", "do_not_record": false, "persons": [{"code": "WEKQAY", "name": "Justin Richer", "avatar": "https://talks.secworkshop.events/media/avatars/Justin-2-sm_4zY4nF3.jpg", "biography": "Justin Richer is a security architect, software engineer, standards editor, and systems designer with over two decades of industry experience. He is the lead author of OAuth2 In Action and contributor to OAuth 2.0 and OpenID Connect. Justin is the editor of a variety of standards including GNAP, HTTP Message Signatures, and OAuth extensions RFC7591, RFC7592, RFC7662, and RFC9396. Justin is a co-author to NIST SP 800-63, FIPS201, and NIST SP 800-217.", "public_name": "Justin Richer", "guid": "63e0395d-81f5-5b3f-a94f-3108318237b1", "url": "https://talks.secworkshop.events/osw2025/speaker/WEKQAY/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/ABRBUN/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/ABRBUN/", "attachments": []}, {"guid": "6ae96678-022c-5bad-8ee1-9a317c1a06bf", "code": "R8D9BS", "id": 33, "logo": null, "date": "2025-02-27T10:00:00+00:00", "start": "10:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-33-client-assertions-gone-wrong-when-the-audience-takes-over-the-show", "url": "https://talks.secworkshop.events/osw2025/talk/R8D9BS/", "title": "Client Assertions Gone Wrong: When the Audience Takes Over the Show", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "We present and discuss **Audience Injection Attacks** on signature-based client authentication, in which an honest client is tricked into providing the attacker with a valid client credential for an honest authorization server.", "description": "As part of a recent formal analysis of an OAuth/OIDC-based protocol, we discovered Audience 
Injection Attacks, a new class of vulnerabilities affecting asymmetric signature-based client authentication. These attacks exploit weaknesses in client authentication to trick an honest client into generating a client assertion that is valid for an honest authorization server\u2014allowing the attacker to impersonate the client and access user resources. In this talk, we present simple instances of audience injection attacks, analyze their root cause, and discuss how they can\u2014and cannot\u2014be mitigated.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MZDSEX", "name": "Tim W\u00fcrtele", "avatar": "https://talks.secworkshop.events/media/avatars/Tim_W%C3%BCrtele_SD_8tqmk5q.jpg", "biography": "Web and Identity Protocols Security Researcher", "public_name": "Tim W\u00fcrtele", "guid": "bd9e7859-4384-5c4c-b18c-f35d10e3fab3", "url": "https://talks.secworkshop.events/osw2025/speaker/MZDSEX/"}, {"code": "8NHPGP", "name": "Pedram Hosseyni", "avatar": null, "biography": null, "public_name": "Pedram Hosseyni", "guid": "5ac72daf-6b64-50ff-830b-0737beb35c41", "url": "https://talks.secworkshop.events/osw2025/speaker/8NHPGP/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/R8D9BS/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/R8D9BS/", "attachments": []}, {"guid": "c0da7f89-d87d-5530-a154-54aa7eed0a7a", "code": "8TKQM3", "id": 41, "logo": null, "date": "2025-02-27T11:00:00+00:00", "start": "11:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-41-seamless-native-to-browser-sessions-with-session-tokens", "url": "https://talks.secworkshop.events/osw2025/talk/8TKQM3/", "title": "Seamless Native-to-Browser Sessions with Session Tokens", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Proposing a short-lived, single-use session token mechanism to transfer a user\u2019s native OAuth/OIDC session into in-app browser tabs, ensuring 
consistent, secure sign-on and minimizing re-authentication prompts.", "description": "## Overview\r\nIn many native (mobile) applications, users authenticate via an OpenID Connect flow\u2014launching a system or in-app browser to sign in at the OpenID Provider (OP). The app receives ID tokens, refresh tokens, and access tokens. Yet, when the same app later opens a web page (in a custom tab or SFSafariViewController), there is no straightforward mechanism to transfer the established \u201capp session\u201d into a browser session. This often forces re-authentication or leaves the user in an unauthenticated state in the browser context.\r\n\r\n## Proposed Solution\r\nTo bridge this gap, we propose a short-lived, single-use Session Transfer Token that an OIDC Client (the native app) can request and then pass to a new web context, allowing the browser to seamlessly create or refresh an SSO session at the OP. This approach leverages existing OIDC components and session management concepts while improving user experience and security.\r\n\r\n## Outline\r\n1. **Token Issuance**: Short-lived, single-use token from the IdP.\r\n2. **Token Redemption**: \r\n    - **RP-Initiated Flow**: The Relying Party (RP) begins a standard OpenID Connect (OIDC) or OAuth 2.0 flow, passing the STT to the Identity Provider (IdP) (e.g., via `login_hint`) so that user interaction is minimized or avoided entirely.\r\n    - **IdP-Initiated Flow**: The native app directly navigates to the IdP with the STT. 
The IdP sets an SSO cookie (or refreshes the existing one), then redirects the user to the RP, which completes an OIDC flow silently, recognizing the already-authenticated user.\r\n\r\nThis session explores the design considerations, flow diagrams, security measures, and practical scenarios needed to implement frictionless single-sign-on across native apps and in-app browsers.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KJDMPQ", "name": "Fabian Aggeler", "avatar": "https://talks.secworkshop.events/media/avatars/aggeler_V2hhd1t.jpg", "biography": "Fabian Aggeler and Patrick Amrein focus on digital identity / credentials, security and mobile development. At Ubique Innovation, they contribute to architecting secure and seamless solutions that enhance user experiences across a variety of digital products.", "public_name": "Fabian Aggeler", "guid": "49995cc0-38d6-5339-946a-aa1da9caa8a3", "url": "https://talks.secworkshop.events/osw2025/speaker/KJDMPQ/"}, {"code": "XXJMNU", "name": "Patrick Amrein", "avatar": "https://talks.secworkshop.events/media/avatars/1000024030_AlI9RnR.jpg", "biography": "", "public_name": "Patrick Amrein", "guid": "216c10bc-3334-58be-a299-a6ee897c9d8d", "url": "https://talks.secworkshop.events/osw2025/speaker/XXJMNU/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/8TKQM3/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/8TKQM3/", "attachments": []}, {"guid": "6082e403-5943-5e82-83d1-0de94fbfd921", "code": "TUC7RP", "id": 7, "logo": null, "date": "2025-02-27T11:30:00+00:00", "start": "11:30", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-7-oauth-cross-device-flow-for-enhanced-authorization-in-electric-vehicle-charging", "url": "https://talks.secworkshop.events/osw2025/talk/TUC7RP/", "title": "OAuth Cross-Device Flow for Enhanced Authorization in Electric Vehicle Charging", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", 
"abstract": "This talk proposes Electric Vehicle (EV) charging authorization using the OAuth Device Authorization Grant and Rich Authorization Requests to simplify credential installation and enhancing security of the Plug and Charge (PnC) ISO 15118 standard.", "description": "The Plug-and-Charge (PnC) process, as defined by the ISO 15118 standard, automates Electric Vehicle (EV) charging by enabling seamless authentication with X.509 certificates between EVs and Charge Points (CPs). However, the current X.509 credential installation process is complex, relying on a non-uniform Public Key Infrastructure (PKI) and lacking fine-grained authorization capabilities. This talk proposes a streamlined approach to the initial charging authorization and X.509 certificate installation process by leveraging the OAuth Device Authorization Grant (RFC 8628) and Rich Authorization Requests (RFC 9396) with the Authlete Authorization Server API. The proposed solution simplifies PnC\u2019s X.509 credential installation process, reduces technical complexity, introduces flexible authorization constraints (e.g., const and time limits), and facilitates payment through OpenID Connect (OIDC). A proof-of-concept implementation will be presented along with a performance evaluation. 
Moreover, the Device Authorization Grant implementation represents a blueprint for a formally verified solution to common issues introduced by cross-device flows.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7SAB7Y", "name": "Jonas Primbs", "avatar": "https://talks.secworkshop.events/media/avatars/7SAB7Y_jFa1EBQ.webp", "biography": null, "public_name": "Jonas Primbs", "guid": "8cfc4d4f-220d-5858-9da4-c78bfe66a5fd", "url": "https://talks.secworkshop.events/osw2025/speaker/7SAB7Y/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/TUC7RP/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/TUC7RP/", "attachments": []}, {"guid": "d05157e5-ab3a-58f4-b139-7e6cebce835d", "code": "MMRCQW", "id": 19, "logo": null, "date": "2025-02-27T12:00:00+00:00", "start": "12:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-19-privacy-preserving-single-sign-on", "url": "https://talks.secworkshop.events/osw2025/talk/MMRCQW/", "title": "Privacy-Preserving Single Sign-On", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "We present recent advances that improve the privacy of SSO protocols such as OIDC: our approach supports RP authentication, RP-bound tokens and RP-specific pseudonyms - all without the IdP learning the identity of the RP the user wants to access.", "description": "OpenID Connect (OIDC) is a Single Sign-On (SSO) protocol that allows users to authenticate to various Relying Parties (RPs) via an Identity Provider (IdP). The main drawback of SSO is its lack of privacy, as the IdP learns the RP's identity at each user's login. OIDC supports several protocol flows, of which only one, the Implicit Flow, gives hope for any privacy, as it does not require direct communication between the IdP and RP. This design was initially intended for RPs with technical limitations that prevent them from storing credentials and thus authenticating to the IdP. 
However, RP authentication is crucial to ensure that users only access properly registered RPs. As a result, the Implicit Flow has been deprecated in the ongoing OIDC/OAuth specification process.\r\n\r\nWe propose a privacy-preserving protocol that incorporates RP authentication into the Implicit Flow. That is, the IdP can restrict its service to authenticated RPs and tie each authentication token to a specific RP, but without learning which RP the user is accessing. Our work further supports unlinkable authentication towards RPs. In SSO, this is realized via Pairwise Pseudonymous Identifiers (PPID), where the IdP assigns the user an RP-specific pseudonym. We propose the first SSO system that can provide such pseudonymous authentication in an unobservable yet strongly secure manner. That is, the IdP blindly derives the user's pairwise pseudonym for the targeted RP without learning the RP's identity. Our protocol maintains the convenience of classic SSO, as it does not require any key material handled by the user.\r\n\r\nOur construction combines signatures with efficient proofs-of-knowledge with a blind, yet verifiable, evaluation of the Hashed-Diffie-Hellman PRF. We have proven the security of our protocol and demonstrated its efficiency through a prototypical implementation, which requires a running time of 2-12ms per involved party.\r\n\r\n\r\nThis talk is based on joint work with Anja Lehmann and Cavit \u00d6zbay:\r\n- Maximilian Kroschewski, Anja Lehmann. Save The Implicit Flow? Enabling Privacy-Preserving RP Authentication in OpenID Connect. PETS 2023. https://petsymposium.org/popets/2023/popets-2023-0100.php\r\n- Maximilian Kroschewski, Anja Lehmann, Cavit \u00d6zbay. OPPID: Single Sign-On with Oblivious Pairwise Pseudonyms. 
https://eprint.iacr.org/2024/1124", "recording_license": "", "do_not_record": false, "persons": [{"code": "W7HFT3", "name": "Maximilian Kroschewski", "avatar": "https://talks.secworkshop.events/media/avatars/profile-2025-small_Dbsv9ju.jpg", "biography": "", "public_name": "Maximilian Kroschewski", "guid": "500a3545-1b35-533c-9d6f-d58960ca03ea", "url": "https://talks.secworkshop.events/osw2025/speaker/W7HFT3/"}, {"code": "VL3HRV", "name": "Anja Lehmann", "avatar": null, "biography": null, "public_name": "Anja Lehmann", "guid": "4c996287-29a3-5063-a5fc-e6623e1f5906", "url": "https://talks.secworkshop.events/osw2025/speaker/VL3HRV/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/MMRCQW/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/MMRCQW/", "attachments": []}, {"guid": "57e4749a-fb8f-5396-8986-e6f28be6dfa7", "code": "R3JPLR", "id": 46, "logo": null, "date": "2025-02-27T13:30:00+00:00", "start": "13:30", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-46-unconference-planning-day-2", "url": "https://talks.secworkshop.events/osw2025/talk/R3JPLR/", "title": "Unconference Planning Day 2", "subtitle": "", "track": null, "type": "Special", "language": "en", "abstract": "Unconference Planning Day 2", "description": "Unconference Planning Day 2", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/R3JPLR/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/R3JPLR/", "attachments": []}, {"guid": "c792f8d1-0c29-5730-aa7e-0be94acf7440", "code": "WVQYQL", "id": 48, "logo": null, "date": "2025-02-27T14:00:00+00:00", "start": "14:00", "duration": "01:30", "room": "Kaldal\u00f3n", "slug": "osw2025-48-unconference-sessions", "url": "https://talks.secworkshop.events/osw2025/talk/WVQYQL/", "title": "Unconference Sessions", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", 
"abstract": "Unconference Sessions", "description": "Unconference Sessions", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/WVQYQL/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/WVQYQL/", "attachments": []}, {"guid": "2495dda7-2fa8-5098-963a-62d3c0b08cb0", "code": "GZJEAK", "id": 49, "logo": null, "date": "2025-02-27T16:00:00+00:00", "start": "16:00", "duration": "00:45", "room": "Kaldal\u00f3n", "slug": "osw2025-49-unconference-sessions", "url": "https://talks.secworkshop.events/osw2025/talk/GZJEAK/", "title": "Unconference Sessions", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Unconference Sessions", "description": "Unconference Sessions", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/GZJEAK/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/GZJEAK/", "attachments": []}], "R\u00edma": [{"guid": "63b86f1f-a640-54eb-8c42-8d46363dfbcb", "code": "73GFAU", "id": 39, "logo": null, "date": "2025-02-27T09:30:00+00:00", "start": "09:30", "duration": "00:30", "room": "R\u00edma", "slug": "osw2025-39-key-attestations", "url": "https://talks.secworkshop.events/osw2025/talk/73GFAU/", "title": "Key Attestations", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "In this talk, we look back on the recent developments around key attestations in eIDAS and OpenID4VCI and the motivation behind them. Afterwards we will discuss whether key attestations deserve their own, separate drafts for broader interoperability.", "description": "In this talk, we look back on the recent developments around key attestations in eIDAS and OpenID4VCI and the motivation behind them. 
Furthermore, we will investigate the lessons learned from OpenID4VCI designs and the Attestation-Based Client Authentication draft. Afterwards we will discuss whether key attestations deserve their own, separate drafts for broader interoperability and if it's worth it to extract them from the OpenID4VCI specification. Which other use cases, existing or upcoming specifications could benefit from such interoperable key attestations? We will also present our thinking about what properties and features such an interoperable key attestation could require and hopefully spark a debate.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9UJP88", "name": "Paul Bastian", "avatar": "https://talks.secworkshop.events/media/avatars/Paul-Bastian_0094_yVNPQKI.jpg", "biography": "", "public_name": "Paul Bastian", "guid": "5c89e8e9-c331-515d-aa68-bdcc30c779aa", "url": "https://talks.secworkshop.events/osw2025/speaker/9UJP88/"}, {"code": "HNCGF3", "name": "Christian Bormann", "avatar": "https://talks.secworkshop.events/media/avatars/8774236_FsJBeqO.jpeg", "biography": "", "public_name": "Christian Bormann", "guid": "a054b800-fefe-58ca-8042-2b7cf5c569dc", "url": "https://talks.secworkshop.events/osw2025/speaker/HNCGF3/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/73GFAU/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/73GFAU/", "attachments": []}, {"guid": "650b8725-f637-5111-9d96-9ebe61b019b6", "code": "ZBATKZ", "id": 20, "logo": null, "date": "2025-02-27T10:00:00+00:00", "start": "10:00", "duration": "00:30", "room": "R\u00edma", "slug": "osw2025-20-building-the-authentication-layer-for-oauth-2-0-for-first-party-applications", "url": "https://talks.secworkshop.events/osw2025/talk/ZBATKZ/", "title": "Building the Authentication Layer for OAuth 2.0 for First-Party Applications", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "This session explores building an 
API-centric authentication layer for the OAuth 2.0 for First-Party Applications specification. Discusses an authentication API designed to handle diverse authentication needs in a flexible, API-driven manner.", "description": "OAuth 2.0, paired with OpenID Connect, is the standard for user authentication. However, its reliance on browser redirects for communication among parties often results in a suboptimal user experience particularly for native applications. This has led developers to seek alternative, and sometimes less secure, methods to implement OAuth in an API-centric manner.\r\n\r\nThe upcoming \u201cOAuth 2.0 for First-Party Applications\u201d specification aims to bridge this gap by introducing an extension to OAuth for API-centric authorization. However, the scope of OAuth 2.0 for FiPA does not include user authentication in an API-centric way. This session will dive into bridging this gap by designing a flexible, API-centric authentication layer to complement the OAuth 2.0 for First-Party Applications specification. \r\n\r\nThe session will explore:\r\n\r\n- Designing an API-centric authentication layer that supports various authentication methods such as passkeys, Email OTP, social logins, etc. in a generic manner.\r\n- Handling multi-factor authentication (MFA).\r\n- Handling multi-option selection for authentication.\r\n- Handling social and enterprise federated login scenarios.\r\n- Leveraging the authentication API to dynamically build UI representations in login interfaces.\r\n\r\nThe session will include a demo showcasing a mobile application that integrates the discussed authentication API. 
It will show the enhanced user login experience that can be achieved when implementing OAuth 2.0 for First-Party Application specification along with an authentication API as discussed in this session.", "recording_license": "", "do_not_record": false, "persons": [{"code": "PJGUSL", "name": "Janak Amarasena", "avatar": "https://talks.secworkshop.events/media/avatars/IMG-20230324-WA0000_1_5czm97p.jpg", "biography": "Janak is a Software Engineer and a Technical Lead at WSO2, where he focuses on the design and development of the Identity and Access Management solution. With over six years of experience in the IAM domain, he is passionate about creating secure, user-centric, and scalable systems. Through his work, he strives to advance IAM solutions, helping organizations deliver secure and seamless digital experiences. Janak currently leads the authentication and registration aspects of the Identity and Access Management team.", "public_name": "Janak Amarasena", "guid": "eee02588-f083-575e-917c-c44ee690dd11", "url": "https://talks.secworkshop.events/osw2025/speaker/PJGUSL/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/ZBATKZ/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/ZBATKZ/", "attachments": []}, {"guid": "ea2c9069-5663-5167-939e-cf590126e690", "code": "JUT8NM", "id": 23, "logo": null, "date": "2025-02-27T11:30:00+00:00", "start": "11:30", "duration": "00:30", "room": "R\u00edma", "slug": "osw2025-23-openid-for-verifiable-credentials-achieving-interoperability-security-and-scalability", "url": "https://talks.secworkshop.events/osw2025/talk/JUT8NM/", "title": "OpenID for Verifiable Credentials: Achieving interoperability, security and scalability", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Latest updates on conformance tests for OpenID for Verifiable Credentials family of standards, live demonstration of the current tests and discussion about planned future 
work.", "description": "Digital wallets and verifiable credentials are currently a hot topic in many jurisdictions around the world, with work ongoing in ISO, the EU, Japan, USA and many more that leverages the OpenID Foundation (OIDF) for Verifiable Credentials standards. OIDF has a history of creating conformance tests and certification programmes for OpenID standards that can be used to ensure that ecosystems made of up many potentially divergent implementations of the standard can scale up quickly. \r\n\r\nOIDF is currently working on tests for the OpenID for Verifiable Presentations, OpenID for Verifiable Credential Issuance and OpenID4VC High Assurance Interoperability Profile (HAIP) specifications to ensure that deployments of these protocols are both interoperable and correctly implement the security properties. Joseph talks about the approach being taken, demonstrates the progress to date, shares the future roadmap and how implementors can run the current tests.", "recording_license": "", "do_not_record": false, "persons": [{"code": "PFEU9U", "name": "Joseph Heenan", "avatar": "https://talks.secworkshop.events/media/avatars/Joseph-1_uZyfWoz.jpg", "biography": "Joseph is a software engineer & architect with over 25 years\u2019 experience, who started writing mobile apps before mobile apps existed.\r\n\r\nHe contributes to IETF and OpenID Foundation working groups, including the FAPI group where he helped write the security profiles used by most OpenBanking ecosystems and is a co-chair of the Digital Credentials Protocols working group. He\u2019s helped companies around the globe architect and deploy secure systems, particularly when mobile apps are involved. More recently he\u2019s been focussed on verifiable credentials, in particular the OpenID for Verifiable Credentials family of specs, along with the associated specifications like mdoc/mdl, SD-JWT VC and the interoperability profiles. 
\r\n\r\nJoseph is CTO at Authlete and Standards Specialist & Certification Director at the OpenID Foundation.", "public_name": "Joseph Heenan", "guid": "132c44b3-f648-591d-b9ef-3dab977c888c", "url": "https://talks.secworkshop.events/osw2025/speaker/PFEU9U/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/JUT8NM/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/JUT8NM/", "attachments": []}, {"guid": "9763e0b4-4a22-5395-b822-19286dd66bbc", "code": "HBZMVK", "id": 9, "logo": null, "date": "2025-02-27T12:00:00+00:00", "start": "12:00", "duration": "00:30", "room": "R\u00edma", "slug": "osw2025-9-how-to-confirm-an-oauth2-oidc-product-is-secure-a-conformance-test-and-vulnerability-test", "url": "https://talks.secworkshop.events/osw2025/talk/HBZMVK/", "title": "How to confirm an OAuth2/OIDC product is secure - a conformance test and vulnerability test", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "The talk describes research on conformance tests and vulnerability tests for OAuth2/OIDC and its related specifications to confirm a product supporting such specification is secure. Audience can gain insight into how they check the product is secure.", "description": "To securely deploy a product that supports OAuth2/OIDC and their associated security specifications into commercial services, we need to ensure that the product is implemented according to the specifications. To confirm that, we need to perform conformance tests for the specifications on the product and ensure that the product passes the conformance tests.\r\n \r\n Some security specifications have their conformance tests provided by the standardization body (e.g., The OpenID Foundation provides conformance tests of OpenID Connect and FAPI security profiles) while others do not have. 
If we cannot obtain conformance tests for the specifications, how could we be sure that the product that implements the specifications is compliant with the specifications? This is an issue.\r\n \r\nEven if it is confirmed that a product is compliant with security specifications, this does not necessarily mean that the product is free from vulnerabilities. Therefore, we need to scan the product with a vulnerability scanner. However, these commonly available scanners may not be able to detect vulnerabilities related to OAuth2/OIDC and its related specifications. This is another issue.\r\n\r\n To solve the issues, I would like to explain academic research on a conformance test and vulnerability test for OAuth2/OIDC and its related specifications to confirm a product that supports such specifications is secure. The audience facing the issues could gain insight into how to confirm the product is secure.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CJX8KF", "name": "Takashi Norimatsu", "avatar": "https://talks.secworkshop.events/media/avatars/25092005_yUr6hDD.jpg", "biography": "Takashi Norimatsu, Senior OSS Specialist, Hitachi, Ltd. is a maintainer of Keycloak, identity and access management OSS. He has implemented and contributed security features like FAPI security profiles, W3C Web Authentication (WebAuthn) API support. He leads Keycloak's community \"OAuth SIG\" (Ex FAPI-SIG) as Tech Lead for supporting OAuth/OIDC and its related security features to Keycloak. 
He has experience constructing high security banking API systems.", "public_name": "Takashi Norimatsu", "guid": "81c6d582-bd0a-5bc9-84d2-db1064ca6648", "url": "https://talks.secworkshop.events/osw2025/speaker/CJX8KF/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/HBZMVK/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/HBZMVK/", "attachments": []}]}}, {"index": 3, "date": "2025-02-28", "day_start": "2025-02-28T04:00:00+00:00", "day_end": "2025-03-01T03:59:00+00:00", "rooms": {"Kaldal\u00f3n": [{"guid": "44d4c650-5f84-588e-8d1d-1c9ea41cd1c1", "code": "FFQ3K9", "id": 16, "logo": null, "date": "2025-02-28T09:30:00+00:00", "start": "09:30", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-16-from-manual-to-marvelous-improving-security-through-conformance-testing", "url": "https://talks.secworkshop.events/osw2025/talk/FFQ3K9/", "title": "From Manual to Marvelous: Improving Security Through Conformance Testing", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "HelseID enables secure health data sharing in Norway but poses integration challenges due to our strict security profile. We address this by developing an automated conformance testing system, combining practical development and academic research.", "description": "The Norwegian Health Network (NHN) has an authentication server, HelseID, that provides access control for all health personnel in Norway. The service is a highly secure OAuth and OpenID Connect provider which ensures that health information can be shared safely and easily. \r\n\r\nAt last year's OSW, we held a presentation on the challenges of using HelseID due to our strict security profile. This year we would like to go a step further and present a possible solution to help with these challenges. We have started to develop a system for automated conformance testing against our security profile. 
The goal is to make the process of integrating with HelseID easier, while making sure the integrations fulfill every security requirement.\r\n\r\nWe currently run two parallel approaches on this subject. The first is a practical approach. We are building upon our experience from code reviews and the security profile to develop an application used by software vendors to automate conformance testing. The second approach is an academic research project where two master students are researching the current process and how to optimize it.", "recording_license": "", "do_not_record": false, "persons": [{"code": "SEXWDY", "name": "Anne Marie Skaar Hasund", "avatar": "https://talks.secworkshop.events/media/avatars/_DSC5818-profile2_K1oIorr.jpg", "biography": "", "public_name": "Anne Marie Skaar Hasund", "guid": "bba14865-91b0-5073-8a0e-a4aca1edc3c0", "url": "https://talks.secworkshop.events/osw2025/speaker/SEXWDY/"}, {"code": "VEL7FR", "name": "Helene Bj\u00f8rnsen", "avatar": "https://talks.secworkshop.events/media/avatars/Skjermbilde_2025-02-12_kl._15.08.05_R2g2OCl.png", "biography": "", "public_name": "Helene Bj\u00f8rnsen", "guid": "6a9aefb6-22dc-5741-8f90-9a03cb3cc720", "url": "https://talks.secworkshop.events/osw2025/speaker/VEL7FR/"}, {"code": "7T97V7", "name": "Eva Kval\u00f8", "avatar": "https://talks.secworkshop.events/media/avatars/Skjermbilde_2025-02-12_kl._11.05.03_lljPl4J.png", "biography": "", "public_name": "Eva Kval\u00f8", "guid": "f80f741c-0003-5dce-b044-c87f578645f2", "url": "https://talks.secworkshop.events/osw2025/speaker/7T97V7/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/FFQ3K9/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/FFQ3K9/", "attachments": []}, {"guid": "57068b91-7eac-59ef-8d79-94405553324a", "code": "87XFAJ", "id": 22, "logo": null, "date": "2025-02-28T10:00:00+00:00", "start": "10:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": 
"osw2025-22-the-cambrian-explosion-of-oauth-and-openid-specifications", "url": "https://talks.secworkshop.events/osw2025/talk/87XFAJ/", "title": "The Cambrian Explosion of OAuth and OpenID Specifications", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "The number of OAuth and OpenID specs continues to grow.  We will discuss how people and organizations have gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings.", "description": "The number of OAuth and OpenID specifications continues to grow.  At present there are 30 OAuth RFCs, two more in the RFC Editor queue, 13 OAuth working group drafts, and another eight individual OAuth drafts that may advance.  There are nine JOSE RFCs and seven working group drafts.  There are four SecEvent RFCs.  On the OpenID side, there are 12 final OpenID Connect specs, three final FAPI specs, one final MODRNA spec, three final eKYC-IDA specs, and 24 Implementer\u2019s drafts across the OpenID working groups, plus another ten working group drafts.\r\n\r\nThe number of possible combinations boggles the mind.  And there\u2019s no end in sight!\r\n\r\nWhat\u2019s a developer to do?  How have people and organizations gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings?  And faced with such an array of combinations and choices, how are application developers to make sense of it all?  How can interoperability be achieved in the face of continued innovation?\r\n\r\nThis session will prime the pump by discussing choices made by some existing open source and commercial offerings in the OAuth and OpenID space and lead to an open discussion of choices made by the workshop attendees and the reasoning behind them.  
It\u2019s our goal that useful strategies emerge from the discussion that help people grapple with the ever-expanding sets of specifications and make informed implementation choices, while still fostering the innovation and problem-solving that these specifications represent.\r\n\r\nBetween now and the workshop, we plan to gather data from multiple organizations offering OAuth and OpenID libraries and products to try to understand how they\u2019re wrestling with the situation.  We\u2019ll present a summary of that data to help kick off the discussions at the workshop.  It\u2019s possible that people from some of the organizations we gather data from will be added as co-presenters.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TSMMHY", "name": "Michael B. Jones", "avatar": "https://talks.secworkshop.events/media/avatars/Identiverse_2022_Cropped_RwkarPA.jpg", "biography": "Michael B. Jones is on a quest to build the Internet's missing identity layer. He is an editor of the OpenID Connect specifications, IETF OAuth specifications, including JSON Web Token (JWT) and DPoP, the IETF JSON Object Signing and Encryption (JOSE)  specifications, FIDO 2.0, and W3C Web Authentication.  Michael was recognized as Distinguished Engineer by OpenID Foundation and was granted a lifetime achievement award by Kuppinger Cole for creating simple, secure, ubiquitous, interoperable digital identity solutions since 2005.  As a long-time member of the OpenID Board of Directors, he architected the award-winning and globally adopted OpenID Certification program.  He chairs the IETF COSE working group.  Michael's Ph.D. in Computer Science from Carnegie Mellon University led to a lifelong career in digital identity, computer security, privacy, and networking.  He is passionate about mentoring the next generation of identity leaders.  
His professional Web site is https://self-issued.consulting/, he blogs at https://self-issued.info/ and tweets at @selfissued.", "public_name": "Michael B. Jones", "guid": "808625ce-2921-5db8-86e3-7f964f6e1af9", "url": "https://talks.secworkshop.events/osw2025/speaker/TSMMHY/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/87XFAJ/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/87XFAJ/", "attachments": []}, {"guid": "6b5fb442-306b-501c-b25f-967b6a268f85", "code": "QPQWRL", "id": 38, "logo": null, "date": "2025-02-28T11:00:00+00:00", "start": "11:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-38-api-security-patterns-real-world-patterns-used-for-building-token-based-architectures", "url": "https://talks.secworkshop.events/osw2025/talk/QPQWRL/", "title": "API Security Patterns - Real world patterns used for building token based architectures", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "A real-world view of the existing patterns used for large scale API security setups using OAuth. Covering gateway patterns, inter-API communication patterns as well as integrations with entitlement management systems (ABAC/PBAC).", "description": "We have been deploying API security patterns over the past 13 years. These OAuth based patterns utilize token structures and formats to build secure token based architectures. 
With the emergence of workload identities it is important to understand and utilize the power that OAuth already provides.\r\n\r\nThis presentation will walk through the phantom token pattern, the split token pattern for CDN based systems, token propagation techniques in the API network, and commonly used integration techniques for how OAuth integrates with PBAC/ABAC systems in larger scale entitlement management systems.\r\n\r\nThe goal of this presentation is to make sure that future standards build on and consider existing techniques that may prove to solve problems existing already today.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RGERW8", "name": "Jacob Ideskog", "avatar": null, "biography": "Jacob Ideskog is an Identity Specialist and CTO at Curity. Most of his time is spent working with security solutions in the API-, Mobile and Web space. He has worked with both designing and implementing OAuth and OpenID Connect solutions for large enterprise deployments as well as small startups.", "public_name": "Jacob Ideskog", "guid": "e2012f76-8c91-524f-aca0-1afd8228ab81", "url": "https://talks.secworkshop.events/osw2025/speaker/RGERW8/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/QPQWRL/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/QPQWRL/", "attachments": []}, {"guid": "65bab526-f1c6-5ee8-82ea-5424c7ee6f4e", "code": "ZMCW9Y", "id": 6, "logo": null, "date": "2025-02-28T11:30:00+00:00", "start": "11:30", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-6-real-life-openid-connect-for-microservices", "url": "https://talks.secworkshop.events/osw2025/talk/ZMCW9Y/", "title": "Real-life OpenID Connect for microservices", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "ID-porten, Norway\u2019s national IDP, uses OAuth2.1/OIDC as the integration protocol between micro services and frontends. 
Our OIDC profile helped us create a flexible, robust and secure system running 24/7 for 2000 public services and 4.7 million users.", "description": "The Norwegian Digitalization Agency runs the OpenID Provider \"ID-porten\" for 2000+ clients, 4.7 million users and 300 million unique logins each year. Building on what we've learned from visiting OSW conferences, reading specifications and previous experiences with how hard it is to implement an OpenID Connect server from scratch, we have rewritten our system as microservices using OAuth2.1 and OpenID Connect as the integration protocol. The new system can change the login experience by adding or removing individual OIDC servers.\r\n\r\nWe want to share how the specifications have guided our new architecture, extensions we have made, and problems we are facing.", "recording_license": "", "do_not_record": false, "persons": [{"code": "FUZTAF", "name": "Thomas Reppesg\u00e5rd", "avatar": "https://talks.secworkshop.events/media/avatars/TNSQ6Q0KG-U012D03HE93-99c508d6018b-512_sbUOQvm.png", "biography": "Thomas Reppesg\u00e5rd has been a developer for 25 years.  The last 12 years with OAuth2, OIDC and SAML2-based identity providers in the Norwegian Digitalization Agency.  He has a master's degree (Cand. Philol.) in Computational Linguistics, Mathematical Logic and Programming from the University of Oslo, Norway.", "public_name": "Thomas Reppesg\u00e5rd", "guid": "226027d7-c605-5326-961f-879145f92328", "url": "https://talks.secworkshop.events/osw2025/speaker/FUZTAF/"}, {"code": "MUYCFR", "name": "Anne Marte Hjem\u00e5s", "avatar": "https://talks.secworkshop.events/media/avatars/IMG_1378_9NzvZ6L.jpeg", "biography": "Developer and solution architect on the ID-porten team. She\u2019s a consultant from JPro, has an M.Sc. in Engineering Cybernetics from NTNU and has worked in the IT industry for 25 years. 
She\u2019s been implementing security solutions in the private and public sector in Norway using OAuth and OpenID Connect for over a decade.", "public_name": "Anne Marte Hjem\u00e5s", "guid": "7e16b228-92e2-531d-9768-ad99c373dd24", "url": "https://talks.secworkshop.events/osw2025/speaker/MUYCFR/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/ZMCW9Y/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/ZMCW9Y/", "attachments": []}, {"guid": "aae946dc-c862-515f-bbed-2280f523542b", "code": "CNCWHF", "id": 14, "logo": null, "date": "2025-02-28T12:00:00+00:00", "start": "12:00", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-14-reaching-better-access-control-through-oauth2-clients-extensions-in-jwt-profiled-tokens-and-step-up-authorization-signalling", "url": "https://talks.secworkshop.events/osw2025/talk/CNCWHF/", "title": "Reaching better access control through OAuth2 clients extensions in JWT profiled tokens and Step-Up Authorization signalling", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "RPs receive requests from various origins/contexts and control access using subject metadata. But Client ones (grant flow type, client authentication methods) are out of reach. We propose to improve this state, enabling new signalling capabilities.", "description": "OAuth2 is a framework. It has been enriched step by step over the years, to solve new cases. As part of its evolution, it has gained and lost grant types, won new Client authentication methods (mTLS, private JWT), as well as new high assurance protection mechanisms (PKCE, DPoP, RAR/PAR). Knowing and signalling into which context OAuth2 tokens have been issued is now mandatory to ensure the best access control possible over protected resources. This has been done for end-users with the introduction of Authentication Context Class Reference (ACR) and Authentication Methods Reference (AMR). 
Still, this has never been propagated to OAuth2 clients. In this discussion, we will:\r\n\r\n- Justify the need for extensions to JWT-profiled OAuth2 tokens with real-life examples;\r\n- Propose new claims and example values to propagate those signals from the Authorization Servers to the Resource Providers;\r\n- Propose new metadata for Authorization Servers to advertise their ability to provide those metadata.\r\n\r\nIn the response flow, UMA 2.0 demonstrated that the Resource Owner must consent before a resource is disclosed; RAR and PAR demonstrated more details should be included inside the delegated authorization before a resource is disclosed; WIMSE might require another type of delegated authorization proof before a resource is disclosed; at the very least, scope changes would be a common use case for talking to the Authorization Server again before reattempting to request a resource. The Client cannot know those requirements beforehand as they could be related to Access Control constraints at the Resource Provider. So how can the Resource Provider signal those required behaviors to the Client?\r\n\r\nRFC 9470 - OAuth 2.0 Step Up Authentication Challenge Protocol introduced the ability to extend HTTP response codes to request a more assured authentication process of the subject. Nothing was said about the content or context of the request, even less about the authentication process of the Client and the format of the delegated authorization proof. Still, we can rely on this RFC as a stepping stone to create an authorization staircase for the Client to meet the Resource Provider's expectations if possible.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KCEPZK", "name": "Jeff Lombardo", "avatar": "https://talks.secworkshop.events/media/avatars/Jeff_YCPxRXM.png", "biography": "Jeff is a Solutions Architect expert in IAM, Application Security, and Data Protection. 
Through 20 years as an IAM consultant for French, Canadian, and US enterprises of all sizes and business verticals, he delivered innovative solutions with respect to standards and governance frameworks. For the last 4 years at AWS, he has helped organizations enforce best practices and defense in depth for secure cloud adoption.", "public_name": "Jeff Lombardo", "guid": "dd861ec5-436d-56a1-8147-b6ff0bc73c25", "url": "https://talks.secworkshop.events/osw2025/speaker/KCEPZK/"}, {"code": "HTNNXD", "name": "Alex Babeanu", "avatar": "https://talks.secworkshop.events/media/avatars/AR_Babeanu_Portrait_dMasBzw.jpg", "biography": "Alex has been involved in IAM Product Development for over twenty years now, 10 of which were spent specifically using Graphs and Graph databases for Identity and Access Management. As a graph-certified and IAM-accredited consultant, he has implemented solutions for clients in the field in both Cloud and Hybrid environments. Over the years, Alex has been evangelizing the Graph approach for Access Management at various Graph and IAM conferences and published many papers and blogs on the topic. As an active and founding member of the IDPro organization and a member of its editorial committee, Alex helps review and publish content for the monthly IDPro publications. Alex now leads the research and development of the 3Edges startup, which created the best and easiest to use Graph platform on the market, specifically for building identity-aware graph-based applications. 
Alex holds an MSc in Knowledge Based Systems from the University of Edinburgh, UK, and is an avid Sci-Fi enthusiast.", "public_name": "Alex Babeanu", "guid": "86eecc97-7d20-5851-9e18-0f2f2805254a", "url": "https://talks.secworkshop.events/osw2025/speaker/HTNNXD/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/CNCWHF/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/CNCWHF/", "attachments": []}, {"guid": "2e5087bf-67d6-59ff-a313-96f847100ba4", "code": "GEEN7C", "id": 47, "logo": null, "date": "2025-02-28T13:30:00+00:00", "start": "13:30", "duration": "00:30", "room": "Kaldal\u00f3n", "slug": "osw2025-47-unconference-planning-day-3", "url": "https://talks.secworkshop.events/osw2025/talk/GEEN7C/", "title": "Unconference Planning Day 3", "subtitle": "", "track": null, "type": "Special", "language": "en", "abstract": "Unconference Planning Day 3", "description": "Unconference Planning Day 3", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/GEEN7C/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/GEEN7C/", "attachments": []}, {"guid": "fe869a57-a108-5c44-bd55-4dcc162b1d55", "code": "WAHCWT", "id": 50, "logo": null, "date": "2025-02-28T14:00:00+00:00", "start": "14:00", "duration": "01:30", "room": "Kaldal\u00f3n", "slug": "osw2025-50-unconference-sessions", "url": "https://talks.secworkshop.events/osw2025/talk/WAHCWT/", "title": "Unconference Sessions", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Unconference Sessions", "description": "Unconference Sessions", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/WAHCWT/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/WAHCWT/", "attachments": []}, {"guid": "52102af4-4593-5f27-a87c-54ce1ddb5251", "code": 
"JA7VW7", "id": 52, "logo": null, "date": "2025-02-28T16:00:00+00:00", "start": "16:00", "duration": "01:30", "room": "Kaldal\u00f3n", "slug": "osw2025-52-unconference-sessions", "url": "https://talks.secworkshop.events/osw2025/talk/JA7VW7/", "title": "Unconference Sessions", "subtitle": "", "track": null, "type": "Talk/Discussion", "language": "en", "abstract": "Unconference Sessions", "description": "Unconference Sessions", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/JA7VW7/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/JA7VW7/", "attachments": []}, {"guid": "a71f7a41-27ef-5bb1-95f8-6cf0c45ecfce", "code": "XGWAZF", "id": 53, "logo": null, "date": "2025-02-28T17:30:00+00:00", "start": "17:30", "duration": "00:15", "room": "Kaldal\u00f3n", "slug": "osw2025-53-conclusion-and-final-remarks", "url": "https://talks.secworkshop.events/osw2025/talk/XGWAZF/", "title": "Conclusion and Final Remarks", "subtitle": "", "track": null, "type": "Special", "language": "en", "abstract": "Conclusion and Final Remarks", "description": "Conclusion and Final Remarks", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/XGWAZF/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/XGWAZF/", "attachments": []}], "R\u00edma": [{"guid": "3e738ec7-9ede-563f-a849-06ddee7ba08c", "code": "8BKQRJ", "id": 15, "logo": null, "date": "2025-02-28T09:30:00+00:00", "start": "09:30", "duration": "03:00", "room": "R\u00edma", "slug": "osw2025-15-openid4vc-a-road-to-final", "url": "https://talks.secworkshop.events/osw2025/talk/8BKQRJ/", "title": "OpenID4VC: a road to Final", "subtitle": "", "track": null, "type": "Tutorial", "language": "en", "abstract": "This tutorial will cover all the changes made in OpenID4VC specifications in the past year. 
This is a perfect opportunity to get an overview of what a Final specification would look like and provide feedback. It is not OpenID4VC 101.", "description": "OpenID4VC specifications are widely used to issue and present verifiable credentials. The WG has been working hard towards publishing final versions of three main OpenID4VC specifications: OpenID4VP, OpenID4VCI and HAIP.\r\n\r\nThis tutorial will cover all major changes that were made in the specifications in the past year. Below is a non-exhaustive list of the changes that will be covered:\r\n\r\nIn OpenID4VP:\r\n- a new query language (DCQL)\r\n- OpenID4VP over the W3C Digital Credentials API\r\n- Wallet Authentication towards the Verifier\r\n- transaction authorization (QES, payments use-cases)\r\n- communicating wallet capabilities before verifier sends authorization request\r\n- supporting multiple RP Authentication mechanisms in one request\r\n\r\nIn OpenID4VCI:\r\n- key attestation in the Credential Request\r\n- wallet attestation in the Token Request\r\n- incorporating batch issuance functionality into credential endpoint and removing batch credential endpoint\r\n- identifying requested credential configuration throughout the flow\r\n- structural changes to credential request and response\r\n\r\nMajor learnings obtained throughout the process of making these changes will also be shared. 
These include current assumptions about:\r\n- credential lifecycle management\r\n- wallet architecture (mainly the usage of a backend)\r\n- authentication requirements for each entity (issuer, wallet, verifier)\r\n\r\nThe talk will also cover topics that the WG plans to continue working on after publishing a Final specification such as OpenID4VP over proximity (CTAP Hybrid), etc.", "recording_license": "", "do_not_record": false, "persons": [{"code": "F3VWAA", "name": "Kristina Yasuda", "avatar": "https://talks.secworkshop.events/media/avatars/Screenshot_2024-04-30_at_12.11.42_fZCAyu5.png", "biography": "", "public_name": "Kristina Yasuda", "guid": "fe0840e6-6504-5a13-aa81-b98fcb191a3e", "url": "https://talks.secworkshop.events/osw2025/speaker/F3VWAA/"}], "links": [], "feedback_url": "https://talks.secworkshop.events/osw2025/talk/8BKQRJ/feedback/", "origin_url": "https://talks.secworkshop.events/osw2025/talk/8BKQRJ/", "attachments": []}]}}]}}}