Day 1

08:30
30min
Breakfast
Kaldalón
09:00
30min
Welcome Session
Kaldalón
09:30
60min
Hope Fulfilled, Hype Dispelled: Identity Standards Past, Present, and Future
Brian Campbell

Revisit pronouncements made in the seminal CIS 2013 “Hope or Hype?” presentation and look at similarities to today's hope and hype surrounding wallets and credentials.

Kaldalón
10:30
30min
Coffee Break
Kaldalón
11:00
30min
How to Enhance Security with Transaction Tokens
Mert Coskuner, Naveen CM

This presentation will delve into the concept of transaction tokens, why Yahoo implemented them at scale, and the security benefits they offer.

Ríma
11:00
30min
eIDs in Europe - A Crash Course
Dag Sneeggen, Allard Keuter

A grand tour of all the different eIDs in Europe, big and small.

Kaldalón
11:30
30min
On the Security of Identity Brokers in Single Sign-On
Louis Jannett, Tommaso Innocenti

In this talk, we present our S&P'25 paper, exploring the brokered SSO ecosystem and its security. This new flow introduces a broker that mediates interactions between websites and Identity Providers. We uncovered 249 brokers and found 50 vulnerable.

Kaldalón
11:30
30min
Securing Delegated Workload Identities
Pieter Kasselman

Workloads increasingly delegate obtaining and using credentials to brokers. This talk presents common delegation models, the resulting security risks and possible mitigations, and invites research into new mechanisms to secure delegated workload identities.

Ríma
12:00
30min
Call for action - review OAuth- and OIDC-related requirements for OWASP ASVS v5.0
Elar Lang

The soon-to-be-released OWASP ASVS v5.0 contains a new chapter of requirements related to OAuth and OIDC. The talk covers what ASVS is (and is not), how it covers OAuth and OIDC and, most importantly, calls on you to review the related chapter.

Ríma
12:00
30min
GNAP: A Retrospective
Justin Richer

The Grant Negotiation and Authorization Protocol (GNAP) is officially an RFC; let's look at how we got here and what the future holds.

Kaldalón
12:30
60min
Lunch Break
Kaldalón
13:30
30min
Unconference Planning Day 1
Kaldalón
14:00
30min
Sponsor Presentations
Kaldalón
14:30
60min
Unconference Sessions
Kaldalón
15:30
30min
Coffee Break
Kaldalón
16:00
90min
Unconference Sessions
Kaldalón
18:00
120min
Reception (drinks and finger food)
Kaldalón

Day 2

08:30
30min
Breakfast
Kaldalón
09:00
30min
Cross-app OAuth Attacks in Integration Platforms: Mix-up Attacks Reloaded
Kaixuan Luo

OAuth Mix-up attacks were considered hard to exploit.
In this talk, we focus on open ecosystems like integration platforms that enable practical variants of mix-up attacks via malicious app integrations, and discuss potential tailored spec changes.

Kaldalón
09:30
30min
HTTP Message Signatures (RFC9421)
Justin Richer

Signing HTTP Messages: How Hard Could It Be?

Kaldalón
09:30
30min
Key Attestations
Paul Bastian, Christian Bormann

In this talk, we look back on the recent developments around key attestations in eIDAS and OpenID4VCI and the motivation behind them. Afterwards we will discuss whether key attestations deserve their own, separate drafts for broader interoperability.

Ríma
10:00
30min
Building the Authentication Layer for OAuth 2.0 for First-Party Applications
Janak Amarasena

This session explores building an API-centric authentication layer for the OAuth 2.0 for First-Party Applications specification. It discusses an authentication API designed to handle diverse authentication needs in a flexible, API-driven manner.

Ríma
10:00
30min
Client Assertions Gone Wrong: When the Audience Takes Over the Show
Tim Würtele, Pedram Hosseyni

We present and discuss Audience Injection Attacks on signature-based client authentication, in which an honest client is tricked into providing the attacker with a valid client credential for an honest authorization server.

Kaldalón
10:30
30min
Coffee Break
Kaldalón
11:00
30min
Seamless Native-to-Browser Sessions with Session Tokens
Fabian Aggeler, Patrick Amrein

Proposing a short-lived, single-use session token mechanism to transfer a user’s native OAuth/OIDC session into in-app browser tabs, ensuring consistent, secure sign-on and minimizing re-authentication prompts.

Kaldalón
11:30
30min
OAuth Cross-Device Flow for Enhanced Authorization in Electric Vehicle Charging
Jonas Primbs

This talk proposes Electric Vehicle (EV) charging authorization using the OAuth Device Authorization Grant and Rich Authorization Requests to simplify credential installation and enhance the security of the Plug and Charge (PnC) ISO 15118 standard.

Kaldalón
11:30
30min
OpenID for Verifiable Credentials: Achieving interoperability, security and scalability
Joseph Heenan

Latest updates on conformance tests for the OpenID for Verifiable Credentials family of standards, a live demonstration of the current tests and a discussion of planned future work.

Ríma
12:00
30min
How to confirm an OAuth2/OIDC product is secure - a conformance test and vulnerability test
Takashi Norimatsu

The talk describes research on conformance tests and vulnerability tests for OAuth2/OIDC and related specifications, used to confirm that a product supporting such a specification is secure. The audience will gain insight into how to check that a product is secure.

Ríma
12:00
30min
Privacy-Preserving Single Sign-On
Maximilian Kroschewski, Anja Lehmann

We present recent advances that improve the privacy of SSO protocols such as OIDC: our approach supports RP authentication, RP-bound tokens and RP-specific pseudonyms - all without the IdP learning the identity of the RP the user wants to access.

Kaldalón
12:30
60min
Lunch Break
Kaldalón
13:30
30min
Unconference Planning Day 2
Kaldalón
14:00
90min
Unconference Sessions
Kaldalón
15:30
30min
Coffee Break
Kaldalón
16:00
45min
Unconference Sessions
Kaldalón
17:00
120min
Guided Walking Tour
Kaldalón
19:00
120min
Dinner @ Kol Restaurant
Kaldalón

Day 3

09:00
30min
Breakfast
Kaldalón
09:30
30min
From Manual to Marvelous: Improving Security Through Conformance Testing
Anne Marie Skaar Hasund, Helene Bjørnsen, Eva Kvalø

HelseID enables secure health data sharing in Norway but poses integration challenges due to our strict security profile. We address this by developing an automated conformance testing system, combining practical development and academic research.

Kaldalón
09:30
180min
OpenID4VC: a road to Final
Kristina Yasuda

This tutorial will cover all the changes made to the OpenID4VC specifications in the past year. It is a perfect opportunity to get an overview of what a Final specification will look like and to provide feedback. It is not OpenID4VC 101.

Ríma
10:00
30min
The Cambrian Explosion of OAuth and OpenID Specifications
Michael B. Jones

The number of OAuth and OpenID specs continues to grow. We will discuss how people and organizations have gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings.

Kaldalón
10:30
30min
Coffee Break
Kaldalón
11:00
30min
API Security Patterns - Real world patterns used for building token based architectures
Jacob Ideskog

A real-world view of the existing patterns used for large scale API security setups using OAuth. Covering gateway patterns, inter-API communication patterns as well as integrations with entitlement management systems (ABAC/PBAC).

Kaldalón
11:30
30min
Real-life OpenID Connect for microservices
Thomas Reppesgård, Anne Marte Hjemås

ID-porten, Norway’s national IdP, uses OAuth 2.1/OIDC as the integration protocol between microservices and frontends. Our OIDC profile helped us create a flexible, robust and secure system running 24/7 for 2000 public services and 4.7 million users.

Kaldalón
12:00
30min
Reaching better access control through OAuth2 clients extensions in JWT profiled tokens and Step-Up Authorization signalling
Jeff Lombardo, Alex Babeanu

RPs receive requests from various origins/contexts and control access using subject metadata. But client attributes (grant flow type, client authentication methods) are out of reach. We propose to improve this state, enabling new signalling capabilities.

Kaldalón
12:30
60min
Lunch Break
Kaldalón
13:30
30min
Unconference Planning Day 3
Kaldalón
14:00
90min
Unconference Sessions
Kaldalón
15:30
30min
Coffee Break
Kaldalón
16:00
90min
Unconference Sessions
Kaldalón
17:30
15min
Conclusion and Final Remarks
Kaldalón