Welcome Session
Revisit pronouncements made in the seminal CIS 2013 “Hope or Hype?” presentation and look at their similarities to today's hope and hype surrounding wallets and credentials.
This presentation will delve into the concept of transaction tokens, why Yahoo implemented them at scale, and the security benefits they offer.
A grand tour of all the different eIDs in Europe, big and small.
In this talk, we present our S&P'25 paper, exploring the brokered SSO ecosystem and its security. This new flow introduces a broker that mediates interactions between websites and Identity Providers. We uncovered 249 brokers and found 50 vulnerable.
Workloads increasingly delegate obtaining and using credentials to brokers. This talk presents common delegation models, the resulting security risks and possible mitigations, and invites research into new mechanisms to secure delegated workload identities.
The soon-to-be-released OWASP ASVS v5.0 contains a new chapter of requirements related to OAuth and OIDC. The talk covers what ASVS is (and is not), how it covers OAuth and OIDC, and, most importantly, a call for you to review the related chapter.
The Grant Negotiation and Authorization Protocol (GNAP) is officially an RFC; let's look at how we got here and what the future holds.
Unconference Planning Day 1
Unconference Sessions
Unconference Sessions
OAuth Mix-up attacks were considered hard to exploit.
In this talk, we focus on open ecosystems like integration platforms that enable practical variants of mix-up attacks via malicious app integrations, and discuss potential tailored spec changes.
Signing HTTP Messages: How Hard Could It Be?
In this talk, we look back on the recent developments around key attestations in eIDAS and OpenID4VCI and the motivation behind them. Afterwards we will discuss whether key attestations deserve their own, separate drafts for broader interoperability.
This session explores building an API-centric authentication layer for the OAuth 2.0 for First-Party Applications specification. It discusses an authentication API designed to handle diverse authentication needs in a flexible, API-driven manner.
We present and discuss Audience Injection Attacks on signature-based client authentication, in which an honest client is tricked into providing the attacker with a valid client credential for an honest authorization server.
Proposing a short-lived, single-use session token mechanism to transfer a user’s native OAuth/OIDC session into in-app browser tabs, ensuring consistent, secure sign-on and minimizing re-authentication prompts.
This talk proposes Electric Vehicle (EV) charging authorization using the OAuth Device Authorization Grant and Rich Authorization Requests to simplify credential installation and enhance the security of the Plug and Charge (PnC) ISO 15118 standard.
Latest updates on conformance tests for the OpenID for Verifiable Credentials family of standards, a live demonstration of the current tests, and discussion of planned future work.
The talk describes research on conformance tests and vulnerability tests for OAuth2/OIDC and its related specifications, used to confirm that a product supporting such specifications is secure. The audience can gain insight into how the researchers check that a product is secure.
We present recent advances that improve the privacy of SSO protocols such as OIDC: our approach supports RP authentication, RP-bound tokens and RP-specific pseudonyms - all without the IdP learning the identity of the RP the user wants to access.
Unconference Planning Day 2
Unconference Sessions
Unconference Sessions
HelseID enables secure health data sharing in Norway but poses integration challenges due to our strict security profile. We address this by developing an automated conformance testing system, combining practical development and academic research.
This tutorial will cover all the changes made in the OpenID4VC specifications in the past year. This is a perfect opportunity to get an overview of how a Final specification will look and to provide feedback. It is not OpenID4VC 101.
The number of OAuth and OpenID specs continues to grow. We will discuss how people and organizations have gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings.
A real-world view of the existing patterns used for large scale API security setups using OAuth. Covering gateway patterns, inter-API communication patterns as well as integrations with entitlement management systems (ABAC/PBAC).
ID-porten, Norway’s national IdP, uses OAuth 2.1/OIDC as the integration protocol between microservices and frontends. Our OIDC profile helped us create a flexible, robust and secure system running 24/7 for 2000 public services and 4.7 million users.
RPs receive requests from various origins/contexts and control access using subject metadata. But client-side attributes (grant flow type, client authentication methods) are out of reach. We propose to improve this state, enabling new signalling capabilities.
Unconference Planning Day 3
Unconference Sessions
Unconference Sessions
Conclusion and Final Remarks