This presentation was recorded at GOTO Chicago 2024. #GOTOcon #GOTOchgo
https://gotochgo.com

Aaron Parecki - Director of Identity Standards at Okta @aaronpk

RESOURCES
https://aaronpk.tv
https://bsky.app/profile/aaronpk.com
https://twitter.com/aaronpk
https://instagram.com/aaronpk_tv
https://github.com/aaronpk
https://www.linkedin.com/in/aaronparecki

Links
https://oauth.net/2
https://oauth.net/2.1
https://oauth.net/2/pushed-authorization-requests
https://oauth.net/2/rich-authorization-requests
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-step-up-authn-challenge
https://oauth.net/2/jwt-access-tokens
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps
https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware
https://oauth.net/2/dpop
https://oauth.net/http-signatures
https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html
https://github.com/WICG/dbsc
https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/BindingContext/explainer.md
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth
https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining
https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant
https://datatracker.ietf.org/doc/draft-parecki-oauth-global-token-revocation

ABSTRACT
Aaron is at the forefront of shaping the standards that govern online authentication. In this session, Aaron will share his insights into the evolving landscape of identity and access management, highlighting key trends, challenges, and best practices. Drawing on his experience as the editor of OAuth 2.1 and other specifications, Aaron will discuss the future of OAuth and its impact on developers and security professionals.
This session will cover everything from the origins of OAuth, created to protect users from having to share their credentials with third-party apps, to modern-day uses of OAuth ranging from advanced token exchange use cases to being the underpinnings of secure identity in the enterprise. Expect takeaways on securing applications at scale and understanding the next generation of identity protocols. [...]

TIMECODES
00:00 Intro
01:29 The password anti-pattern
02:05 Why is this bad?
03:27 Solution
05:13 OAuth 2.0
12:38 OAuth 2.1
13:36 OpenID Connect
16:19 Front channel vs Back channel
21:50 Recent OAuth extensions
32:09 Nearly-final specifications
36:15 Sender-constrained access tokens
40:40 Emerging themes
43:10 Is your app enterprise-ready?
45:59 Outro

Download slides and read the full abstract here: https://gotochgo.com/2024/sessions/3364

RECOMMENDED BOOKS
Aaron Parecki • OAuth 2.0 Simplified • https://amzn.to/2A3IMOf
Aaron Parecki • OAuth 2.0 Servers • https://amzn.to/3ecHEsz
Aaron Parecki • The Little Book of OAuth 2.0 RFCs • https://amzn.to/3i7qnlC
Erdal Ozkaya • Cybersecurity: The Beginner's Guide • https://amzn.to/2T6OIj3
Richer & Sanso • OAuth 2 in Action • https://amzn.to/3hXiAH6
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • https://amzn.to/2U8iLY2