PAR: Securing the OAuth and OpenID Connect Front-Channel - Dominick Baier - NDC Security 2024
About this talk
This talk was recorded at NDC Security in Oslo, Norway.

OAuth flows need to be initiated anonymously using a browser. To give the user the optimal experience, various request parameters are required. Manipulating those requests has been one of the most common attack vectors in OAuth. Pushed Authorize Requests (PAR) is a new specification from the OAuth protocol family that solves those problems by adding client authentication to the initial request, and removing the request parameters from the URL altogether. Learn how PAR works, why we think it should be the default going forward, and which additional scenarios it enables.
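The flow the abstract describes, as an added Python sketch that is not code from the talk or from any product it covers: an in-memory authorization server where the client pushes its parameters over an authenticated back-channel call and the browser only carries `client_id` and an opaque `request_uri`. The client registry, host names, 60-second lifetime and one-time-use policy are constructed assumptions.

```python
import hmac, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registry (assumption): one confidential client.
CLIENTS = {"web-app": {"secret": "s3cr3t-constructed",
                       "redirect_uris": {"https://app.example/callback"}}}
PUSHED = {}  # request_uri -> (client_id, params, expiry)

def par_endpoint(client_id, client_secret, params, now=None):
    """Back-channel POST: authenticate the client, validate, store the parameters."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if not client or not hmac.compare_digest(client["secret"].encode(),
                                             client_secret.encode()):
        return 401, {"error": "invalid_client"}
    # Validation happens here, before the user's browser is involved at all.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return 400, {"error": "invalid_request"}
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
    PUSHED[request_uri] = (client_id, dict(params), now + 60)
    return 201, {"request_uri": request_uri, "expires_in": 60}

def front_channel_url(client_id, request_uri):
    """The only values that travel through the browser."""
    return "https://idp.example/authorize?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri})

def authorize_endpoint(url, now=None):
    """Front channel: resolve the reference; other query parameters are ignored."""
    now = time.time() if now is None else now
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    entry = PUSHED.pop(query.get("request_uri", ""), None)  # one-time use
    if entry is None:
        return None
    client_id, params, expiry = entry
    if client_id != query.get("client_id") or now > expiry:
        return None
    return params  # exactly what the authenticated client pushed
```

Because the authorize endpoint reads the stored parameters rather than the query string, appending or altering `redirect_uri` or `scope` in the browser URL has no effect on the request that is processed.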