A Deep Dive into the Past, Present & Future of OAuth • Aaron Parecki • GOTO 2024

This presentation was recorded at GOTO Chicago 2024. #GOTOcon #GOTOchgo
https://gotochgo.com

Aaron Parecki – Director of Identity Standards at Okta @aaronpk

RESOURCES
https://aaronpk.tv
https://bsky.app/profile/aaronpk.com

https://instagram.com/aaronpk_tv
https://github.com/aaronpk
https://www.linkedin.com/in/aaronparecki

Links
https://oauth.net/2
https://oauth.net/2.1
https://oauth.net/2/pushed-authorization-requests
https://oauth.net/2/rich-authorization-requests
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-step-up-authn-challenge
https://oauth.net/2/jwt-access-tokens
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps
https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware
https://oauth.net/2/dpop
https://oauth.net/http-signatures
https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html
https://github.com/WICG/dbsc
https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/BindingContext/explainer.md
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth
https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining
https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant
https://datatracker.ietf.org/doc/draft-parecki-oauth-global-token-revocation

ABSTRACT
Aaron is at the forefront of shaping the standards that govern online authentication. In this session, Aaron will share his insights into the evolving landscape of identity and access management, highlighting key trends, challenges, and best practices. Drawing on his experience as the editor of OAuth 2.1 and other specifications, Aaron will discuss the future of OAuth and its impact on developers and security professionals.

This session will cover everything from the origins of OAuth, created so that users would not have to share their credentials with third-party apps, to modern-day uses of OAuth, ranging from advanced token exchange use cases to being the underpinnings of secure identity in the enterprise. Expect takeaways on securing applications at scale and understanding the next generation of identity protocols. […]

TIMECODES
00:00 Intro
01:29 The password anti-pattern
02:05 Why is this bad?
03:27 Solution
05:13 OAuth 2.0
12:38 OAuth 2.1
13:36 OpenID Connect
16:19 Front channel vs Back channel
21:50 Recent OAuth extensions
32:09 Nearly-final specifications
36:15 Sender-constrained access tokens
40:40 Emerging themes
43:10 Is your app enterprise-ready?
45:59 Outro

Download slides and read the full abstract here:
https://gotochgo.com/2024/sessions/3364

RECOMMENDED BOOKS
Aaron Parecki • OAuth 2.0 Simplified • https://amzn.to/2A3IMOf
Aaron Parecki • OAuth 2.0 Servers • https://amzn.to/3ecHEsz
Aaron Parecki • The Little Book of OAuth 2.0 RFCs • https://amzn.to/3i7qnlC
Erdal Ozkaya • Cybersecurity: The Beginner’s Guide • https://amzn.to/2T6OIj3
Richer & Sanso • OAuth 2 in Action • https://amzn.to/3hXiAH6
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • https://amzn.to/2U8iLY2

https://bsky.app/profile/gotocon.com

https://www.linkedin.com/company/goto-
https://www.instagram.com/goto_con
https://www.facebook.com/GOTOConferences
#OAuth2 #OAuth #Security #Privacy #SecureWebServer #AWS #Serverless #Okta #AWSserverless #AuthZ #AuthN #OpenIDconnect #OpenID #Cybersecurity #Encryption #JWT #JSONWebTokens #RFC #PKCE #AaronParecki

CHANNEL MEMBERSHIP BONUS
Join this channel to get early access to videos & other perks:
https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/join

Looking for a unique learning experience?
Attend the next GOTO conference near you! Get your ticket at https://gotopia.tech
Sign up for updates and specials at https://gotopia.tech/newsletter

SUBSCRIBE TO OUR CHANNEL – new videos posted almost daily.
https://www.youtube.com/user/GotoConferences/?sub_confirmation=1