Oh! Auth: Implementation pitfalls of OAuth 2.0 & the Auth Providers who have fell in it presented at GreHack 2019

by Samit Anwer

Summary: Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a secure SSO and authorization experience between unrelated servers/services. The OAuth 2.0 authorization framework enables 3rd party apps to obtain discretionary access to a web service. Built on top of OAuth, OpenID Connect is a helpful "identity layer" that provides developers with a framework to build an authentication system. In this race to provide OAuth/OpenID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild, because of which relying parties and users face a myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers. In this talk we will discuss common malpractices that "relying party" and "authorization service provider" developers perform when implementing OAuth/OpenID based solutions. We will learn about the attacks that follow from them and their mitigations.
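The abstract describes two classes of pitfalls, on the relying-party side and on the authorization-server side, that lead to authorization code compromise. The following is an added example (not code from the talk or from any real provider) that models the minimum checks each side of the authorization-code flow should perform: the server registers exact redirect URIs, binds each short-lived, single-use code to the client and redirect_uri it was issued for, and the relying party ties every callback to the login attempt that started it via the state parameter. All client identifiers, URIs and session names are constructed sample data.

```python
import secrets
import time


class AuthorizationServer:
    """Hypothetical in-memory authorization server (added example, not a real provider)."""

    CODE_TTL = 60  # seconds; authorization codes are short-lived

    def __init__(self):
        # Registered clients: client_id -> set of exact redirect URIs (constructed sample data)
        self.clients = {"demo-client": {"https://rp.example/callback"}}
        self.codes = {}  # code -> (client_id, redirect_uri, expiry)

    def authorize(self, client_id, redirect_uri, state):
        # Exact string match against the registered URI; no prefix or wildcard matching
        if redirect_uri not in self.clients.get(client_id, set()):
            raise ValueError("unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, time.time() + self.CODE_TTL)
        return {"code": code, "state": state}  # state is echoed back unchanged

    def token(self, client_id, code, redirect_uri):
        entry = self.codes.pop(code, None)  # pop() makes the code single-use
        if entry is None:
            raise ValueError("unknown or already used code")
        bound_client, bound_redirect, expiry = entry
        if time.time() > expiry:
            raise ValueError("code expired")
        if client_id != bound_client or redirect_uri != bound_redirect:
            raise ValueError("code was issued to a different client or redirect_uri")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class RelyingParty:
    """Hypothetical relying party that binds each callback to the session that started login."""

    def __init__(self, auth_server, client_id, redirect_uri):
        self.auth_server = auth_server
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.sessions = {}  # session_id -> expected state

    def start_login(self, session_id):
        state = secrets.token_urlsafe(16)  # unguessable, per login attempt
        self.sessions[session_id] = state
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}

    def callback(self, session_id, code, state):
        expected = self.sessions.pop(session_id, None)
        if expected is None or not secrets.compare_digest(expected, state):
            raise ValueError("state mismatch: callback is not tied to this login attempt")
        # Redeem the code with the same redirect_uri used in the authorization request
        return self.auth_server.token(self.client_id, code, self.redirect_uri)


def _raises(fn, *args):
    """Return True if fn(*args) is rejected with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def run_checks():
    """Exercise the happy path and the three rejections; returns a dict of outcomes."""
    auth = AuthorizationServer()
    rp = RelyingParty(auth, "demo-client", "https://rp.example/callback")
    results = {}

    # An unregistered redirect_uri is refused before any code is issued
    results["redirect_rejected"] = _raises(
        auth.authorize, "demo-client", "https://other.example/cb", "s")

    # A callback whose state does not match the session is refused
    req = rp.start_login("sess-a")
    resp = auth.authorize(req["client_id"], req["redirect_uri"], req["state"])
    results["state_rejected"] = _raises(rp.callback, "sess-a", resp["code"], "wrong-state")

    # Happy path, then the same code is refused on second redemption
    req = rp.start_login("sess-b")
    resp = auth.authorize(req["client_id"], req["redirect_uri"], req["state"])
    token = rp.callback("sess-b", resp["code"], resp["state"])
    results["token_issued"] = token["token_type"] == "Bearer"
    results["reuse_rejected"] = _raises(
        auth.token, "demo-client", resp["code"], "https://rp.example/callback")
    return results


if __name__ == "__main__":
    print(run_checks())
```

Each rejection in `run_checks` corresponds to a check that, when omitted, is what turns a leaked or replayed authorization code into unauthorized resource access: loose redirect_uri matching lets a code be delivered elsewhere, a missing state check lets a code from one login be consumed in another session, and reusable or unbound codes let a captured code be redeemed more than once or by a different client.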