OAuth2 demystified

Pandora Foyer

Almost every developer will have to face this at some point in his or her career: authorization with OAuth2. It doesn’t matter whether you build mobile apps, web applications or firmware for embedded devices in the IoT; everybody seems to use OAuth2 nowadays. But how does this protocol actually work, and what is the deal with all these different flows? Can’t you just pick your favourite library and go for it? You can, but you will probably get it wrong and end up vulnerable to some form of attack.

In this presentation I will take you through the OAuth2 specifications, yes plural, there are several of them. I will explain which flow (or grant type, as the specification actually calls it) fits which situation, which flows you should not use, yes, the specification even defines flows that nobody should use anymore, and how each of these flows works. I will also shed some light on the auxiliary specifications for OAuth2 in native mobile apps and browser-based applications, because those clients cannot keep a secret and warrant special treatment.
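The auxiliary specifications for native and browser-based clients mentioned above both rely on PKCE (RFC 7636), which protects the authorization code against interception by a client that cannot hold a secret. The following is an added example to illustrate that mechanism; it is not code from the talk or from any OAuth2 library. The client side generates a random code_verifier and sends only its SHA-256 hash (the code_challenge) with the authorization request; the token endpoint later recomputes the hash from the presented verifier. The in-memory ToyAuthorizationServer and the run_flow helper are constructed stand-ins for the two protocol parties, and the test vector is the one published in RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) round trip: client-side challenge generation and
authorization-server-side verification at the token endpoint.

Added example, not code from the talk or from an OAuth2 library.
ToyAuthorizationServer is a constructed stand-in for illustration."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes encode to 43 unreserved chars."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token-endpoint check. Only the S256 method is accepted; 'plain'
    is rejected because it exposes the verifier in the front channel."""
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:  # RFC 7636 section 4.1
        return False
    expected = code_challenge_s256(presented_verifier)
    # constant-time comparison avoids leaking how many chars matched
    return hmac.compare_digest(expected, stored_challenge)


class ToyAuthorizationServer:
    """Constructed stand-in: remembers the challenge bound to each code."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """Front channel: issue a one-time authorization code."""
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Back channel: redeem the code; None means the request is refused."""
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        stored_client, challenge, method = entry
        if stored_client != client_id:
            return None
        if not verify_pkce(challenge, method, code_verifier):
            return None
        return "access-token-" + b64url(secrets.token_bytes(8))


def run_flow(code_intercepted: bool = False):
    """Legitimate client completes the flow; with code_intercepted=True an
    attacker who captured the redirect (e.g. a rogue app registered for the
    same custom URI scheme) tries to redeem the code without the verifier."""
    server = ToyAuthorizationServer()
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    code = server.authorize("mobile-app", challenge, "S256")
    if code_intercepted:
        # the attacker only saw the challenge, never the verifier
        return server.token("mobile-app", code, generate_code_verifier())
    return server.token("mobile-app", code, verifier)


if __name__ == "__main__":
    print("legitimate client:", run_flow())
    print("intercepted code :", run_flow(code_intercepted=True))
```

Because the verifier only ever travels over the TLS-protected back channel to the token endpoint, an attacker who sees the authorization response (and therefore the code) still cannot exchange it; this is why the native-app and browser-app recommendations make PKCE mandatory for public clients.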

But the fun does not stop there. For example, did you know that a specification was recently finalized that lets even severely constrained devices perform an OAuth2 flow? Or that you can bind an access token to a client certificate, so that only the client holding the matching private key can use it? And all of this does not yet even touch OpenID Connect, the authentication protocol built on top of OAuth2. As you can see, there is plenty to tell and talk about, and I hope you will all go home with just a little more understanding of the OAuth2 protocol family.