OAuth Security Workshop: Schedule

Invited Talks

Karthikeyan Bhargavan

Breaking and Fixing HTTPS Compound Authentication: TLS 1.3, Token Binding, and OAuth 2.0

Although transport layer protocols such as TLS allow client authentication based on strong credentials such as public-key certificates, application protocols such as HTTPS more commonly employ a compound authentication protocol that composes server authentication at the transport layer with user authentication within the application, based on bearer tokens such as passwords or OAuth tokens. We will discuss the strengths and weaknesses of such compound authentication protocols via recent attacks on TLS, HTTPS, and popular websites. We will then see how new protocols such as TLS 1.3 and Token Binding offer a new way of building compound authentication modes for OAuth 2.0 that prevent a large class of credential forwarding attacks.

Andrey Labunets

Lessons from breaking and defending OAuth in practice

Although the risks of bearer token protocols are widely acknowledged by the security community, the adaptability of bearer tokens to different transports has led them, especially OAuth 2.0, to dominate the ecosystem. Published research and the author's own experience have demonstrated repeated weaknesses arising from misuse or missing security properties in a variety of the client-side communication channels employed by these protocols. This talk surveys how flaws and variations in the browser and app platforms implementing these channels further complicate the task of trying to secure popular OAuth 2 implementations and explores several ways large classes of these problems could be significantly mitigated for already deployed systems, at large scale, through improvements at the HTTP protocol level.

Schedule

Time   Thursday, July 14 / Friday, July 15

9:15   Coffee (both days)
9:45   Opening Remarks
10:00  Thursday: Invited Talk by Karthikeyan Bhargavan, "Breaking and Fixing HTTPS Compound Authentication: TLS 1.3, Token Binding, and OAuth 2.0" (slides)
       Friday: Invited Talk by Andrey Labunets, "Lessons from breaking and defending OAuth in practice" (slides)
11:00  Break (both days)
11:30  Thursday: Oliver Pfaff, "OAuth for Operational Technology?" (pdf, slides)
       Friday: Kaoru Maeda, "Design Guidelines Wanted for Group Service IdP" (pdf, slides)
12:15  Lunch (both days)
13:30  Thursday: Daniel Fett, Ralf Küsters, and Guido Schmitz, "A Comprehensive Formal Security Analysis of OAuth 2.0" (pdf, slides)
       Friday: Hannes Tschofenig, "Solving IoT Security Challenges with OAuth 2.0" (slides)
14:15  Thursday: Wanpeng Li and Chris Mitchell, "Does the IdP Mix-Up attack really work?" (pdf, slides)
       Friday: Michael Jones, "OAuth 2.0 Mix-Up Mitigation: Status and Next Steps" (discussion; pdf)
15:00  Break (both days)
15:30  Thursday: Giada Sciarretta, Roberto Carbone, Silvio Ranise, and Alessandro Armando, "An OAuth-based Single Sign-On solution for Mobile Applications" (pdf, slides)
       Friday: Tobias Wich, Christian Mainka, and Vladislav Mladenov, "PrOfESSOS: Automated OpenID Connect Security Assessment" (pdf, slides)
16:15  Discussion with the IETF OAuth Working Group about recent attacks on OAuth
17:00  Social Event: sightseeing tour of the Roman city of Trier
       Meeting point: inside the Tourist Information at Porta Nigra (from the workshop venue, take Bus 4 to Porta Nigra at 16:25)
19:30  Dinner