Introduction to OAuth 2.0 and OpenID Connect

This page contains the resources for the talk titled "Introduction to OAuth 2.0 and OpenID Connect".

Abstract

OAuth is a delegation framework that appears on the radar of security professionals and developers more and more every day. OAuth intersects with authentication and access control, yet you would not likely use OAuth in and of itself for authentication, session management or access control in your applications. Even more confusing, OAuth is not a standard, and various service providers will likely have different implementations. Let's say it again, OAuth is not a standard - its a framework for delegation. So this leaves us with questions! What is delegation? Where does OAuth fit in? How can I securely use OAuth?

To add more confusion to this topic, OpenID Connect was built on top of OAuth 2.0. OpenID Connect has become an industry-leading standard for user identification. It is used by many of the largest organizations on the web. When implemented properly, OpenID Connect can be a reliable and secure solution for user identification. When used improperly, OpenID Connect can leave a gaping hole in your infrastructure that leaks significant capabilities to unwanted parties.

This talk will provide an introduction to both topics and what their intended use is really for.

About Philippe De Ryck

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.