Passwords and pixie dust - A look at OAuth 2.0 security in Angular

This page contains the resources for the talk titled "Passwords and pixie dust - A look at OAuth 2.0 security in Angular".

Abstract

OAuth 2.0 is a complex beast. The original OAuth 2.0 specification introduces four different flows, each with its own use cases. Since its release, one of the flows has been deprecated, and a few additional flows have been proposed. But which flow is right for an Angular application? Which flow should you stay away from? And more importantly, why are some flows considered to be insecure?

In this talk, we give a brief overview of a few flows within OAuth 2.0. From a high-level point of view, we point out their use cases and differences. In the second part, we dive into a recent addition: PKCE ('pixie'). This new PKCE-based flow enhances the security properties for OAuth 2.0 flows for public clients. Everyone working with OAuth 2.0 should be aware of it, and use it when available.

About Philippe De Ryck

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.