OpenID Connect and OAuth 2.0 are a lot more complicated than most people realise. This talk discusses common attacks (and mitigations!) for scenarios where you find yourself faced with “federation”-style authentication and authorisation flows, using the two most common protocols: OpenID Connect and OAuth 2.0.

This talk covers the perspective of an attacker with various levels of access, including pre-compromise scenarios and post-compromise scenarios in which a website or an API server has already been breached.

$ whoami

Matt Cotterell is a Security Consultant and Software Engineer working for ZX Security in Wellington. His work involves breaking web applications, APIs and cloud configurations looking for security vulnerabilities. Beyond that, he enjoys exploring various authentication patterns and practices, software frameworks and public cloud providers in order to craft beautiful, secure and maintainable solutions to challenging technical problems.

In his spare time, he can be found watching bad movies, gleefully overusing the word “cyber,” and feeling awkward writing biographies in a third-person perspective.