Advanced OAuth

OAuth 2.0, 2.1 and beyond

Duration: 1 day

Target audience: developers, application architects, security architects, security officers

Since its publication in RFC 6749 and RFC 6750, OAuth 2.0 has gained massive traction in the market and has become the standard for API protection and the foundation of OpenID Connect. Its usage has been extended to use cases and higher-security environments than originally considered and anticipated, including the financial industry and health care.

In the meantime, the protocols and implementations have been attacked through known implementation weaknesses and anti-patterns, as well as very targeted attacks.

That is the reason both the IETF (BCPs) and the OpenID Foundation (FAPI) started working on a number of documents that update the original specs and threat models and give more prescriptive guidance. The discussions during the creation of those documents led to the conclusion that OAuth itself needs updates to provide a better security baseline for the things to come.

The first update will be called “OAuth 2.1”, which removes some problematic protocol features and provides stricter security guidelines. On top of this work, several add-on protocols have been specified to reinforce OAuth for higher-security scenarios.

Ultimately, this will lead to “OAuth 3.0”, which incorporates the lessons learned and the add-on specs into a single coherent protocol, but this is still a couple of years ahead.

This full-day workshop gives an overview of common OAuth attacks and countermeasures, details the OAuth 2.1 changes, and looks at all the additional specifications that make up the “higher security OAuth” stack.

Includes slides covering protocols and specifications, and sample code for ASP.NET Core and IdentityServer (where applicable).

Documents covered:

Upcoming Dates

This workshop can be delivered in-house/remote (contact us for more info).

Agenda

This training course covers the following advanced topics:

  • OAuth in high-security scenarios
  • OAuth security best practices
  • Common attacks & countermeasures
  • OAuth 2.1
  • Scopes, resources & audience restrictions
  • Rich authorization requests
  • JWT secured authorization requests & request objects
  • Pushed Authorization Requests
  • Strong client authentication
  • Proof-of-possession access tokens
  • Delegation, impersonation & token exchange
  • “OAuth 3.0” outlook