You’ve probably heard of OAuth before. And if you took the time to look into it, there were a bunch of diagrams with arrows pointing in every direction. Add to that very specific terminology and you get a spec that is barely understandable for a lot of people. The learning curve of OAuth is quite steep, and that is part of the reason why a lot of developers don’t bother implementing it. However, understanding the basics will make your life as a developer so much simpler. In this talk, the presenter will try to explain the basic principles of OAuth in simple terms and, hopefully, in a way that is easy to understand for real software developers who don’t necessarily have a passion for security.
So you’ve finally implemented your own authorization server. And it uses JWT because everyone else does. But is it secure? JWTs are the new great thing that everyone is talking about but you need to use them correctly. During this talk, we will see how we can use various attacks to hack into OAuth systems that use JWTs as a token mechanism. From token validation to brute forcing HS256, by seeing the attackers’ point of view, the attendees will learn how to better defend themselves and make more secure servers.