Abstract image of a woman sitting on books and studying on a laptop

OAuth & OpenID Connect Deep Dive

Download as PDF, PPTX
Nordic APIs, profile picture
Nordic APIs

The document provides an in-depth overview of OAuth and OpenID Connect, including terminology, common flows, and advanced specifications. It discusses different types of tokens, their usage, and highlights the importance of scopes within the protocol. Additionally, it addresses improper and proper uses of OAuth and outlines advanced security measures such as PKCE and mutual TLS.

Software
Related topics:
Nordic APIs Austin API Summit
1 of 27
Download as PDF, PPTX
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Most read
20
21
22
Most read
23
24
25
26
27
OAuth & OpenID Connect Deep Dive Copyright © 2018 Curity AB By Travis Spencer, CEO @travisspencer, @curityio
Agenda Terminology & some basics Common flows Some more advanced, related specs @travis / @curityio Copyright © 2018 Curity AB
Framework for other specifications Request tokens from a token server Present them to an API Allows delegated access, revocation, no password sharing Obsoletes OAuth 1.0a @travis / @curityio Copyright © 2018 Curity AB
OAuth Actors 1. Resource Owner (RO) 2. Client 3. Authorization Server (AS) 4. Resource Server (RS) (i.e., API) Get a token Use a token @travis / @curityio Copyright © 2018 Curity AB
Request, Authenticate & Consent Request Access Login Consent @travis / @curityio Copyright © 2018 Curity AB
User is redirected to OAuth server Code Flow APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
User logs in and delegates access Code Flow APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
Code Flow Short-lived access code is issued to client APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
Code Flow Code is exchanged for an access token APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
Code Flow Access token can be used to call APIs APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
Scopes • Like permissions • Scopes specify extent of tokens’ usefulness • Listed on consent UI (if shown) • No standardized scopes @travis / @curityio Copyright © 2018 Curity AB
Kinds of Tokens Like a session Refresh TokensAccess Tokens Like a Password Used to secure API calls Used to get new access tokens @travis / @curityio Copyright © 2018 Curity AB
Profiles of Tokens Holder of Key HoK tokens are like credit cards Bearer Bearer tokens are like cash $ @travis / @curityio Copyright © 2018 Curity AB
Types of Tokens • WS-Security & SAML • Custom • Home-grown • Oracle Access Manager • SiteMinder • CBOR Web Tokens (CWT) • JWT @travis / @curityio Copyright © 2018 Curity AB
JWT = JWS/E/K/A@travis / @curityio Copyright © 2018 Curity AB
JWT Type Tokens • Pronounced like the English word “jot” • Lightweight tokens passed in HTTP headers & query strings • Encoded as JSON • Compact • Encrypted, signed, or neither • Not the only kind of token allowed by OAuth @travis / @curityio Copyright © 2018 Curity AB
Passing Tokens By Value User attributes are in the token By Reference User attributes are referenced by an identifier @travis / @curityio Copyright © 2018 Curity AB
Improper Usage of OAuth Not for authentication Not for federation Not really for authorization @travis / @curityio Copyright © 2018 Curity AB
Proper Usage or OAuth For delegation @travis / @curityio Copyright © 2018 Curity AB
Profiles: Basic, Implicit, Hybrid flow, FAPI Form POST response model Dynamic client registration Logout Session management Discovery @travis / @curityio Copyright © 2018 Curity AB
Copyright Curity AB 2017 OIDC & OAuth versions WebFinger Well-known URIs Discovery Metadata Copyright Curity AB 2017
OpenID Connect Examples Get user info using access token OAuth AS / OpenID Provider RP / Client Browser Access code Send code to get access token Access token & ID token Check audience restriction of ID token Request login, providing “openid” scope & user info scopes User info @travis / @curityio Copyright © 2018 Curity AB
ID Token is for the Client • Access token is for API • ID token is for client • ID token provides client with info about • Intended client recipient • Username • Credential used to login • Issuer of token • Expiration time @travis / @curityio Copyright © 2018 Curity AB
User Info Endpoint • Token issuance and user discovery endpoint • Authenticate using access token issued by OpenID Provider • Output depends on requested and authorized scopes • sub claim must match sub claim in ID token @travis / @curityio Copyright © 2018 Curity AB
For High Security PoP Token binding Proof Key for Code Exchange (PKCE or “pixie”) Mutual TLS Profile for OAuth @travis / @curityio Copyright © 2018 Curity AB
Around 50 RFCs, drafts & other specs 26 Hopefully this has been a helpful overview to start digging deeper @travis / @curityio Copyright © 2018 Curity AB
Visit curity.io and stop by our booth @travis / @curityio Copyright © 2018 Curity AB

More Related Content

PDF
Introduction to OpenID Connect
Nat Sakimura
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PPT
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
PDF
Introduction to kubernetes
Gabriel Carro
 
PDF
OAuth 2.0
Uwe Friedrichsen
 
PPTX
IdP, SAML, OAuth
Dan Brinkmann
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PDF
Graphql
Niv Ben David
 
Introduction to OpenID Connect
Nat Sakimura
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Introduction to kubernetes
Gabriel Carro
 
OAuth 2.0
Uwe Friedrichsen
 
IdP, SAML, OAuth
Dan Brinkmann
 
OAuth2 - Introduction
Knoldus Inc.
 
Graphql
Niv Ben David
 

What's hot (20)

PPTX
An Introduction to OAuth 2
Aaron Parecki
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PDF
OAuth 2.0 and OpenID Connect
Jacob Combs
 
PPTX
OpenID Connect: An Overview
Pat Patterson
 
PPTX
Intro to OAuth2 and OpenID Connect
LiamWadman
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PPTX
Secure your app with keycloak
Guy Marom
 
PDF
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
PPTX
OAuth 2
ChrisWood262
 
PDF
Introduction to SAML 2.0
Mika Koivisto
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PPTX
OpenId Connect Protocol
Michael Furman
 
PPTX
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
PDF
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
PPTX
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
PDF
OAuth
Iván Fernández Perea
 
PPTX
Building secure applications with keycloak
Abhishek Koserwal
 
PPTX
Building an Authorization Solution for Microservices Using Neo4j and OPA
Neo4j
 
PPTX
Azure AD Presentation - @ BITPro - Ajay
Anoop Nair
 
An Introduction to OAuth 2
Aaron Parecki
 
OAuth2 + API Security
Amila Paranawithana
 
Demystifying OAuth 2.0
Karl McGuinness
 
OAuth 2.0 and OpenID Connect
Jacob Combs
 
OpenID Connect: An Overview
Pat Patterson
 
Intro to OAuth2 and OpenID Connect
LiamWadman
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Secure your app with keycloak
Guy Marom
 
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
OAuth 2
ChrisWood262
 
Introduction to SAML 2.0
Mika Koivisto
 
An Introduction to OAuth2
Aaron Parecki
 
OpenId Connect Protocol
Michael Furman
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OAuth
Iván Fernández Perea
 
Building secure applications with keycloak
Abhishek Koserwal
 
Building an Authorization Solution for Microservices Using Neo4j and OPA
Neo4j
 
Azure AD Presentation - @ BITPro - Ajay
Anoop Nair
 
Ad

Similar to OAuth & OpenID Connect Deep Dive (20)

PDF
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 
PDF
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
PDF
Secure your APIs using OAuth 2 and OpenID Connect
Nordic APIs
 
PDF
Launching a Successful and Secure API
Nordic APIs
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
PDF
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
PDF
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
PDF
JHipster and Okta - JHipster Virtual Meetup December 2020
Matt Raible
 
PDF
170724 JP/UK Open Banking Summit English Translation
Nat Sakimura
 
PPTX
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PDF
Auth proxy pattern on Kubernetes
Michał Wcisło
 
PDF
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible
 
PPTX
APIs_ An Introduction.pptx
AkashThorat25
 
PPTX
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
APIsecure_ Official
 
PPTX
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
PDF
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
PDF
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Tatsuo Kudo
 
PDF
OAuth in the Real World featuring Webshell
CA API Management
 
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
Secure your APIs using OAuth 2 and OpenID Connect
Nordic APIs
 
Launching a Successful and Secure API
Nordic APIs
 
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 
JHipster and Okta - JHipster Virtual Meetup December 2020
Matt Raible
 
170724 JP/UK Open Banking Summit English Translation
Nat Sakimura
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
 
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Auth proxy pattern on Kubernetes
Michał Wcisło
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible
 
APIs_ An Introduction.pptx
AkashThorat25
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
APIsecure_ Official
 
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Tatsuo Kudo
 
OAuth in the Real World featuring Webshell
CA API Management
 
Ad

More from Nordic APIs (20)

PPTX
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
PPTX
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
PDF
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
PPTX
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
PPTX
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
PDF
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
PPTX
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
PPTX
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
PPTX
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
PPTX
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
PPTX
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
PPTX
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
PPTX
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
PPTX
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
PPTX
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
PPTX
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
PPTX
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
PPTX
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
PDF
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
PPTX
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 

Recently uploaded (20)

PDF
Ragic Data Security Overview: Certifications, Compliance, and Network Safegua...
Ragic
 
PDF
Software Development Company - swapdigit | Best Mobile App Development In India
Digital India
 
PPTX
AI Tools Revolutionizing Software Development Workflows
amngrg0511
 
PDF
Enscape 3D Crack + With 2025 Activation Key free
bobykhan786g
 
PDF
solman-7.0-ehp1-sp21-incident-management
Giuseppe Caselli
 
PDF
WhatsApp Chatbots The Key to Scalable Customer Support.pdf
Quick Message
 
PDF
Coding with GPT-5- What’s New in GPT 5 That Benefits Developers.pdf
DianApps Technologies
 
PPTX
Beige and Black Minimalist Project Deck Presentation (1).pptx
omchoksi99
 
PPTX
MCP empowers AI Agents from Zero to Production
innovaterz
 
PDF
Streamlining Project Management in Microsoft Project, Planner, and Teams with...
OnePlan Solutions
 
PDF
DOWNLOAD—IOBit Uninstaller Pro Crack Download Free
henryc1122g
 
PDF
Multiverse AI Review 2025_ The Ultimate All-in-One AI Platform.pdf
THEMESMO
 
PDF
Difference Between Website and Web Application.pdf
Secuodsoft
 
PDF
MaterialX Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
PPTX
Presentation - Summer Internship at Samatrix.io_template_2.pptx
omchoksi99
 
PPTX
Relevance Tuning with Genetic Algorithms
TimAllison16
 
PDF
IObit Driver Booster Pro Crack Latest Version Download
henryc1122g
 
PPTX
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
Shane Coughlan
 
PDF
Science is Not Enough SPLC2009 Richard P. Gabriel
Marek569301
 
PPT
introduction of sql, sql commands(DD,DML,DCL))
Rukhmanisahu5
 
Ragic Data Security Overview: Certifications, Compliance, and Network Safegua...
Ragic
 
Software Development Company - swapdigit | Best Mobile App Development In India
Digital India
 
AI Tools Revolutionizing Software Development Workflows
amngrg0511
 
Enscape 3D Crack + With 2025 Activation Key free
bobykhan786g
 
solman-7.0-ehp1-sp21-incident-management
Giuseppe Caselli
 
WhatsApp Chatbots The Key to Scalable Customer Support.pdf
Quick Message
 
Coding with GPT-5- What’s New in GPT 5 That Benefits Developers.pdf
DianApps Technologies
 
Beige and Black Minimalist Project Deck Presentation (1).pptx
omchoksi99
 
MCP empowers AI Agents from Zero to Production
innovaterz
 
Streamlining Project Management in Microsoft Project, Planner, and Teams with...
OnePlan Solutions
 
DOWNLOAD—IOBit Uninstaller Pro Crack Download Free
henryc1122g
 
Multiverse AI Review 2025_ The Ultimate All-in-One AI Platform.pdf
THEMESMO
 
Difference Between Website and Web Application.pdf
Secuodsoft
 
MaterialX Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
Presentation - Summer Internship at Samatrix.io_template_2.pptx
omchoksi99
 
Relevance Tuning with Genetic Algorithms
TimAllison16
 
IObit Driver Booster Pro Crack Latest Version Download
henryc1122g
 
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
Shane Coughlan
 
Science is Not Enough SPLC2009 Richard P. Gabriel
Marek569301
 
introduction of sql, sql commands(DD,DML,DCL))
Rukhmanisahu5
 

OAuth & OpenID Connect Deep Dive

  • 1. OAuth & OpenID Connect Deep Dive Copyright © 2018 Curity AB By Travis Spencer, CEO @travisspencer, @curityio
  • 2. Agenda Terminology & some basics Common flows Some more advanced, related specs @travis / @curityio Copyright © 2018 Curity AB
  • 3. Framework for other specifications Request tokens from a token server Present them to an API Allows delegated access, revocation, no password sharing Obsoletes OAuth 1.0a @travis / @curityio Copyright © 2018 Curity AB
  • 4. OAuth Actors 1. Resource Owner (RO) 2. Client 3. Authorization Server (AS) 4. Resource Server (RS) (i.e., API) Get a token Use a token @travis / @curityio Copyright © 2018 Curity AB
  • 5. Request, Authenticate & Consent Request Access Login Consent @travis / @curityio Copyright © 2018 Curity AB
  • 6. User is redirected to OAuth server Code Flow APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
  • 7. User logs in and delegates access Code Flow APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
  • 8. Code Flow Short-lived access code is issued to client APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
  • 9. Code Flow Code is exchanged for an access token APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
  • 10. Code Flow Access token can be used to call APIs APIs & microservices @travis / @curityio Copyright © 2018 Curity AB
  • 11. Scopes • Like permissions • Scopes specify extent of tokens’ usefulness • Listed on consent UI (if shown) • No standardized scopes @travis / @curityio Copyright © 2018 Curity AB
  • 12. Kinds of Tokens Like a session Refresh TokensAccess Tokens Like a Password Used to secure API calls Used to get new access tokens @travis / @curityio Copyright © 2018 Curity AB
  • 13. Profiles of Tokens Holder of Key HoK tokens are like credit cards Bearer Bearer tokens are like cash $ @travis / @curityio Copyright © 2018 Curity AB
  • 14. Types of Tokens • WS-Security & SAML • Custom • Home-grown • Oracle Access Manager • SiteMinder • CBOR Web Tokens (CWT) • JWT @travis / @curityio Copyright © 2018 Curity AB
  • 15. JWT = JWS/E/K/A@travis / @curityio Copyright © 2018 Curity AB
  • 16. JWT Type Tokens • Pronounced like the English word “jot” • Lightweight tokens passed in HTTP headers & query strings • Encoded as JSON • Compact • Encrypted, signed, or neither • Not the only kind of token allowed by OAuth @travis / @curityio Copyright © 2018 Curity AB
  • 17. Passing Tokens By Value User attributes are in the token By Reference User attributes are referenced by an identifier @travis / @curityio Copyright © 2018 Curity AB
  • 18. Improper Usage of OAuth Not for authentication Not for federation Not really for authorization @travis / @curityio Copyright © 2018 Curity AB
  • 19. Proper Usage or OAuth For delegation @travis / @curityio Copyright © 2018 Curity AB
  • 20. Profiles: Basic, Implicit, Hybrid flow, FAPI Form POST response model Dynamic client registration Logout Session management Discovery @travis / @curityio Copyright © 2018 Curity AB
  • 21. Copyright Curity AB 2017 OIDC & OAuth versions WebFinger Well-known URIs Discovery Metadata Copyright Curity AB 2017
  • 22. OpenID Connect Examples Get user info using access token OAuth AS / OpenID Provider RP / Client Browser Access code Send code to get access token Access token & ID token Check audience restriction of ID token Request login, providing “openid” scope & user info scopes User info @travis / @curityio Copyright © 2018 Curity AB
  • 23. ID Token is for the Client • Access token is for API • ID token is for client • ID token provides client with info about • Intended client recipient • Username • Credential used to login • Issuer of token • Expiration time @travis / @curityio Copyright © 2018 Curity AB
  • 24. User Info Endpoint • Token issuance and user discovery endpoint • Authenticate using access token issued by OpenID Provider • Output depends on requested and authorized scopes • sub claim must match sub claim in ID token @travis / @curityio Copyright © 2018 Curity AB
  • 25. For High Security PoP Token binding Proof Key for Code Exchange (PKCE or “pixie”) Mutual TLS Profile for OAuth @travis / @curityio Copyright © 2018 Curity AB
  • 26. Around 50 RFCs, drafts & other specs 26 Hopefully this has been a helpful overview to start digging deeper @travis / @curityio Copyright © 2018 Curity AB
  • 27. Visit curity.io and stop by our booth @travis / @curityio Copyright © 2018 Curity AB