OAuth & OpenID Connect

  • TYPE: Combined Session DATE: Thursday, May 16, 2019 TIME: 12:00-13:00 LOCATION: AMMERSEE I


The OpenID Foundation has created a test and self-certification program for OpenID Connect protocol implementations to stimulate interoperability, deployment and robustness of these implementations. This presentation provides an introduction to the OpenID Foundation and the OpenID Connect self-certification program and covers the following topics:
- what the OpenID Foundation is and how it compares to other standardization organizations
- what OpenID Connect self-certification is and why it matters
- how self-certification can be achieved by implementations and deployments

Key takeaways:

  • What is OpenID Connect self-certification.
  • Why is OpenID Connect self-certification important.
  • How can OpenID Connect self-certification be achieved.


Hans Zandbelt is CTO at ZmartZone IAM. He holds an MSc degree in Computer Science, Tele-Informatics and Open Systems from Twente University (1993). He has over 20 years' experience as a technical leader in research and innovation projects, including digital identity initiatives. In 2007 he...

The OAuth working group recently decided to discourage use of the implicit grant. But that is just the most prominent recommendation the working group is about to publish in the upcoming OAuth 2.0 Security Best Current Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics), which will elevate OAuth security to the next level. To mention just a few of the others: the authorization code flow shall be used only with PKCE, and access tokens should be sender-constrained rather than plain bearer tokens. Development of these enhanced recommendations was driven by several factors, including experiences gathered in the field, security research results, the increased dynamics and sensitivity of the use cases OAuth is used to protect, and technological changes. This session will present the new security recommendations in detail along with the underlying rationales.
Key takeaways:

  • the OAuth working group is publishing new security guidelines for OAuth 2.0
  • the implicit grant should no longer be used, so especially the way OAuth is used for Single Page Applications (SPAs) must be changed
  • other practices, like the code flow and bearer access tokens, will need to change as well
  • reasons for the changes: deployment experiences, security research, increased security requirements due to more sensitive use cases and dynamic scenarios
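The PKCE requirement above is easy to get wrong on the server side, so here is a worked, added example (not code from the session or from the IETF draft) of the authorization code flow with PKCE as RFC 7636 specifies it: the client derives an S256 code_challenge from a random code_verifier, the authorization server binds that challenge to the issued code, and the token endpoint only releases a token if the presented verifier hashes to the stored challenge. The client_id and redirect_uri values are assumed for illustration; the in-memory AuthorizationServer class is a stand-in for a real server, and the code_verifier/code_challenge pair used in the check below is the test vector from RFC 7636 Appendix B.

```python
"""Authorization code flow with PKCE (RFC 7636, S256), added example."""
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: code_verifier is built from the unreserved URI character set.
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy random string, 43..128 characters long."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal in-memory stand-in (assumed, not a real AS) showing the two server-side checks."""

    def __init__(self) -> None:
        # code -> (code_challenge, client_id, redirect_uri)
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        # The BCP recommends S256; 'plain' is only for clients that cannot hash.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (code_challenge, client_id, redirect_uri)
        return code

    def token(self, code: str, code_verifier: str, client_id: str, redirect_uri: str) -> dict:
        # pop() makes the code single-use: a replayed code fails even with the right verifier.
        record = self._codes.pop(code, None)
        if record is None:
            return {"error": "invalid_grant"}
        challenge, bound_client, bound_redirect = record
        if client_id != bound_client or redirect_uri != bound_redirect:
            return {"error": "invalid_grant"}
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        # Still a bearer token here; the BCP additionally recommends sender-constraining it
        # (for example with mutual TLS), which this example does not implement.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow() -> dict:
    """Constructed end-to-end exchange: honest redemption, replay, and a stolen code."""
    server = AuthorizationServer()
    client_id, redirect_uri = "spa-client", "https://app.example/cb"  # assumed values

    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    legit = server.token(code, verifier, client_id, redirect_uri)       # succeeds
    replay = server.token(code, verifier, client_id, redirect_uri)      # single-use: fails

    # An attacker who intercepted a fresh code (e.g. via a leaky redirect) but not the
    # verifier cannot redeem it: only the SHA-256 of the verifier ever left the client.
    verifier2 = make_code_verifier()
    code2 = server.authorize(client_id, redirect_uri, make_code_challenge(verifier2))
    stolen = server.token(code2, make_code_verifier(), client_id, redirect_uri)

    return {
        "legit": "access_token" in legit,
        "replay": replay.get("error"),
        "stolen": stolen.get("error"),
    }


if __name__ == "__main__":
    print(run_flow())
```

The two properties that matter for the implicit-to-code migration are both visible in run_flow(): an intercepted code is worthless without the verifier that never left the client, and a code cannot be redeemed twice.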


Dr.-Ing. Torsten Lodderstedt is CTO of yes.com, a startup building an identity scheme for banks and their customers. Before joining yes.com, he served for a decade in different roles at Deutsche Telekom’s identity team, building and operating large-scale consumer identity services. In his...

Guaranteeing maximum security while providing your users with a frictionless experience is a persistent challenge. The more we shift into the digital environment, the more every business must pay critical attention to user experience: boosting customer satisfaction through better usability and accessibility in every interaction with a product is crucial. This is where next-generation authentication comes into play, narrowing the gap between security and user experience. Given the ever-changing, ever-improving nature of technologies, devices and networks, the combination of SSO, user behaviour analytics (UBA), MFA and other authentication solutions is a gamechanger, allowing companies to apply precisely the right level of gateway security to each and every login request. In this panel, we will address the existing authentication challenges for companies and what next-generation solutions can bring to the table.


Allan Foster has helped build ForgeRock into a multinational identity software vendor with offices on four continents. Allan’s deep technical knowledge has been well used in all aspects of the business while at ForgeRock, with responsibilities in Support, Engineering, Product Management,...

Guido is the Head of Authentication and Digital Identity for Visa in Europe. He is responsible for the commercialization of Visa Authentication solutions including Visa Consumer Authentication Service (VCAS) and Visa Biometric across Europe. Prior to this role, Guido worked in various...

Mike Schwartz is the Founder of Gluu, a security software company serving companies, governments and universities around the world. Schwartz is a domain expert in application security, authentication and API access management. The Gluu Server is one of the leading implementations of OpenID...


Munich, Germany


European Identity & Cloud Conference 2019

  • May 14 - 17, 2019 Munich, Germany