Authentication, Cloud-Native
Facebook Twitter LinkedIn

OAuth DPoP (Demonstration of Proof of Possession): How to Not Let Attackers Steal your OAuth Token

Combined Session
Wednesday, May 11, 2022 16:00—16:30
Location: A05-06

Most OAuth deployments today use bearer tokens – tokens that can be used by anyone in possession of a copy of them, with no way to distinguish between legitimate uses of them and those that stole them and used them for nefarious purposes. The solution to this is proof-of-possession tokens, where the legitimate client supplies cryptographic material to the issuer that is bound to the token, enabling it to cryptographically prove that the token belongs to it – something attackers cannot do because they don’t possess the proof-of-possession cryptographic material.

The OAuth DPoP (Demonstration of Proof of Possession) specification defines a simple-to-implement means of applying proof of possession to OAuth access tokens and refresh tokens. We will describe real attacks occurring every day against bearer tokens and how they are mitigated by DPoP, providing defense in depth and making real deployed systems substantially more secure with minimal implementation and complexity costs.

These attacks and mitigations are particularly relevant to high-value enterprise deployments, such as in the financial, manufacturing, critical infrastructure, and government sectors.

Dr. Michael B. Jones
Dr. Michael B. Jones
Microsoft
Michael B. Jones is a Standards Architect at Microsoft. He is an editor of the OpenID Connect specifications, several IETF OAuth specifications, including JSON Web Token (JWT), the IETF JOSE (JSON...

Tickets

On-Demand Access
Re-live EIC 2022
€300
 
Watch 200 sessions on-demand
Download all available presentations
Subscribe for updates
Please provide your email address