Conference, 45 min
Bearer of Good News
OAuth 2.1 addresses major OAuth 2.0 flaws by integrating modern security and usability enhancements. Mandatory PKCE, DPoP proofs, CIBA flows, metadata discovery, token exchange, and cross‑app access together prevent token replay, eliminate secret leakage, and simplify configuration. The talk explains these updates, their use cases, and how they enable secure‑by‑default systems.
Sam Bellen, Auth0
OAuth 2.0 shipped in 2012 with glaring gaps. Public clients leaked secrets. Bearer tokens could be stolen and replayed. Authorization required users at their screens. Metadata lived in documentation, not discoverable endpoints. Token delegation meant copying credentials. Developers patched these with workarounds until the spec caught up.
OAuth 2.1 consolidates best practices. PKCE becomes mandatory. DPoP adds cryptographic proof to bearer tokens, preventing replay attacks. CIBA decouples authorization from browser sessions. Client ID Metadata Documents and Authorization Server Metadata enable discovery over copy-paste configuration. Token Exchange enables delegation without credential copying—secrets never leave the authorization server. Cross-App Access extends this with identity assertion grants. Each solves a real problem; together, they modernize OAuth.
This talk explores why these extensions exist and when to use them. Build systems secure by default, not by accident. Understand which specs matter for your use case—from traditional apps to AI agents to B2B integrations.
We'll assume basic OAuth and OIDC knowledge but explain each new concept from scratch.
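To make the "mandatory PKCE" point concrete, here is an added example (not code from the talk or from Auth0) of the RFC 7636 S256 binding on both sides: the client derives a code_challenge from a one-time code_verifier, and a minimal, hypothetical authorization server refuses to redeem an authorization code unless the matching verifier is presented. The class and function names are illustrative assumptions.

```python
"""PKCE (RFC 7636) with the S256 method: the client binds its authorization
request to a one-time secret, and the authorization server checks that binding
at the token endpoint. Added example, not code from the talk or from Auth0."""
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (43..128 chars once encoded)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical minimal AS: pending codes keyed to the challenge they were issued for."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # OAuth 2.1 drops the "plain" method
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: consume the code once; succeed only if the verifier matches."""
        expected = self._pending.pop(code, None)
        if expected is None:
            return False  # unknown or already-used code
        # Constant-time comparison; a code presented without its verifier fails here.
        return hmac.compare_digest(make_challenge(code_verifier), expected)


def demo() -> tuple[bool, bool]:
    """Legitimate redemption succeeds; redeeming a code without its verifier fails."""
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    legit = server.token(code, verifier)  # True
    other_code = server.authorize(make_challenge(make_verifier()))
    without_verifier = server.token(other_code, "wrong-verifier")  # False
    return legit, without_verifier
```

The first assertion below uses the RFC 7636 Appendix B test vector, so the derivation can be checked against the spec rather than against itself.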