See you at Disclosure 2020!

I’m thrilled to share the virtual stage at Disclosure tomorrow! Disclosure is a security conference that’s shaping up to have a super amazing schedule! The speaker lineup is fantastic—with talks ranging from cyber warfare to disinformation to social engineering (and much more!).

My talk is called “How to Think About OAuth Security”. I’ll be focusing on what makes OAuth secure and on implementation holes that have previously left gaps for attackers. Here’s a taste of the kinds of things I’ll be talking about tomorrow!

Revealing mobile app API keys

It’s a well-understood part of modern app development that trying to hide API keys in an app is a futile effort. But just a few years ago, Twitter made headlines when their mobile app’s API keys were leaked! We’ll talk about what happened and how OAuth evolved to address the need for mobile apps to securely log users in.

Stop relying on passwords

There are much better solutions than passwords on the modern internet. How has OAuth been adapting to the changes? Spoiler alert: OAuth never encouraged apps to handle passwords in the first place, so we’ll take a look at how OAuth is changing to address this.

What’s coming in OAuth 2.1?

You may have heard some rumblings about OAuth 2.1, an update to the spec that I and a few others are currently working on at the OAuth Working Group in the IETF. We’ll look at the significant changes coming in that version, highlight what isn’t changing, and talk about why now is a good time to publish an update to the spec!

Hope to see you there! It’s not too late to register! I’ll be answering Q&A, and I’m always happy to chat about OAuth security on Twitter, where you can find me at @aaronpk.

Aaron Parecki is a Senior Security Architect at Okta. He is the author of OAuth 2.0 Simplified, and maintains oauth.net. He regularly writes and gives talks about OAuth and online security. He is an editor of several internet specs, and is the co-founder of IndieWebCamp, a conference focusing on data ownership and online identity. Aaron has spoken at conferences around the world about OAuth, data ownership, quantified self, and home automation, and his work has been featured in Wired, Fast Company and more.