Hello group,
just a quick follow-up from the IETF OAuth Security workshop from last July.
The workshop was well attended: security researchers and some big names like Google, Microsoft, Facebook, Deutsche Telekom, Ping Identity,
openid.net, etc. were all represented.
There were some interesting talks about using OAuth in IoT scenarios and how the related standards (CBOR, CWT, etc.) can be applied.
Another interesting topic was the theory and practice of the recently found IdP Mix-Up attack.
Links to the talks (slides / papers) are here [0] (unfortunately they were not recorded).
There were also some tools mentioned for checking Identity Providers for well-known attacks (PrOfESSOS) [0],
as well as OIDC compliance tests (oictest) [2] that can be run locally.
It's an easy-to-set-up Python app that also runs behind the official conformance testing portal of
openid.net [3] - running it locally might make things easier to test ;-)
Btw, I pitched Keycloak quite often - folks were really keen to look at it ;-)