Hello group,

just a quick follow-up from the IETF OAuth Security workshop from last July.
The workshop was well attended: security researchers and some big names like Google, Microsoft, Facebook, Deutsche Telekom, Ping Identity, openid.net, etc. were all represented.

There were some interesting talks about using OAuth in IoT scenarios and how the related standards (cbor, cwt, etc.) can be applied.
Another interesting topic was the theory and practice of the recently found IdP Mix-Up attack.

Links to the talks (slides / papers) are here [0] (unfortunately they were not recorded).

There were also some tools mentioned for checking Identity Providers for well-known attacks (PrOfESSOS) [1]
as well as OIDC compliance tests (oictest) [2] that can be run locally;
it's an easy-to-set-up Python app that also runs behind the official conformance testing portal of openid.net [3] - running it locally might make things easier to test ;-)

Btw. I pitched keycloak quite often - folks were really keen to look at it ;-)

Cheers,
Thomas

[0] https://infsec.uni-trier.de/events/osw2016/schedule
[1] https://github.com/RUB-NDS/PrOfESSOS
[2] https://github.com/rohe/oictest
[3] https://openid.net/certification/testing/

2016-06-22 7:56 GMT+02:00 Stian Thorgersen <sthorger@redhat.com>:
Hi, thanks for letting us know. A summary to the list afterwards would be appreciated, especially any advice on improving security.

On 21 June 2016 at 11:04, Thomas Darimont <thomas.darimont@googlemail.com> wrote:
Hello group,

just wanted to let you know that there will be an OAuth Security Workshop at the 
University of Trier (Germany) in July see: https://infsec.uni-trier.de/events/osw2016

I learned from one of the organizers that they will also discuss Keycloak as
an OpenID Connect Provider - just wanted to let you guys know.

I'm going to attend this workshop as well.

Cheers,
Thomas

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev