Hello group,
just a quick follow-up from the IETF OAuth Security workshop from last July.
The workshop was well attended: security researches and some big names like
google, microsoft, facebook, deutsche telekom, ping identity,
openid.net
were all represented etc.
There were some interesting talks about using OAuth in IoT scenarios and
how the related standards (cbor, cwt, etc.) can be applied.
Another interesting topic was the theory and practice of the recently found
IdP Mix-Up attack.
Links to the talks (slides / papers) are here [0] (unfortunately they were
not recorded).
There were also some tools mentioned for checking Identity Providers for
well known attacks (PrOfESSOS) [0]
as well as OIDC compliance tests (oictest) [2] that can be run locally,
it's an easy to setup python app that also runs behind the official
conformance testing portal of the
openid.net [3] - running it locally might
make things easier to test ;-)
Btw. I pitched keycloak quite often - folks were really keen to look at it
;-)
Cheers,
Thomas
[0]
https://infsec.uni-trier.de/events/osw2016/schedule
[1]
https://github.com/RUB-NDS/PrOfESSOS
[2]
https://github.com/rohe/oictest
[3]
https://openid.net/certification/testing/
2016-06-22 7:56 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
Hi, thanks for letting us now. A summary to the list afterwards would
be
appreciated, especially any advice on improving security.
On 21 June 2016 at 11:04, Thomas Darimont <thomas.darimont(a)googlemail.com>
wrote:
> Hello group,
>
> just wanted to let you know that there will be an OAuth Security Workshop
> at the
> University of Trier (Germany) in July see:
https://infsec.uni-trier.de/
> events/osw2016
>
> I learned from one of the organizers that they will also discuss Keycloak
> as
> an OpenID Connect Provider - just wanted to let you guys know.
>
> I'm going to attend this workshop as well.
>
> Cheers,
> Thomas
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>