The session “OAuth2/OpenID Connect mistakes found in production mobile apps” has been accepted to the OAuth Security Workshop (OSW) 2022, which will take place in Trondheim, Norway, from May 4 to May 6, 2022. The session will be presented by Amir Sharif (FBK) and Joseph Heenan (Senior Architect at Authlete Inc).
Here is the abstract:
OAuth 2.0 and OpenID Connect are two of the most widely used protocols to support secure and frictionless access delegation and single sign-on login solutions, extensively integrated within web and mobile native applications.
To secure the integration of OAuth 2.0 and OpenID Connect solutions, the OAuth working group and the OpenID Foundation have produced many security-related documents that provide general guidelines and best current practices. These documents explain the features that identity providers must support and how developers should implement these solutions for the different use-case scenarios.
In addition, because of the peculiarities of mobile native applications, the OAuth working group has published "OAuth 2.0 for Native Apps", a document dedicated to assisting mobile native application developers. In 2017, the OpenID Foundation made a further effort to support developers by releasing the AppAuth SDK, which helps native application developers implement access delegation and single sign-on login securely within their apps. Nevertheless, a combination of industry experience and analysis of many popular mobile apps has revealed that many of them still fail to implement these solutions securely.
Amir and Joseph talk about the issues that have been seen recently, the potential problems these could cause, how these types of mistakes have happened – and, most notably, how developers can be helped to avoid making the same mistakes. One proposed solution is a plugin-based approach that automates the enforcement of the best current practices (BCPs) for OAuth 2.0 and OpenID Connect-based solutions within native apps, yielding a secure implementation. In this way, developers need worry about neither the core OAuth 2.0 and OpenID Connect functionality nor the enforcement of BCPs, as both can be incorporated into applications automatically by the plugin-based approach.
We also talk about how authorization server vendors and service/identity providers can assist the mobile developers integrating with them to create high-quality, secure integrations.