Let's try to hack the authentication of the native clients using OAuth 2.0. OAuth has become the industry's go-to authentication mechanism, with a multitude of users seamlessly logging into apps with well-known platforms like Google or Twitter. Join us as we explore the limitations of standard OAuth flows for native clients, which allow attackers to get access to private data. We will play the attack vectors, try to mitigate such attacks using the PKCE (Proof Key for Code Exchange) extension, and question its future.Key Takeaways:
- Discover the limitations of standard OAuth 2.0 flows for native clients and the associated risks and attack vectors.
- Gain insights into how PKCE extension addresses these challenges head-on, fortifying your applications against private resources' leaks.
- This talk will cover various mitigation strategies, best practices, and recommendations.