Proposed OAuth 2.0 Assurance Session at IIW
Title: OAuth 2.0 Assurance
Problem statement: Provide an introduction to OAuth assurance based on my blogs and RFC 6819
General recommendations: Also part of intro presentation, explain that its necessary to address issues through profiling, testing and secure implementation and operations
Scope: Focus on the basic OAuth 2.0 specification, not getting into unresolved issues related to the many proposed extensions, such as token contents, or semantics
Discussion topic 1: What would be a reasonable framework for OAuth 2.0 assurance levels, and how might those map to NIST Levels of Assurance (LOAs) 1 or 2?
Discussion topic 2: What are “10 commandments” for Secure OAuth 2.0 (or “10 deadly sins to avoid”) and how would we test for them?
Discussion topic 3: Future plans – how can we carry the output of this session forward? Is there a home somewhere for an OAuth 2.0 assurance standards group? Would some organization (or group) be willing to work on standing up a test server to look for the 10 deadly sins? Would some organization (or group) be willing to work developing secure, open source OAuth libraries validated to follow the 10 commandments?
I already have a few folks interested in this panel and contributing ideas but would welcome a lot more. If you’re attending IIW 17 and interested in contributing, please let me know via one of my communications channels such as @danblumSS or the comments thread on this post.