Breaking and Securing OAuth 2.0 in Frontends

Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, yet many underestimate what an attacker can do once they run script in the page. Common practice, such as running a Single Page Application as a public OAuth 2.0 client and relying on mitigations like refresh token rotation, fails to account for that real-world attacker: whatever the application's own JavaScript can do with its tokens, injected JavaScript can do too.

This talk will demonstrate two concrete attacks against frontend OAuth 2.0 clients and the underlying weaknesses they exploit. We will then explore how to address these shortcomings with structural solutions such as the Backend-for-Frontend (BFF) pattern, which keeps OAuth tokens out of the browser altogether. By the end of this session, you will be fully up to speed with the latest updates to the "OAuth 2.0 for Browser-based Apps" specification (an IETF OAuth Working Group draft), co-authored by the presenter, and you will walk away with a solid understanding of OAuth 2.0 security in frontends and best practices for securing sensitive applications.