Developer

Aaron Parecki, Okta

In this session, Aaron Parecki, author of OAuth 2.0 Simplified and co-editor of the in-progress OAuth 2.1 spec, will cover the basics of the OAuth and OpenID Connect protocols. You’ll learn about when you’d want to use OAuth or OpenID Connect (or both!), when to use each of the grant types, and how to use OAuth and OpenID Connect securely from mobile applications. Aaron also covers the latest best practices around OAuth security currently in development by the group.  You'll also learn about the upcoming OAuth 2.1 update and what it means for you and your applications. You'll learn how to use JWT access tokens and the tradeoffs that come with them, how to design scopes that allow granular access to various parts of your backend services, and how to design a microservices architecture protected by OAuth at a gateway.

Nick Gamb, Okta

SAML is one of the most widely used identity security standards in the industry today, yet can seem daunting to support. This is especially true for developers being asked to support SAML for the first time.  The age of SAML combined with its numerous revisions over the years makes it difficult to learn and use. Not to mention the complexities of SAML being used in slightly different and nuanced ways in different applications.  In this talk, you'll learn all about the SAML protocol, how it works, and how to use it in a modern application. You'll also learn what pitfalls to look out for and how to resolve them.

Brian Demers, Okta

Security tokens such as JWTs are now commonplace in developer guides and documentation. They are a key part of securing mobile and web applications. Why is this? What benefits do they provide? How should you use them in your applications?  In this talk, you'll learn what security tokens are, how to use them, and how to abuse them. >:) Along the way, you'll learn the differences between the three most popular types of security tokens: JWTs, Macaroons, and PASETO, and when to use (and not use!) them.

Heather Downing, Okta

In this talk, you will discover how to design secure (and friendly) user experiences when developing your software applications. We will cover best practices in the industry that make an authentication experience easier for users to accept, what things to avoid, and how humans think about security, in general, to make your app a 10 out of 10.

Kelley Robinson, Twilio

Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can.

WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.