Breaking & Securing OAuth 2.0 in Frontends • Philippe De Ryck • YOW! 2025
Mar 11, 2026•Channel
AI Analysis
Data from YouTube Data API v3•Updated Just now
Video Overview
Video Details
Published4 months ago
Duration40:40
Video IDoGktdQ45bTg
Languageen
CategoryScience & Technology
PrivacyPublic
Made for KidsNo
Video TypeRegular Video
Performance Metrics
Views1.1K
Likes23
Comments1
Engagement Rate2.25%
Likes per 100 views2.15
Comments per 1K views0.94
Video Tags
Description
This presentation was recorded at YOW! Australia 2025. #GOTOcon #YOW
https://yowcon.com
Philippe De Ryck - Web Security Expert, Founder of Pragmatic Web Security @philippederyck2572
RESOURCES
https://bsky.app/profile/philippederyck.bsky.social
https://github.com/philippederyck
https://www.linkedin.com/in/philippederyck
https://pragmaticwebsecurity.com
https://pdr.online
Links
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps.html
https://github.com/danielmurrmann/Fancy.ResourceLinker
https://curity.io/resources/learn/token-handler-overview
https://docs.duendesoftware.com/bff
ABSTRACT
Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, yet many underestimate its true power. Common practices like using Single Page Applications as OAuth 2.0 clients, with techniques such as refresh token rotation, fail to account for real-world attackers.
This talk will demonstrate two concrete hacks against frontend OAuth 2.0 clients, highlighting the underlying vulnerabilities. We will explore how to address these security shortcomings by introducing structural solutions like the Backend-for-Frontend pattern. By the end of this session, you will be fully up to speed with the latest updates to the "OAuth 2.0 for Browser-based Apps" specification, co-authored by the presenter. You will walk away with a solid understanding of OAuth 2.0 security in frontends and best practices for securing sensitive applications. [...]
TIMECODES
00:00 Intro
03:45 Concept of OAuth 2.0 authorization code flow
08:57 XSS has been a problem for a long time
16:20 Refresh token rotation
17:07 Demo
21:30 Sidestepping refresh token rotation
22:10 We have to do a better job to store our tokens, to prevent exfiltration
23:50 Demo
26:04 Requesting a fresh set of tokens
32:24 What changes to my application does that require?
36:50 What about XSS?
40:01 Key takeaways
40:32 Outro
Download slides and read the full abstract here:
https://yowcon.com/brisbane-2025/sessions/3652
RECOMMENDED BOOKS
Aaron Parecki • OAuth 2.0 Simplified • https://amzn.to/2A3IMOf
Aaron Parecki • OAuth 2.0 Servers • https://amzn.to/3ecHEsz
Aaron Parecki • The Little Book of OAuth 2.0 RFCs • https://amzn.to/3i7qnlC
Erdal Ozkaya • Cybersecurity: The Beginner's Guide • https://amzn.to/2T6OIj3
Richer & Sanso • OAuth 2 in Action • https://amzn.to/3hXiAH6
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • https://amzn.to/2U8iLY2
https://bsky.app/profile/gotocon.com
https://twitter.com/GOTOcon
https://www.linkedin.com/company/goto-
https://www.instagram.com/goto_con
https://www.facebook.com/GOTOConferences
#Security #OWASP #Cybersecurity #BFF #BackendForFrontend #XSS #CrossSiteScripting #OAuth2 #OpenID #OpenIDConnect #React #PhilippeDeRyck #YOWcon
CHANNEL MEMBERSHIP BONUS
Join this channel to get early access to videos & other perks:
https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/join
Looking for a unique learning experience?
Attend the next GOTO conference near you! Get your ticket at https://gotopia.tech
Sign up for updates and specials at https://gotopia.tech/newsletter
SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily.
https://www.youtube.com/user/GotoConferences/?sub_confirmation=1