Breaking & Securing OAuth 2.0 in Frontends • Philippe De Ryck • YOW! 2025

Mar 11, 2026Channel
AI Analysis
Data from YouTube Data API v3Updated Just now

Video Overview

Video Details

Published4 months ago
Duration40:40
Video IDoGktdQ45bTg
Languageen
CategoryScience & Technology
PrivacyPublic
Made for KidsNo
Video TypeRegular Video

Performance Metrics

Views1.1K
Likes23
Comments1
Engagement Rate2.25%
Likes per 100 views2.15
Comments per 1K views0.94

Description

This presentation was recorded at YOW! Australia 2025. #GOTOcon #YOW https://yowcon.com Philippe De Ryck - Web Security Expert, Founder of Pragmatic Web Security @philippederyck2572 RESOURCES https://bsky.app/profile/philippederyck.bsky.social https://github.com/philippederyck https://www.linkedin.com/in/philippederyck https://pragmaticwebsecurity.com https://pdr.online Links https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps.html https://github.com/danielmurrmann/Fancy.ResourceLinker https://curity.io/resources/learn/token-handler-overview https://docs.duendesoftware.com/bff ABSTRACT Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, yet many underestimate its true power. Common practices like using Single Page Applications as OAuth 2.0 clients, with techniques such as refresh token rotation, fail to account for real-world attackers. This talk will demonstrate two concrete hacks against frontend OAuth 2.0 clients, highlighting the underlying vulnerabilities. We will explore how to address these security shortcomings by introducing structural solutions like the Backend-for-Frontend pattern. By the end of this session, you will be fully up to speed with the latest updates to the "OAuth 2.0 for Browser-based Apps" specification, co-authored by the presenter. You will walk away with a solid understanding of OAuth 2.0 security in frontends and best practices for securing sensitive applications. [...] TIMECODES 00:00 Intro 03:45 Concept of OAuth 2.0 authorization code flow 08:57 XSS has been a problem for a long time 16:20 Refresh token rotation 17:07 Demo 21:30 Sidestepping refresh token rotation 22:10 We have to do a better job to store our tokens, to prevent exfiltration 23:50 Demo 26:04 Requesting a fresh set of tokens 32:24 What changes to my application does that require? 36:50 What about XSS? 40:01 Key takeaways 40:32 Outro Download slides and read the full abstract here: https://yowcon.com/brisbane-2025/sessions/3652 RECOMMENDED BOOKS Aaron Parecki • OAuth 2.0 Simplified • https://amzn.to/2A3IMOf Aaron Parecki • OAuth 2.0 Servers • https://amzn.to/3ecHEsz Aaron Parecki • The Little Book of OAuth 2.0 RFCs • https://amzn.to/3i7qnlC Erdal Ozkaya • Cybersecurity: The Beginner's Guide • https://amzn.to/2T6OIj3 Richer & Sanso • OAuth 2 in Action • https://amzn.to/3hXiAH6 Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • https://amzn.to/2U8iLY2 https://bsky.app/profile/gotocon.com https://twitter.com/GOTOcon https://www.linkedin.com/company/goto- https://www.instagram.com/goto_con https://www.facebook.com/GOTOConferences #Security #OWASP #Cybersecurity #BFF #BackendForFrontend #XSS #CrossSiteScripting #OAuth2 #OpenID #OpenIDConnect #React #PhilippeDeRyck #YOWcon CHANNEL MEMBERSHIP BONUS Join this channel to get early access to videos & other perks: https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/join Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket at https://gotopia.tech Sign up for updates and specials at https://gotopia.tech/newsletter SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily. https://www.youtube.com/user/GotoConferences/?sub_confirmation=1

Related Videos

More videos from GOTO Conferences