OAuth Security Workshop 2017


OAuth is a critical component of the Internet infrastructure. OAuth enables a user to authorize a third-party application or service to obtain limited access to a service or account owned by that user. The security of the OAuth protocol is therefore paramount; otherwise, large-scale loss, theft, or corruption of user data can result. To this end we want to bring together experts from industry and the research community with the goal of improving the assurances provided by OAuth and increasing its quality.

This meeting is organized by the IETF OAuth Working Group (WG), which is convinced that the wider Internet security community can help to improve the security of Internet protocols. In an attempt to reach out to all manner of security experts, from research, industry, and standardization bodies, the WG will hold this workshop on OAuth security during the week before the summer IETF meeting, namely on July 13th and 14th, 2017 in Zürich, Switzerland, hosted by the Zurich Information Security and Privacy Center (ZISC) of ETH Zurich.


Event Details

When: July 13 & 14, 2017
Where: ETH Zürich, Alumni Pavillon, Rämistrasse 101, 8092 Zürich




Please note that due to construction work at the tram stop “Central” it may take you longer to get to the Alumni Pavillon than route planners suggest, particularly if you are arriving from the main train station (Zurich HB). The funicular “Polybahn” is the easiest way up the hill, but it will be very busy.


For the general public: https://zisc.ethz.ch/event/oauth-security-workshop-2017/

For ZISC affiliates: https://zisc.ethz.ch/event/oauth-security-workshop-2017-internal/



Program, Day 1: July 13, 2017

08:30-09:00  Registration and coffee
09:00-09:15  Torsten Lodderstedt (YES Europe): Opening Remarks
09:15-10:15  David Basin (ETH Zurich): Security Protocols at ETHZ [slides]
10:15-10:30  Break
10:30-11:30  Cas Cremers (University of Oxford): Automated analysis and the subtleties of authentication: Adventures in TLS 1.3 (Invited Talk) [slides]
11:30-11:45  Break
11:45-12:30  Michael Jones (Microsoft): OAuth Token Binding: Status and Next Steps [slides]
12:30-13:15  Denis Pinkas (DP Security Consulting): A privacy by design eID scheme supporting Attribute-based Access Control (ABAC) [slides (scheme), slides (German eID), paper]
13:15-14:45  Lunch at Dozentenfoyer [directions]
14:45-15:30  Naveen Agarwal and Breno de Medeiros (Google): OAuth & Phishing – Experiences @ Google [slides]
15:30-16:15  Torsten Lodderstedt and John Bradley: OAuth security [slides]
16:15-16:45  Break
16:45-17:30  Sven Hammann (ETHZ): Proposing a new Private Mode for Open ID Connect [slides]
18:00        Dinner at The Alehouse – Palmhof [location]

Program, Day 2: July 14, 2017

08:30-09:00  Coffee
09:00-09:45  Daniel Fett, Ralf Küsters, and Guido Schmitz (Universität Stuttgart): The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines [slides]
09:45-10:30  Nat Sakimura (Nomura Research Institute): Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the application of BCM Principles [slides, paper]
10:30-10:45  Break
10:45-11:30  Hannes Tschofenig (ARM): Lessons learned from security protocol design: Meaningful content for security consideration sections of technical specifications [slides]
11:30-11:45  Break
11:45-12:30  William Denniss (Google; presented by John Bradley): Improving Native App OAuth Security with External User Agents [slides]
12:30-13:15  Go Yamamoto, Richard Boyer, Kenji Takahashi, and Nat Sakimura (Nomura Research Institute): Asserting Access Tokens from the Transport Layer [slides]
13:15-14:45  Lunch at Dozentenfoyer [directions]
14:45-15:30  Jacob Ideskog (Curity): Simplified Integration of OAuth into JavaScript Applications [slides]
15:30-16:00  Break
16:00-16:45  Antonio Sanso (Adobe): Invalid curve attack in JWE ECDH-ES [slides]
16:45-17:30  General Discussion

Program Committee
  • David Basin (ETH Zurich)
  • Torsten Lodderstedt (YES Europe)
  • John Bradley (Ping Identity)
  • Ralf Küsters (University of Stuttgart)
  • Chris Mitchell (Royal Holloway University of London)
  • Anthony Nadalin (Microsoft)
  • Nat Sakimura (Nomura Research Institute)
  • Ralf Sasse (ETH Zurich)
  • Jörg Schwenk (Ruhr University Bochum)
  • Hannes Tschofenig (IETF OAuth Working Group Co-Chair)

Organizing Committee

  • David Basin (ETH Zurich)
  • Torsten Lodderstedt (YES Europe)
  • Ralf Sasse (ETH Zurich)
  • Barbara Pfändner (ETH Zurich)


Invited Speaker

  • Cas Cremers, University of Oxford



These hotels are within walking distance of the venue; there are plenty more hotels in the Zurich area.


Important Dates

  • Position paper submission deadline: May 2, 2017 extended to May 9, 2017 (AoE, UTC-12).
  • Author notification: May 15 delayed to May 22, 2017.
  • Registration deadline: June 16, 2017.
  • Workshop: July 13 and July 14, 2017.

Call for Position Papers


For further questions, please contact the organizing committee at ralf.sasse@inf.ethz.ch.