Breaking Tokens: Modern Attacks on OAuth, OIDC, and JWT Auth Flows

Bhaumik Shah

BSidesSF 2026 · Day 1 · AMC Theatre 10

In modern web and mobile applications, **OAuth**, **OpenID Connect (OIDC)**, and **JSON Web Tokens (JWTs)** have become the de facto standards for authentication and authorization. While these protocols provide robust frameworks for identity management, their complex implementations and the distributed nature of microservice architectures introduce new attack vectors. Bhaumik Shah's talk, "Breaking Tokens: Modern Attacks on OAuth, OIDC, and JWT Auth Flows," dissects three critical vulnerabilities that can lead to significant breaches, even in systems that employ multi-factor authentication (MFA).

AI review

Competent survey of OAuth/OIDC/JWT attack classes with working demos and real-world anchors in Storm-2372 and Salesforce. The material is technically accurate and well-organized, but it's a greatest-hits compilation — scope confusion, bearer token replay, and federated identity trust issues have all been covered at prior cons. Nothing here would surprise an attendee who's read the OAuth Security BCP or watched PortSwigger's OAuth labs.
