Talk comments

Dan Ackroyd at 16:35 on 16 May 2020

Hi Ian,

Apologies if I don't express the following very well, but I think the talk would be better if it was more 'story' focused rather than technically focused.

I think you could do with spending a bit more time at the start explaining why people would use OAuth, and why companies provide OAuth APIs.

And then for each of the individual topics, they would be easier to understand if they were introduced as a story that gives a human-relatable explanation of why someone would want to use that.

Although the technical details are interesting, unless someone is going to sit down and start using OAuth in the next 12 hours, it's unlikely they will be able to remember those details. I think separating the technical details out into a series of small blog posts, e.g. grants and the bearer tokens, and linking to them but not discussing them in depth would be a better use of the time in the talk.


And finally, I asked a question about this, but I think it's almost always a good idea to say when not to use a technology, and there are definitely cases when not to use it. That type of info is probably the most valuable info to pass on.

Great talk. Slides were clear. You made a potentially complicated subject very accessible. I've always found SSL a bit intimidating. I really started to understand it after your talk.

Thanks for a fantastic talk

Great talk. I finally got some of the OAuth concepts, so thank you for explaining them well.

My very minor suggestion. I was wondering if there would be a benefit in reordering the slides slightly.

The first flow you introduced was password grant. I think introducing the diagram earlier might have helped. There were times when you were talking through the flow (at a high level) and the slide shown was Slide 8 "TRUSTED CLIENTS: PASSWORD GRANT" (with bullet points). It might aid clarity if you did a briefer introduction to the flow, then went straight to the diagram, then had another slide after the diagram which had the bulk of what was on slide 8.

The only other point might be to emphasise why a refresh token is needed. Someone might ask why not just issue a longer-lasting auth token.


Other than those tiny points it was a great talk and that is the first time I've understood OAuth. I fear it no longer. Thanks

Rob Wilson at 21:16 on 13 May 2020

Great talk :)

I've been dealing with TLS this week at work, and reading the RFCs around the associated ciphers (yawn). Your talk is a lot clearer than reading the RFCs, and your style of presentation is fantastic (I might have to steal some bits for work).

Great that you touched on the SSL certificates (as most of us will be familiar), and some useful resources given. I'd have liked to have seen webbkoll being run and explored, but I shall be looking into this tomorrow at work instead.

Owen Voke at 20:57 on 13 May 2020

Great talk on a really interesting topic that always confuses me. The slides were informative, and provided a good overview of how OAuth 2.0 works.

It would have been nice to see some more examples of the code (or seen the code for longer during the talk), however due to time constraints that's understandable. And it's on GitHub, so that's great!

Rob Wilson at 20:15 on 13 May 2020

OAuth is one of the topics that, until you start implementing it, will always baffle you. Some great code examples given, and very to-the-point slides with great links to RFCs and other sources too.

Would have been great to see further implementations of the code during the talk, but we only had a finite amount of time this evening.