OAuth Security Workshop 2025 Wrap Up

Written by Dean H. Saxe
Published on Mar 11, 2025

After more than two weeks on the road, I’m finally back in my home office, sinking into my chair, listening to good music (The Head and the Heart’s "Aperture" pre-release, Caamp’s new EP "Somewhere," and Mt. Joy’s "Hope We Have Fun" pre-release), and reflecting on the past few weeks of travel.

Living by the "work hard, play hard" philosophy, I took my family on a much-needed vacation last month before the late winter/spring standards and conference circuit kicked into high gear. Eight days in Tokyo in mid-February provided the perfect opportunity to unwind—amazing food, rich culture, fascinating museums, more gashapon than you can imagine, and, of course, a lot of trains. After a quick stop home in Seattle, I was off to Reykjavik, Iceland, for my first OAuth Security Workshop (OSW).

Harpa Concert Hall, Reykjavik, Iceland

What Makes OSW Unique

OSW is an intimate conference (~120 participants) with a distinct format: mornings are dedicated to pre-planned presentations (much like Identiverse or the European Identity & Cloud Conference but with a sharper focus on OAuth and related standards), while afternoons are structured as an “unconference,” similar to the Internet Identity Workshop. Anyone can propose a discussion topic and lead a 30-minute session. And then there’s the third, unofficial component: post-event food, drinks, and discussions that often prove just as valuable as the formal sessions.

Below are some key takeaways that stood out for me at OSW—and why this was my first but definitely not my last!

Highlights from the Talks

Brian Campbell’s "Hope Fulfilled, Hype Dispelled: Identity Standards Past, Present, and Future"

Brian Campbell (Distinguished Engineer, Ping Identity) kicked off the event with a lighthearted but insightful look at the evolution of identity standards—what’s changed, what hasn’t, and what we might expect in the future. He skillfully poked fun at both the identity community and himself, setting a great tone for the week.

By presenting slides from a talk he gave at Cloud Identity Summit 2013, Brian looked back at the past 12+ years in identity as a chance to learn from our past mistakes and define a better future. In 2013, Brian asked whether the new protocols of the age (OAuth 2.0, OpenID Connect, JWTs, etc.) represented hope or hype. While these protocols have seen great success since, we’ve also had some failed predictions. Most famously, the prediction that SAML is dead hasn’t quite happened… yet.

So what should we expect from the newest set of identity protocol hype? Will the hype lead to successful deployments of verifiable credentials and wallets? In Brian’s words, “So... as this current wave crashes through the sea of temporality, we ask ourselves, is there hope to be had, or is it all just hype?”

Nobody knows, but I am excited to find out what happens over the next 12 years…

"Enhancing Security with Transaction Tokens" – Naveen CM & Mert Coskuner (Yahoo!)

Yahoo! presented an intriguing approach to mitigating cookie theft and replay risks within their microservices. Instead of relying solely on a browser cookie passed from the browser to their CDN and onward to their microservices, they introduced transaction tokens (TraTs): narrowly scoped, time-limited tokens that the CDN issues in exchange for the cookie. Because each token is bound to a specific service and validated locally, a stolen or replayed token is useful only for that service and only within its short lifetime, and the services no longer pay the latency of calling a centralized session cookie validator on every request. As the transaction tokens draft progresses through the IETF OAuth Working Group, I expect to see other companies adopt this mechanism and the related work by Kelly Burgin, et al. on OAuth Identity and Authorization Chaining Across Domains.
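To make the exchange concrete, the following is an added example and not Yahoo!'s code; it also does not use the claim set of the IETF transaction token draft. It assumes an HMAC key shared between the CDN edge (the issuer) and the microservices (the verifiers), a session store that the edge consults once per request, and constructed claim names, sample sessions and service names. The edge mints a token bound to one audience and one scope with a short lifetime; a service validates it entirely locally and rejects tokens aimed at another service, expired tokens, and replays within the lifetime window.

```python
"""Added example (not Yahoo!'s code): a CDN edge exchanging a browser session
cookie for a narrowly scoped, short-lived transaction token (TraT) that a
downstream microservice validates locally.  Key, session store, claim names
and service names are constructed for the demo."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo state: one signing key shared by the edge and the services,
# and the centralized session store that only the edge talks to.
TRAT_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
SESSION_STORE = {
    "sess_abc123": {"sub": "user-42", "scopes": {"mail:read", "cal:read"}},
}
TRAT_TTL_SECONDS = 30  # assumption: tokens live for one short hop


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trat(cookie_value, target_service, requested_scope, now=None):
    """CDN edge: validate the cookie against the session store once, then mint
    a token bound to exactly one service and one scope.  Returns None when the
    session is unknown or does not hold the requested scope."""
    session = SESSION_STORE.get(cookie_value)
    if session is None or requested_scope not in session["scopes"]:
        return None
    now = time.time() if now is None else now
    claims = {
        "sub": session["sub"],
        "aud": target_service,            # bound to a specific service
        "scope": requested_scope,         # narrowly scoped
        "iat": int(now),
        "exp": int(now) + TRAT_TTL_SECONDS,  # time-limited
        "jti": secrets.token_hex(8),      # unique id so replays can be spotted
    }
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(TRAT_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64url(tag)


def verify_trat(token, my_service, required_scope, seen_jti, now=None):
    """Microservice: validate locally with no call back to the session service.
    Returns the claims on success, None on any failure."""
    try:
        payload, tag = token.split(".")
        received = _b64url_decode(tag)
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TRAT_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, received):
        return None  # forged or tampered
    now = time.time() if now is None else now
    if claims.get("aud") != my_service:
        return None  # token minted for a different service
    if claims.get("scope") != required_scope:
        return None  # token does not carry the scope this endpoint needs
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None  # expired (or not yet valid)
    if claims.get("jti") in seen_jti:
        return None  # replayed within the lifetime window
    seen_jti.add(claims["jti"])
    return claims


if __name__ == "__main__":
    seen = set()
    trat = issue_trat("sess_abc123", "mail-svc", "mail:read")
    print("mail-svc accepts:", verify_trat(trat, "mail-svc", "mail:read", seen) is not None)
    print("cal-svc accepts:", verify_trat(trat, "cal-svc", "mail:read", set()) is not None)
```

The `seen_jti` set stands in for whatever per-service replay cache a deployment uses; because the lifetime is seconds, that cache stays small, which is the latency and state trade-off the talk was pointing at.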

Justin Richer on HTTP Message Signatures (RFC 9421)

Justin Richer (CTO, UberEther) delivered an excellent breakdown of HTTP Message Signatures (RFC 9421), making an otherwise complex topic highly digestible. I’m particularly excited about using HTTP Message Signatures to bind sessions to a user’s browser—a more complex but more flexible alternative to Device Bound Session Credentials (DBSC). (Note Justin’s recent issue submitted to the W3C proposing using HTTP Message Signatures in place of JOSE for DBSC.) After discussing RFC 9421 with Justin last fall at IETF 121 in Dublin, my colleague Harry Guo built an internal demo implementing this concept to enhance session security. I expect to see this approach integrated into future product offerings from Beyond Identity.
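The session-binding idea above, as an added example that is not Justin's, Harry's or Beyond Identity's code. It builds the RFC 9421 signature base for a fixed set of components (`@method`, `@authority`, `@path` and the `cookie` header) and signs it with the registered `hmac-sha256` algorithm, using a per-session key the browser holds. The session table, the freshness window on the `created` parameter and the nonce replay check are assumptions for the demo, as is the constructed sample request; the goal is that a cookie presented without a signature from the bound key, or with a signature over a different request, is rejected.

```python
"""Added example (not the page's or Beyond Identity's code): binding a web
session to a browser-held key with HTTP Message Signatures (RFC 9421).
Covers a fixed component set with hmac-sha256; session table, skew window and
nonce cache are demo assumptions."""
import base64
import hashlib
import hmac
import re
import time

# Constructed demo state: per session, the key bound at login and the nonces
# already consumed.
SESSIONS = {"sess_7f2a": {"key": b"constructed-per-session-key", "used_nonces": set()}}
MAX_SKEW_SECONDS = 60  # assumption: how old a `created` value may be
COVERED = ("@method", "@authority", "@path", "cookie")


def fresh_request():
    """Constructed sample request as the browser would send it before signing."""
    return {"method": "GET", "authority": "app.example", "path": "/account",
            "headers": {"cookie": "session=sess_7f2a"}}


def _component_value(name, request):
    """Value of a derived component or header field per RFC 9421 section 2."""
    if name == "@method":
        return request["method"].upper()
    if name == "@authority":
        return request["authority"].lower()
    if name == "@path":
        return request["path"]
    return request["headers"][name].strip()  # KeyError if the field is absent


def signature_params(created, nonce, keyid):
    """Inner-list value used in Signature-Input and as the last base line."""
    components = " ".join('"%s"' % c for c in COVERED)
    return ('(%s);created=%d;nonce="%s";keyid="%s";alg="hmac-sha256"'
            % (components, created, nonce, keyid))


def signature_base(request, params):
    """RFC 9421 signature base: one '"name": value' line per covered component,
    then the "@signature-params" line, joined by LF."""
    lines = ['"%s": %s' % (c, _component_value(c, request)) for c in COVERED]
    lines.append('"@signature-params": %s' % params)
    return "\n".join(lines).encode()


def sign_request(request, session_id, nonce, created=None):
    """Browser side: add Signature-Input and Signature headers (label sig1)."""
    created = int(time.time()) if created is None else created
    params = signature_params(created, nonce, session_id)
    tag = hmac.new(SESSIONS[session_id]["key"], signature_base(request, params),
                   hashlib.sha256).digest()
    request["headers"]["signature-input"] = "sig1=" + params
    request["headers"]["signature"] = "sig1=:%s:" % base64.b64encode(tag).decode()
    return request


def verify_request(request, now=None):
    """Server side: rebuild the base from the request actually received and
    accept only a fresh, unreplayed signature under the session's bound key.
    Returns the session id on success, None otherwise."""
    headers = request["headers"]
    sig_input = headers.get("signature-input", "")
    sig = headers.get("signature", "")
    if not sig_input.startswith("sig1=") or not (sig.startswith("sig1=:") and sig.endswith(":")):
        return None  # unsigned: a bare stolen cookie lands here
    params = sig_input[len("sig1="):]
    m = re.fullmatch(r'.*;created=(\d+);nonce="([^"]*)";keyid="([^"]*)";alg="hmac-sha256"', params)
    if m is None:
        return None
    created, nonce, keyid = int(m.group(1)), m.group(2), m.group(3)
    session = SESSIONS.get(keyid)
    if session is None or params != signature_params(created, nonce, keyid):
        return None  # unknown session, or the client covered a different component set
    now = time.time() if now is None else now
    if abs(now - created) > MAX_SKEW_SECONDS or nonce in session["used_nonces"]:
        return None  # stale or replayed
    try:
        expected = hmac.new(session["key"], signature_base(request, params), hashlib.sha256).digest()
        received = base64.b64decode(sig[len("sig1=:"):-1], validate=True)
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(expected, received):
        return None  # wrong key, or method/authority/path/cookie changed in transit
    session["used_nonces"].add(nonce)
    return keyid


if __name__ == "__main__":
    signed = sign_request(fresh_request(), "sess_7f2a", "nonce-demo")
    print("verified session:", verify_request(signed))
```

A production verifier would parse the structured-field syntax properly and allow the client to cover additional components; pinning the exact component list, as done here, is the simplest way to guarantee the cookie is always under the signature.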

Homework and Deep Dives

OSW also left me with a stack of reading material. Kaixuan Luo’s presentation, “Cross-app OAuth Attacks in Integration Platforms: Mix-up Attacks Reloaded,” was fascinating but requires a deeper dive. Similarly, I found Tommaso Innocenti and Louis Jannett’s “Only as Strong as the Weakest Link: On the Security of Brokered Single Sign-On on the Web” to be interesting research. The unconference session which followed led to nuanced discussions about the differences between single sign-on brokers used under a business agreement versus as a public service, when they should be used, and how they can both protect and damage an individual’s privacy. I look forward to some quiet time to read and think further about both of these research papers.

Leading the Discussion

In addition to attending, I co-led four unconference sessions:

  • Delegation of Authority & On-Behalf-Of Semantics – Alongside Mark Haine (OpenID Foundation) and George Fletcher (independent), we explored how real-world delegation mechanisms often go beyond what OAuth currently provides. The conversation is now continuing within the OpenID Foundation’s eKYC & Identity Assurance Working Group.
  • IPSIE Discussion – Co-leading with Aaron Parecki (Okta), we shared the vision of IPSIE and received valuable feedback that has already influenced our working group documents.
  • Credential Properties & Terminology – With Pamela Dingle (Microsoft), we continued work stemming from our Authenticate 2024 talk, shifting the focus from traditional discussions about "authentication factors" to a property-driven model to describe credentials in concrete terms. I hope we’ll have a draft for publication soon.

The Value of Community

No identity conference is complete without the informal moments that make the industry feel like a tight-knit community. One highlight was Justin Richer hosting a hilarious game of Cards Against Identity on Thursday night. Trust me, bruh, we’re also good at poking fun at ourselves. Out of a side conversation, a draft, “Deferred Key Binding for OAuth,” quickly emerged to define the tmb (Trust Me, Bruh) claim for OAuth 2.0. We’ll be discussing this draft, tongues planted firmly in cheeks, at IETF 122 on March 21, 2025.

And, true to my "work hard, play hard" mentality, I wrapped up my trip by road-tripping the Golden Circle with Alex Babeanu (IndyKite), Jeff Lombardo (AWS), and Jeff’s wife Pauline, visiting waterfalls, extinct volcanic craters, geysers, a black sand beach, and the Blue Lagoon. The perfect way to end a week in Iceland, exploring the island with friends, old and new.

Jeff, Pauline, Dean, and Alex at Þingvellir National Park

Looking Ahead

OSW was an incredible experience—highly technical, deeply collaborative, and full of meaningful discussions. The mix of structured talks, open-ended sessions, and community bonding creates a rare space where identity professionals can push forward the conversation on standards and security in ways that larger conferences often struggle to achieve.

This was my first OSW, but it won’t be my last. If you’re working on OAuth, security, or identity standards, I highly recommend it.
