The venue for in-depth technical discussions on
OAuth, OpenID & Co.
The OAuth Security Workshop (OSW) is the premier forum for in-depth technical discussions on OAuth, OpenID, and related related technologies.
By fostering a direct and open collaboration between industry professionals, academic researchers, and members of standardization groups, OSW has in a unique way helped to shape and improve internet protocols. It has even played a pivotal role in developing new ones, such as the JWT Access Token Profile, DPoP, and SD-JWT. Leading researchers showcase their cutting-edge results on identity protocol security at OSW.
OSW also serves as an independent venue for the exchange between various working groups (IETF OAuth and GNAP working groups, OpenID Foundation, etc.).
“The OSW remains the best venue for getting things done in the identity protocols space. The best minds in the industry are there, all eager to solve hard problems: expect two days of relentless focus and remarkable results.”
— Vittorio Bertocci †
“OSW has given me the opportunity to listen, learn and discuss with the best and most experienced people in this domain. If you’re lucky you might even get to witness or participate in the birth of a new international standard or two.”
— Steinar Noem, Udelt AS
“The OAuth Security Workshop is the leading venue where experts from academia and industry join forces to discuss and harden current and future identity standards.”
— Prof. Ralf Küsters, University of Stuttgart
About the OAuth Security Workshop
What is the OAuth Security Workshop?
In 2015, two different groups of researchers (from Ruhr University Bochum and University of Trier) independently discovered new attacks on OAuth and OpenID Connect. At a meeting in Darmstadt, convened at short notice, researchers and members of the OAuth Working Group discussed the impact and potential mitigations of the attacks. The participants also identified the need for a better exchange between the groups to ensure that in the future, security research and standardization go hand in hand. This was the birth of the OAuth Security Workshop.
And while security is still the focus, the meeting has evolved to also be a working meeting to advance existing standards and sometimes also to start new ones.
Why should I attend?
OSW is the place to talk to world-leading identity experts, practicioners and researchers in an open, collaborative environment. This is the place to see what is brewing in the standardization groups, talk about the challenges you might be facing, and run your research by those people who live and breathe identity standards.
What happens at OSW? What kind of content can I expect and how is it selected?
There is a conference part, where submitted and reviewed talks are presented and there is an unconference part, where everybody can propose sessions to tackle problems, deep-dive on particular topics, present the latest ideas, or work on something together. Social events ensure that there is time to talk outside the sessions.
Talks have to be focused on technical content and must not promote products or vendors. A program committee decides on whether submitted talks are accepted for presentation. (Occasional) company presentations by our sponsors are very brief and clearly marked.
Why are there two submission deadlines?
Many attendees need early confirmation of their participation to secure travel funding from their employers. By having an early submission deadline, we can provide these attendees with a response in time for their budget requests. The second deadline allows us to accommodate those who may decide to participate closer to the event. It also enables us to cover more recent developments, ensuring that the conference covers the latest and most relevant topics.
We encourage you to submit by the first deadline if possible. This gives you an opportunity to refine and resubmit your proposal by the second deadline if the program committee suggests any improvements.
Who runs OSW?
We (Daniel Fett, Guido Schmitz, Steinar Noem) run OSW, but there is no organization or company behind it. Each OSW is hosted by a different partner from around Europe — a University, a research group or organization, or a company. The host handles all the on-site organization and the budget. We handle all aspects of the program and work closely with the host to deliver a unique experience for each event.
How is it funded?
OSW is run as a non-profit event. Our hosts and sponsors help to pay for a large part of the expenses (e.g., venue, catering, social events), the tickets cover the rest.
I'm interested in sponsoring or hosting OSW!
Great, please talk to us! If you want to host the OSW, ideally, you should have attended an OSW or two before.
Past Events
Photo by DAVID ILIFF. License: CC BY-SA 3.0
OSW 2023: London, UK
OSW 2022: Trondheim, Norway
OSW 2021: virtual
OSW 2020: virtual
July 2020
Originally planned to take place in Trondheim, Norway, the OSW 2020 was a fully virtual event, hosted by Computer, Menschen, Dinge e.V., Trier.
OSW 2019: Stuttgart, Germany
March 2019, Stuttgart
The fourth OSW was hosted by the Institute for Information Security, University of Stuttgart.
OSW 2018: Trento, Italy
March 2018, Trento
The third OSW was hosted by the Security and Trust research unit of the Bruno Kessler Foundation (FBK).
OSW 2017: Zurich, Switzerland
July 2017, Zurich
The second OSW was hosted by the Zurich Information Security and Privacy Center of ETH Zurich.
OSW 2016: Trier, Germany
July 2016, Trier
The first official OAuth Security Workshop, hosted by the Chair for Information Security and Cryptography, University of Trier.
OSW 2015: The Beginning
November 2015, Darmstadt/Germany
Where everything began. Hosted by Deutsche Telekom.