“eX”es and “O”auths (They Haunt Me): An In-Depth Analysis of OAuth & OIDC Misconfigurations and Token Replay Attacks
OVERVIEW
OAuth 2.0 and OpenID Connect (OIDC) are the backbone of modern identity and access management, but poor implementations leave organizations dangerously exposed. In this talk, I’ll move beyond theory and demonstrate how subtle misconfigurations in OAuth and OIDC flows can be exploited by attackers to bypass authentication, impersonate users, and replay tokens for unauthorized access. We’ll walk through real-world vulnerabilities such as missing state parameters, improperly validated discovery documents, and token validation failures. Then I’ll demonstrate a live token replay attack using OWASP ZAP to intercept and reuse a captured JWT — illustrating how easily these weaknesses can be exploited in the wild. Attendees will leave with actionable knowledge on how to identify, exploit, and mitigate these flaws in enterprise environments, along with open-source scripts and tools to reproduce the attack scenarios in their own labs.
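The abstract names three classes of flaw (missing state parameters, token validation failures, and token replay) without showing what a correct check looks like on the relying-party side. The following is an added example, not code from the talk or its author: a minimal ID-token validator that pins the signing algorithm, verifies the signature, checks iss/aud/exp/nbf/nonce, and keeps a jti cache so a captured token cannot be presented twice, plus a constant-time comparison for the state parameter returned to the redirect URI. The issuer, client_id, shared HS256 key and mint_token helper are constructed for the demo; in a real deployment the key material and issuer come from the provider's discovery document fetched over TLS from the exact issuer URL, and the replay cache lives in a shared store rather than process memory.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Constructed sample configuration for the demo (hypothetical values).
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "my-client-id"
SHARED_SECRET = b"constructed-demo-secret"   # HS256 key for this demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Constructed helper: sign a JWT with HS256 so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_state(session_state: Optional[str], callback_state: Optional[str]) -> bool:
    """The state the client stored before redirecting must equal the one echoed back.
    A missing value on either side is a failure, not a pass."""
    if not session_state or not callback_state:
        return False
    return hmac.compare_digest(session_state, callback_state)


class TokenValidator:
    def __init__(self, issuer: str, audience: str, key: bytes, now: Callable[[], float] = time.time):
        self.issuer, self.audience, self.key, self.now = issuer, audience, key, now
        self.seen_jti: Dict[str, float] = {}   # jti -> exp; in-memory replay cache for the demo

    def validate(self, token: str, expected_nonce: Optional[str] = None) -> dict:
        """Return the claims if the token is acceptable, otherwise raise ValueError."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, p, s = parts
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: the 'alg' header from the token never selects the verifier.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected_sig = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
            raise ValueError("bad signature")

        claims = json.loads(_b64url_decode(p))
        now = self.now()
        if claims.get("iss") != self.issuer:
            raise ValueError("issuer mismatch")
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if self.audience not in audiences:
            raise ValueError("audience mismatch")
        if "exp" not in claims or now >= claims["exp"]:
            raise ValueError("expired")
        if now < claims.get("nbf", 0):
            raise ValueError("not yet valid")
        if expected_nonce is not None and claims.get("nonce") != expected_nonce:
            raise ValueError("nonce mismatch")

        # Replay detection: each jti may be accepted once until it expires.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        jti = claims.get("jti")
        if not jti:
            raise ValueError("missing jti")
        if jti in self.seen_jti:
            raise ValueError("replayed token")
        self.seen_jti[jti] = claims["exp"]
        return claims


if __name__ == "__main__":
    v = TokenValidator(EXPECTED_ISSUER, EXPECTED_AUDIENCE, SHARED_SECRET)
    t = int(time.time())
    tok = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
                      "iat": t, "exp": t + 300, "nonce": "n1", "jti": "id-1"})
    print("first use:", v.validate(tok, expected_nonce="n1")["sub"])
    try:
        v.validate(tok, expected_nonce="n1")
    except ValueError as err:
        print("second use rejected:", err)
```

Every rejection path raises rather than returning a partial result, and the replay cache is keyed on jti with the token's own exp so that entries age out without letting a still-valid token be reused.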