Web Security: OAuth and OpenID Connect

Learn how to work with OAuth and OpenID Connect to authenticate your applications.

Introduction

• Using OAuth 2.0 and OpenID Connect
• What you should know
• What you will need

1. What Is OAuth?

• Describing OAuth 2.0
• Making OAuth 2.0 useful with extensions
• Extending OAuth 2.0 with OpenID Connect

2. Foundational Concepts

• OAuth 2.0 fundamentals
• Touring the OAuth endpoints
• Designing and using OAuth scopes

3. OAuth Tokens

• OAuth 2.0 tokens
• Validating JWTs
• Using access and refresh tokens
• Parsing and using ID tokens
• Handling tokens safely and securely

4. Grant Type: Authorization Code

• Overview: Authorization code flow
• When should I use this?
• PKCE Overview
• When should I use PKCE?
• Build an example: Web app or Postman
• Build an example: Native app or SPA
• Security considerations

5. Grant Type: Implicit/Hybrid

• Overview: Implicit flow
• When should I use this?
• Build an Example: SPA
• Security considerations

6. Grant Type: Resource Owner Password

• Overview: Resource owner password flow
• When Should I use this?
• Build an example: curl
• Security considerations

7. Grant Type: Client Credential

• Overview: Client credential flow
• When should I use this?
• Build an example: curl
• Security considerations

8. Grant Type: Device Grant Type

• Overview: Device flow
• When should I use this?
• Build an example: Kiosk
• Security considerations

9. Using an OAuth Architecture

• OAuth recommended practices
• Configuring an OAuth server in PHP
• Configuring an OAuth server in Node.js
• OAuth 2.0 as a service using Okta

10. State of the Industry

• OAuth extensions
• Industry specific OAuth extensions

Conclusion

• Next steps