Free Online Course. Register and receive each new lesson directly to your inbox.
In this 8 part online course you will get a comprehensive introduction to OAuth and OpenID Connect to help you get started with implementing these security standards in your own projects.
Register to receive each new lesson directly to your inbox and watch from the comfort of your chair, at a time that suits you.
Each session is approximately 30 minutes long.
In this first session we'll go through the basics of OAuth. You'll learn what it is intended to solve and the Authorization Code Flow which is the most common OAuth flow.
OpenID Connect is built on top of OAuth. It adds an identity layer that provides tools for the client to handle user logins and sessions. We'll discuss how OpenID is different from OAuth, how they relate to each other and how Single Sign On works using OpenID Connect.
OAuth is all about tokens. These tokens have specific purposes and usage patterns. In this session we'll explain the various tokens and how they work when calling an API. We will also discuss how to efficiently design an API infrastructure using a token based architecture and the phantom token flow.
Applications that don't have users directly involved in the transaction are special in OAuth. In this session we discuss how to use OAuth for server applications and what tools there are to secure the usages of these tokens.
Using tokens for access to an API is just the beginning. The token itself can be shaped to contain all the details the API needs in order to properly authorize the request. This means that the token itself is an API for the APIs. Using claims, tokens can be shaped to create a valuable resource in your API infrastructure.
OAuth and OpenID Connect define a standard metadata document that can be used by any client. Dynamic Clients are clients created on demand which enables many interesting use-cases. In this session we'll look at the Dynamic Client Registration standard and how to use it.
When using OAuth in mobile applications it's important to follow the best practices. The applications is considered to be a public client that cannot hold a secret, so how do we secure the requests? We will also discuss how to turn a public client into a confidential client using Dynamic Client Registration.