Getting Started with OAuth and OpenID Connect

In this 8 part online course you will get a comprehensive introduction to OAuth and OpenID Connect to help you get started with implementing these security standards in your own projects.

Register to receive each new lesson directly to your inbox and watch from the comfort of your chair, at a time that suits you.

Each session is approximately 30 minutes long.

---

Course outline

Session 1: Introduction to OAuth

In this first session we'll go through the basics of OAuth. You'll learn what it is intended to solve and the Authorization Code Flow which is the most common OAuth flow.

• Background and short history
• The Problem OAuth is solving
• Actors in OAuth
• The OAuth Code Flow
• Refreshing a token

---

Session 2: OAuth vs OpenID Connect

OpenID Connect is built on top of OAuth. It adds an identity layer that provides tools for the client to handle user logins and sessions. We'll discuss how OpenID is different from OAuth, how they relate to each other and how Single Sign On works using OpenID Connect.

• OpenID Connect vs OAuth
• The OpenID Connect Code Flow
• Single Sign-On and OpenID Connect
• Understanding the ID Token

---

Session 3: Tokens and APIs

OAuth is all about tokens. These tokens have specific purposes and usage patterns. In this session we'll explain the various tokens and how they work when calling an API. We will also discuss how to efficiently design an API infrastructure using a token based architecture and the phantom token flow.

• Tokens in OAuth and OpenID
  • Understanding token type, purpose and format.
  • Typical token lifetimes
• Calling an API with an Access Token
• Introspecting a token
• Using a Gateway to introspect tokens
• The Phantom Token Flow

---

Session 4: Server to Server Communication with OAuth

Applications that don't have users directly involved in the transaction are special in OAuth. In this session we discuss how to use OAuth for server applications and what tools there are to secure the usages of these tokens.

• Server to Server communication
• Client Credentials Flow
• Client Authentication Methods
  • Mutual TLS (MTLS)
  • JWT Client Assertion
  • Secret
• MTLS Sender Constrained Tokens

---

Session 5: Design tokens for your APIs

Using tokens for access to an API is just the beginning. The token itself can be shaped to contain all the details the API needs in order to properly authorize the request. This means that the token itself is an API for the APIs. Using claims, tokens can be shaped to create a valuable resource in your API infrastructure.

• The difference between Scope and Claims
• How to design a token
  • Using Scope
  • Adding Claims
• Thinking API first
  • Define a contract with the API
  • Authorization in the API using scope and Claims

---

Session 6: Dynamic Clients and Metadata

OAuth and OpenID Connect define a standard metadata document that can be used by any client. Dynamic Clients are clients created on demand which enables many interesting use-cases. In this session we'll look at the Dynamic Client Registration standard and how to use it.

• Using Metadata in the Client
• What is Dynamic Client Registration
• The bootstrap token
  • How is this obtained?
• DCRM - Managing the Client

---

Session 7: OAuth for Mobile Applications

When using OAuth in mobile applications it's important to follow the best practices. The applications is considered to be a public client that cannot hold a secret, so how do we secure the requests? We will also discuss how to turn a public client into a confidential client using Dynamic Client Registration.

• OAuth for Mobile Apps
  • PKCE - Proof Key Code Exchange
  • Public Clients
• Dynamic Client Registration (DCR) for Mobile Clients
  • Creating Confidential Clients for Mobile Applications

---

Session 8: OAuth for Single Page Applications

Single Page Application run without a backend. All logic happens in the browser using JavaScript. To retrieve a token in order to call APIs certain measures should be taken. You will learn the best practice and we explore multiple ways SPAs can make use of OAuth.

• Single Page Applications
  • PKCE - Proof Key Code Exchange
  • Code Flow with an SPA
• Depending on the SSO Session
• Assisted Token
• Using a Backend for Frontend