LEARNING PATH: Advanced Application Security

OAuth and OIDC Essentials

OAuth and OIDC (OpenID Connect) have become the de facto protocols for authentication and authorization on the modern web. Nearly every application you use depends on these technologies, particularly for Single Sign-On and Social Login. Despite their ubiquity, OAuth and OIDC can get confusing, especially with the multiple flows, models and use cases.

In this course, we’re going to start with the basics of OAuth and OIDC. We’ll examine how these protocols have evolved over the years, and how we’ve come to grow dependent on them. 

After that, in typical AppSecEngineer style, we’re going to take a deep-dive into OAuth and OIDC. We’ll be exploring the different flows related to them, including the Authorization Code Grant, Implicit Grant, Client Credentials Grant, and more. You’ll get to learn each of these topics using powerful hands-on labs that will demonstrate these concepts in depth. 

At the end of the course, we’re checking out the new OAuth PKCE Flow (Proof Key for Code Exchange), which is currently considered the more secure type of flow for OAuth and OIDC. Finally, we’ll learn a few best practices for protecting tokens and securing these implementations on the browser.

OAuth and OIDC Essentials
Proficiency: Intermediate
Audience: Cloud Security Expert
Course Duration: 7
Lessons: 36
Cloud Labs: 5


    • Course Intro
    • The Need for OAuth
    • In the Past…
    • AuthN and AuthZ with Tokens
    • The Problems of Discrete IAM
    • Delegated and Federated Access
    • SAML: A Flawed Initial Attempt?
    • Players in OAuth and OIDC
    • Introducing Keycloak
    • Keycloak 101
    • OAuth Protocol, Versions and History
    • OAuth Terminologies
    • OAuth is for Authorization
    • OAuth Advantages
    • OAuth Flow Example
    • OAuth Clients and Perspectives
    • OIDC: An Introduction
    • OIDC Authorization Code Flow
    • Types of Tokens: OAuth and OIDC
    • The Various Flows of OAuth and OIDC
    • The Client Credentials Grant
    • The Implicit Grant
    • Considerations for the Implicit Grant
    • The Authorization Code Grant
    • Authorization Code Grant: Deep Dive
    • Authorization Code Grant with Confidential Client
    • The Resource Owner Credential Grant a.k.a. Password Grant
    • The Device Grant
    • OAuth 2.0 vs. 2.1
    • PKCE (Proof Key for Code Exchange) – OAuth and OIDC
    • Authorization Code Grant with PKCE
    • Protecting Tokens in the Browser
    • Local Storage vs Session Storage
    • Securing Refresh Tokens
    • Refresh Token Rotation
    • Protecting against XSS (Cross-Site Scripting)
  • Keycloak 101
  • Client Credential Flow
  • Implicit Flow
  • Authorization Code Flow - Confidential
  • Authorization Code Flow with PKCE - Confidential