OAuth and OIDC (OpenID Connect) have become the de facto standards for authorization and authentication on the modern web: OAuth handles delegated authorization, and OIDC adds an authentication layer on top of it. Nearly every application you use depends on these technologies, particularly for Single Sign-On and social login. Despite their ubiquity, OAuth and OIDC can get confusing, especially given the multiple flows, client types and use cases.
In this course, we’re going to start with the basics of OAuth and OIDC. We’ll examine how these protocols have evolved over the years, and how we’ve come to grow dependent on them.
After that, in typical AppSecEngineer style, we’re going to take a deep-dive into OAuth and OIDC. We’ll be exploring the different flows related to them, including the Authorization Code Grant, Implicit Grant, Client Credentials Grant, and more. You’ll get to learn each of these topics using powerful hands-on labs that will demonstrate these concepts in depth.
At the end of the course, we look at PKCE (Proof Key for Code Exchange), an extension to the Authorization Code grant that binds an authorization code to the client that requested it, so that a stolen code cannot be exchanged for tokens by anyone else. Authorization Code with PKCE is now the recommended flow for both OAuth and OIDC, and the OAuth 2.1 draft makes it mandatory. Finally, we’ll learn a few best practices for protecting tokens and securing these implementations in the browser.
Keycloak 101
Client Credential Flow
Implicit Flow
Authorization Code Flow - Confidential
Authorization Code Flow with PKCE - Confidential
Course Introduction
The Need for OAuth
In the Past…
AuthN and AuthZ with Tokens
The Problems of Discrete IAM
Delegated and Federated Access
SAML: A Flawed Initial Attempt?
Players in OAuth and OIDC
Introducing Keycloak
Lab Video: Keycloak 101
Lab: Keycloak 101
OAuth Protocol, Versions and History
OAuth Terminologies
OAuth is for Authorization
OAuth Advantages
OAuth Flow Example
OAuth Clients and Perspectives
OIDC: An Introduction
OIDC Authorization Code Flow
Types of Tokens: OAuth and OIDC
The Various Flows of OAuth and OIDC
The Client Credentials Grant
Lab Video: The Client Credentials Grant
Lab: Client Credential Flow
The Implicit Grant
Lab Video: The Implicit Grant
Lab: Implicit Flow
Considerations for the Implicit Grant
The Authorization Code Grant
Authorization Code Grant: Deep Dive
Lab Video: Authorization Code Grant with Confidential Client
Lab: Authorization Code Flow - Confidential
The Resource Owner Password Credentials Grant, a.k.a. Password Grant
The Device Grant
OAuth 2.0 vs. 2.1
PKCE (Proof Key for Code Exchange) – OAuth and OIDC
Lab Video: Authorization Code Grant with PKCE
Lab: Authorization Code Flow with PKCE - Confidential
Protecting Tokens in the Browser
Local Storage vs. Session Storage
Securing Refresh Tokens
Refresh Token Rotation
Protecting against XSS (Cross-Site Scripting)