OAuth 2.0 and OIDC (OpenID Connect) have become the de facto protocols for authorization and authentication on the modern web: OAuth 2.0 is a framework for delegated authorization, and OIDC layers an identity (authentication) protocol on top of it. Nearly every application you use depends on these technologies, particularly for Single Sign-On and Social Login. Despite their ubiquity, OAuth and OIDC can get confusing, especially with the multiple flows, client types and use-cases.
In this course, we’re going to start with the basics of OAuth and OIDC. We’ll examine how these protocols have evolved over the years, and how we’ve come to grow dependent on them.
After that, in typical AppSecEngineer style, we're going to take a deep dive into OAuth and OIDC. We'll explore the different flows, including the Authorization Code Grant, the Implicit Grant (now discouraged by the OAuth 2.0 Security Best Current Practice in favour of the Authorization Code Grant with PKCE), the Client Credentials Grant, and more. You'll learn each of these topics through hands-on labs that demonstrate the concepts in depth.
At the end of the course, we look at PKCE (Proof Key for Code Exchange, RFC 7636). PKCE is not a separate flow but an extension to the Authorization Code flow: the client sends a hash of a one-time secret with the authorization request and the secret itself with the token request, so an intercepted authorization code cannot be redeemed by anyone else. It is now the recommended way to run the Authorization Code flow for public clients such as browser-based and native apps, and is recommended for confidential clients as well. Finally, we'll learn a few best practices for protecting tokens and securing these implementations in the browser.
Client Credentials Flow
Authorization Code Flow - Confidential
Authorization Code Flow with PKCE - Confidential