Labs

Keycloak 101

Client Credential Flow

Implicit Flow

Authorization Code Flow - Confidential

Authorization Code Flow with PKCE - Confidential

Course Content

Introduction

Course Introduction

The Need for OAuth

In the Past…

AuthN and AuthZ with Tokens

The Problems of Discrete IAM

Delegated and Federated Access

SAML: A Flawed Initial Attempt?

Players in OAuth and OIDC

Keycloak

Introducing Keycloak

Lab Video: Keycloak 101

Lab: Keycloak 101

OAuth and OIDC: Deep dive

OAuth Protocol, Versions and History

OAuth Terminologies

OAuth is for Authorization

OAuth Advantages

OAuth Flow Example

OAuth Clients and Perspectives

OIDC: An Introduction

OIDC Authorization Code Flow

Types of Tokens: OAuth and OIDC

OAuth and OIDC flows

The Various Flows of OAuth and OIDC

The Client Credentials Grant

Lab Video: The Client Credentials Grant

Lab: Client Credential Flow

The Implicit Grant

Lab Video: The Implicit Grant

Lab: Implicit Flow

Considerations for the Implicit Grant

The Authorization Code Grant

Authorization Code Grant: Deep Dive

Lab Video: Authorization Code Grant with Confidential Client

Lab: Authorization Code Flow - Confidential

The Resource Owner Password Credentials Grant, a.k.a. the Password Grant

The Device Grant

OAuth 2.0 vs. 2.1

PKCE (Proof Key for Code Exchange) – OAuth and OIDC

Lab Video: Authorization Code Grant with PKCE

Lab: Authorization Code Flow with PKCE - Confidential

Protecting Tokens in the Browser

Protecting Tokens in the Browser

Local Storage vs. Session Storage

Securing Refresh Tokens

Refresh Token Rotation

Protecting against XSS (Cross-Site Scripting)

OAuth 2.0 and OIDC (OpenID Connect) have become the de facto protocols for authorization and authentication on the modern web: OAuth delegates access to resources, and OIDC layers identity (authentication) on top of it. Nearly every application you use depends on these technologies, particularly for Single Sign-On and Social Login. Despite their ubiquity, OAuth and OIDC can get confusing, especially with the multiple flows, models and use-cases.

In this course, we’re going to start with the basics of OAuth and OIDC. We’ll examine how these protocols have evolved over the years, and how we’ve come to grow dependent on them.

After that, in typical AppSecEngineer style, we’re going to take a deep-dive into OAuth and OIDC. We’ll be exploring the different flows related to them, including the Authorization Code Grant, Implicit Grant, Client Credentials Grant, and more. You’ll get to learn each of these topics using powerful hands-on labs that will demonstrate these concepts in depth.

At the end of the course, we're checking out the Authorization Code Grant with PKCE (Proof Key for Code Exchange). PKCE is an extension to the Authorization Code Grant rather than a separate flow: it was designed for public clients that cannot keep a secret, and OAuth 2.1 requires it for every client that uses the Authorization Code Grant, which is why it is currently the recommended option for OAuth and OIDC. Finally, we'll learn a few best practices for protecting tokens and securing these implementations in the browser.

Intermediate

7 Hours
38 Lessons
5 Cloud Labs
Learning path: Advanced Application Security

OAuth and OIDC Essentials

Ideal for
Developer
Security Engineer

Copyright AppSecEngineer © 2025