Mastering OAuth 2.0 and OpenID Connect

A 10-hour deep-dive on the latest best practices

OAuth 2.0 and OpenID Connect are crucial for securing web applications, mobile applications, APIs, and microservices. Unfortunately, getting a good grip on the purpose and use cases for these technologies is insanely difficult. As a result, many implementations use incorrect configurations or contain security vulnerabilities.

Let me tell you how I felt when I started digging into OAuth 2.0 and OpenID Connect a few years ago. I had a hard time understanding what OAuth 2.0 and OpenID Connect were supposed to solve. The terminology made it difficult to understand what the spec was even talking about. And the flows! Each use case had a different flow, and the differences between the flows are often tiny details.

Do you recognize your struggle here? If you are feeling frustrated and overwhelmed with OAuth 2.0 and OpenID Connect, this course is going to help you. This course takes you on a step-by-step journey into the world of OAuth 2.0 and OpenID Connect. It explains the purpose of each technology, along with its use cases. In the course, we also dig deep into concrete scenarios, enabling you to design and implement secure applications with OAuth 2.0 and OpenID Connect.

In a matter of hours, you gain the knowledge that usually takes months of researching dozens of specifications. Throughout the course, we build up a set of best practices that allow you to secure modern applications.

I have worked with thousands of developers to help them understand the ins and outs of OAuth 2.0 and OpenID Connect. I have seen them struggle, but I have also seen them succeed. That's why I can promise you that by the end of this course, you will be confident in using OAuth 2.0 and OpenID Connect.

This course is your shortcut towards understanding OAuth 2.0 and OpenID Connect.

Course modules

This course consists of three modules, in which we gradually dive deeper into the details of OAuth 2.0 and OpenID Connect. The introductory module gives an overview of these technologies, along with current best practices. This module will help you understand what these technologies have to offer and how you can use them in your application architecture. The subsequent modules dive deeper into the implementation and configuration details for securing modern applications.

1) Introduction to OAuth 2.0 and OpenID Connect

Everyone who first learns about OAuth 2.0 and OpenID Connect is confused. There are dozens of specifications with uncommon terminology and hard-to-understand scenarios. Eventually, you will have a working implementation, but questions remain. Why use the complicated redirect, instead of just a custom login form? Is this the right flow for my application? Where do I store tokens, and how can I protect them?

In this session, we will clear up the confusion surrounding OAuth 2.0 and OpenID Connect. You will learn about the purpose of these technologies and their concrete use cases. Using examples, we explore current best practice recommendations for using OAuth 2.0 and OpenID Connect. Throughout this session, we also identify which recommendations are part of OAuth 2.1, the latest OAuth specification. At the end of this session, you will understand how and where to use OAuth 2.0 and OpenID Connect.

This module is available as a free introduction.

2) Using OAuth 2.0 and OIDC in SPA frontends

Many modern applications are built as Single-Page Applications, using popular frameworks like Angular, React, and Vue. These frontend applications often need to rely on OpenID Connect to authenticate users, and on OAuth 2.0 to access remote APIs. But how do you integrate OAuth 2.0 and OIDC in a frontend? Where do you store access tokens? Can you use refresh tokens?

Many developers struggle with these questions, and this session answers them. Using a dedicated training application, we dive deep into the current best practices for using OAuth 2.0 and OIDC in frontend applications. We discuss the impact of common web vulnerabilities, along with strategies to manage tokens securely. At the end of this session, you will know all about token storage, silent authentication, and the backend-for-frontend pattern.

3) Securing APIs with OAuth 2.0 (and OIDC)

OAuth 2.0 has become the de facto standard for securing modern APIs. OAuth 2.0 itself does not protect your API, but it provides you with the framework to make consistent authorization decisions for different types of clients. But before you get there, you will have to figure out a lot of details. Do you use reference tokens or self-contained tokens? What is token introspection, and do you need it? How do you revoke tokens? How do you secure server-to-server API calls?

In this session, we guide you through making these decisions. You will learn about reference tokens and self-contained tokens, and their respective advantages and disadvantages. We dive into handling authorization with OAuth 2.0, using scopes and fine-grained permissions. We also dig deeper into using OAuth 2.0 to secure machine-to-machine communication between backend services. At the end of this session, you will have learned to tame the versatility of OAuth 2.0 to secure your APIs.

Ready to master OAuth 2.0 and OpenID Connect?

What to expect

This online course gives you 10 hours of the highest quality training content on OAuth 2.0 and OpenID Connect. Recorded lectures provide you with in-depth knowledge about these technologies and live demos illustrate the practicalities of OAuth 2.0 and OpenID Connect.

Each module also includes a PDF copy of the slides, along with an extensive written Q&A from the live training.

In the coming weeks, the recorded course will be transformed into a full-featured online course. The recordings will be broken down into short videos, along with practical assignments, knowledge checks and skill tests. Joining the current online course ensures you will automatically be upgraded to the new course when it is released.

Philippe De Ryck

Hi, I'm Dr. Philippe De Ryck

I help developers protect companies through better web security.

My Ph.D. in web security gives me a unique perspective into the most complex security challenges developers face today. In my training courses, I help you understand these challenges, I teach you about potential solutions, and I help you decide which solution fits best for your applications.

I have been invited to join the Google Developer Expert program for my work on web security and the Auth0 Ambassador program for my work on identity and access management.

Fortune 500 companies rely on me as a trainer and adviser to help them improve their security practices. Through this online course, you, too, can access the highest quality security content available today.

Tired of searching for confusing explanations and outdated information?

What others are saying about Philippe's courses

It’s rare to find professionals who have both the technical ability and presentation skills it takes to be a successful instructor-led-trainer. Dr. Philippe De Ryck has both and more in spades!

Jim Manico, CEO at Manicode Security

I would definitely take any class taught by Philippe again. He was the best instructor I’ve ever had (including a $5000 CISSP boot camp led by ISC2).

Software engineer at a Fortune 500 company

I have rarely encountered a more professional, humble, and knowledgeable person in his field. I would always invite Philippe again to either give a talk or do a workshop at future conferences.

Dajana Günther, CEO at Trifork Germany

Philippe delivers high-quality, to-the-point and up-to-date trainings about web security. We had him twice at our conference and got only very positive feedback. Do you consider booking him for a training? That's an easy decision: Do it.

Thomas Konrad
Organizer of the sec4dev conference