Mastering OAuth 2.0 and OIDC Security
Live training available as a 1-day essentials workshop or a 2-day advanced workshop
OAuth 2.0 and OpenID Connect have become cornerstone technologies for most modern applications. Unfortunately, these technologies are insanely complex to grasp, making it hard to use them securely.
This workshop takes you on a step-by-step journey into the world of OAuth 2.0 and OpenID Connect. The Essentials training helps you understand best practices for building secure applications. The Advanced training allows you to level up your OAuth 2.0 security using the latest state-of-the-art security mechanisms.
1-day Essentials outline
- Introduction to OAuth 2.0 and OpenID Connect
- Architecture patterns using OAuth 2.0 and OpenID Connect
- Best practices for securing OAuth 2.0 and OIDC flows
- Understanding OAuth 2.0 security in frontends
- Breaking OAuth 2.0 security in frontends
- Securing OAuth 2.0 with the Backend-For-Frontend pattern
- Using scopes and permissions in OAuth 2.0
- Securing APIs with OAuth 2.0
- Demos and practical examples throughout the day
2-day Advanced outline
- All of the content from day 1
- Advanced use cases for OAuth 2.0 and OpenID Connect
- Handling delegation scenarios in modern architectures
- Security best practices for confidential OAuth 2.0 clients
- Reducing access token authority with Resource Indicators
- Using sender-constrained tokens with mTLS and DPoP
- Securing OAuth 2.0 flows with JAR and PAR
- Advanced attacks and defenses against OAuth 2.0 flows
- Demos and practical examples throughout the day
Pricing Information
In-house workshops
In-house workshops are available on-site or online, depending on your preference. Pricing for in-house training is available at a fixed price per day, independent of the size of the group. Depending on current promotions, the cost per attendee per day ranges from EUR 200 - 233 for a group of 30 people. Details about pricing and availability can be requested by contacting Philippe at philippe@pragmaticwebsecurity.com.
Public online workshops
For individuals or small groups, joining a live online edition of this training is more cost-efficient than hosting an in-house training. The live online training offers the same immersive training experience. The next training is scheduled for February 10th - 11th and 17th - 18th, 202t.
If you have any further questions, don't hesitate to reach out to philippe@pragmaticwebsecurity.com.
What to expect?
The recording below should give you a good idea of Philippe's presenting style. This particular video is from the NDC Security conference in January 2023, where Philippe first demonstrated how to break OAuth 2.0 in frontend applications, sparking the subsequent rewriting of the OAuth 2.0 for browser-based apps specification.
The testimonials below illustrate how attendees experience Philippe's trainings.
Interactive speaker, keeps you engaged by involving you in the story and explains everything very clearly. Takes enough time to answer your questions.
Good structure, clear content and easy to follow. The quizzes in between were a good way to keep everyone engaged.
A top-notch training on an interesting topic that was very well explained and demonstrated. The speaker clearly had the necessary knowledge and experience to explain complex matters well and understandably with an occasional fun anecdote or joke. Also involved the audience during his examples. I liked the opportunity to ask questions throughout the presentation.
Experienced speaker, both with the subject and in engaging and interacting with participants.
Your trainer, Dr. Philippe De Ryck
Philippe De Ryck, with a Ph.D. in web security from KU Leuven, is renowned for making complex security topics accessible and engaging. As the founder of Pragmatic Web Security, he delivers expert security training and consulting, consistently earning rave reviews from participants globally. He also contributes to OAuth 2.0 specifications as a co-author of the best practices for browser-based apps and is recognized as a Google Developer Expert for his contributions in the field of web application and API security.