Mastering OAuth 2.0 and OIDC Security

Live training available as a 1-day essentials workshop or a 2-day advanced workshop

OAuth 2.0 and OpenID Connect have become cornerstone technologies for most modern applications. Unfortunately, these technologies are notoriously complex to grasp, which makes them hard to use securely.

This workshop takes you on a step-by-step journey into the world of OAuth 2.0 and OpenID Connect. The Essentials training helps you understand best practices for building secure applications. The Advanced training allows you to level up your OAuth 2.0 security using the latest state-of-the-art security mechanisms.

1-day Essentials outline
  • Introduction to OAuth 2.0 and OpenID Connect
  • Architecture patterns using OAuth 2.0 and OpenID Connect
  • Best practices for securing OAuth 2.0 and OIDC flows
  • Understanding OAuth 2.0 security in frontends
  • Breaking OAuth 2.0 security in frontends
  • Securing OAuth 2.0 with the Backend-For-Frontend pattern
  • Using scopes and permissions in OAuth 2.0
  • Securing APIs with OAuth 2.0
  • Demos and practical examples throughout the day
2-day Advanced outline
  • All of the content from day 1
  • Advanced use cases for OAuth 2.0 and OpenID Connect
  • Handling delegation scenarios in modern architectures
  • Security best practices for confidential OAuth 2.0 clients
  • Reducing access token authority with Resource Indicators
  • Using sender-constrained tokens with mTLS and DPoP
  • Securing OAuth 2.0 flows with JAR and PAR
  • Advanced attacks and defenses against OAuth 2.0 flows
  • Demos and practical examples throughout the day
  • In-depth lectures
  • Interactive quizzes
  • Practical demos
  • Insightful discussions
  • Q&A throughout the workshop

Pricing Information

In-house workshops

In-house workshops are available on-site or online, depending on your preference. In-house training is priced at a fixed rate per day, independent of the size of the group. Depending on current promotions, the cost per attendee per day ranges from EUR 200 to 233 for a group of 30 people. Details about pricing and availability can be requested by contacting Philippe at philippe@pragmaticwebsecurity.com.


Public online workshops

For individuals or small groups, joining a live online edition of this training is more cost-efficient than hosting an in-house training. The live online training offers the same immersive training experience. The next training is scheduled for February 10th - 11th and 17th - 18th, 202t.


If you have any further questions, don't hesitate to reach out to philippe@pragmaticwebsecurity.com.

What to expect?

The recording below should give you a good idea of Philippe's presenting style. This particular video is from the NDC Security conference in January 2023, where Philippe first demonstrated how to break OAuth 2.0 in frontend applications, sparking the subsequent rewriting of the OAuth 2.0 for browser-based apps specification.

The testimonials below illustrate how attendees experience Philippe's trainings.

Interactive speaker, keeps you engaged by involving you in the story and explains everything very clearly. Takes enough time to answer your questions.

Good structure, clear content and easy to follow. The quizzes in between were a good way to keep everyone engaged.

A top-notch training on an interesting topic that was very well explained and demonstrated. The speaker clearly had the necessary knowledge and experience to explain complex matters well and understandably with an occasional fun anecdote or joke. Also involved the audience during his examples. I liked the opportunity to ask questions throughout the presentation.

Experienced speaker, both with the subject and in engaging and interacting with participants.


Your trainer, Dr. Philippe De Ryck

Philippe De Ryck, with a Ph.D. in web security from KU Leuven, is renowned for making complex security topics accessible and engaging. As the founder of Pragmatic Web Security, he delivers expert security training and consulting, consistently earning rave reviews from participants globally. He also contributes to OAuth 2.0 specifications as a co-author of the best practices for browser-based apps and is recognized as a Google Developer Expert for his contributions in the field of web application and API security.

There are many security experts but only a few have a talent for presentations and lectures.

I met Philippe as an outstanding expert and speaker at the SecAppDev conference he regularly organizes.

This is why I was looking forward to this course and invited other colleagues of mine to participate in this course as well.

And he delivered :) I can say that the course is one of the best courses I have ever attended! Although I already knew a lot of the content, Philippe enriched the course with interesting examples and recent news from the OAuth Working Group. Philippe managed to reduce the complexity to the essentials and to explain complicated sounding schemes like PKCE in a clear and understandable way, even for non-technical people.

Highly recommended for all developers or security people who want to get a clear understanding of OAuth and OIDC.


Rocco Gränitz
Leading Application Security Architect at Generali