- How does OAuth 2.0 work, and what problems does it solve?
- What is OpenID Connect, and how is it different from OAuth?
- OAuth tokens and their usage
- Authorization in microservices
- Common security considerations
- Authorization for mobile apps and SPA
- Authorization in legacy applications
- Server-side implementations
Skill Level: Intermediate
- [Instructor] Hello, and welcome to Web Security using OAuth and OpenID Connect. I'm Keith Casey, and in this course we're going to explore OAuth and OpenID Connect from the basics, talk about specific good and bad use cases, demonstrate how to use them, and even review the risks and trade-offs of the different approaches. While most of the course will focus on the more common scenario of using and consuming OAuth, we'll touch on the OAuth server side of things, also. First, let's make sure we have a good understanding of the basics.
So we'll cover the definitions and background on what OAuth is, what OpenID Connect is, and how they do and don't fit together. Next we'll talk about the mechanics and terminology of tokens, scopes and claims, and how you use each of them. Then we'll cover the four primary flows: client credentials for microservices, hybrid implicit for mobile and single-page applications, authorization code flow for web apps, and finally the resource owner password flow for legacy apps.
We'll get into the basics of an authorization server and what it does. And then finally, we'll wrap with common attacks, threats and the corresponding mitigation strategies. Overall, it's a full agenda. So we better get started.