Join Keith Casey for an in-depth discussion in this video What you should know before watching this course, part of Web Security: OAuth and OpenID Connect.
- [Man] In terms of prerequisites for this course, there really aren't many. First, I should note that for the rest of this course, whenever I say OAuth, I mean specifically OAuth version 2.0 and not OAuth version 1. While OAuth 1 is still around in a few select places, support for it is steadily dwindling. One thing you do need is a firm grip on software development. You need to understand how HTTP redirects work and how to store data securely in the browser. Next, I recommend that you have Postman, along with the Postman Interceptor, installed.
Alternatively, you are welcome to use Runscope, but I'll be using Postman in this course. Next, you need to have a reliable OAuth server available. You can use something as simple as an open-source version, such as the PHP one available from The League. But there are plenty of others available in every language you might consider. Just remember, you have to worry about configuration and hosting. Alternatively, the Google OAuth Playground is a great option if you just want to try things out and see how they work. In addition, there's the OpenID Foundation's OpenID Connect Playground.
These are both great options to try things out, and the Google-provided one is even better because it works with the Google account you probably already have. Finally, I'd be remiss if I didn't mention Okta's own OAuth-as-a-service offering, called API Access Management. It's free with a developer account available at developer.okta.com. And in terms of disclosure, I work on this product in my day job, so I may be a little biased. And last but not least, you need to have a tool like jsonwebtoken.io available.
It's a simple website that can decode JSON Web Tokens, or JWTs, pronounced "jots", and tell you whether or not they're valid. There are tools and libraries that do that locally, but with this, we can stay language agnostic for now. Next, let's talk about how to use the code for this course.
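The difference between merely decoding a JWT and actually validating it, as an added Python example that is not part of the course: the token, the signing secret and the claims are all constructed here, and the validator pins the algorithm, checks the HMAC signature in constant time and rejects expired tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real resource server loads its verification key
# from configuration or the provider's published keys, never from the token.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_jwt(claims, secret):
    # Build a constructed HS256 token so the example runs offline.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def decode_jwt(token):
    # Decoding only: this is what a web decoder displays, and it proves nothing.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def validate_hs256_jwt(token, secret, now=None):
    # Returns (valid, reason); algorithm pinning, signature and expiry are checked.
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three dot-separated segments"
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token's own 'alg' field choose the verifier.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    # A missing 'exp' is treated as expired rather than as valid forever.
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    return True, "ok"
```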
- How does OAuth 2.0 work, and what problems does it solve?
- What is OpenID Connect, and how is it different from OAuth?
- OAuth tokens and their usage
- Authorization in microservices
- Common security considerations
- Authorization for mobile apps and SPA
- Authorization in legacy applications
- Server-side implementations