Open Authentication (OAuth)

• Basic knowledge of web service and API development

Audience

• Developers

Open Authentication (OAuth) is an open technology standard used for website authentication. It describes how unrelated servers and services can safely allow authenticated access to assets without sharing credentials.

This instructor-led, live training (online or onsite) is aimed at developers and anyone who wishes to learn and use OAuth to provide applications with secure delegated access.

By the end of this training, participants will be able to:

• Learn the fundamentals of OAuth.
• Understand the native applications and their unique security issues when using OAuth.
• Learn and understand the common extensions to the OAuth protocols.
• Integrate with any OAuth authorization server.

Format of the Course

• Interactive lecture and discussion.
• Lots of exercises and practice.
• Hands-on implementation in a live-lab environment.

Course Customization Options

• To request a customized training for this course, please contact us to arrange.

Introduction

• Overview of OAuth
• Understanding API security

OAuth

• Protocol endpoints
• Scope
• Authorization code for web apps
• Implicit flow for single-page apps
• Client credentials for machines
• Resource owner password credentials
• Long-lived access with refresh tokens
• Choosing the right response mode
• Simplifying OAuth with OAuth 2.1

Native Applications Best Practices

• Unique issues of native apps
• Using PKCE to handle stolen tokens
• Choosing the best redirect URI

Browser-based Application Best Practices

• The security profile of the browser-based app
• OAuth within the browser
• Avoiding OAuth with SameSite cookies
• Securing browser-based apps with backend for frontend

Extending OAuth

• OAuth and Identity with OpenID Connect
• Configuring clients with OAuth metadata
• Authorizing the IoT with the OAuth device flow
• Combining SAML and OAuth with the SAML assertion grant
• Securing Microservices with token exchange

Summary and Next Steps