Introduction to OpenID Connect and OAuth

Course organiser: Bouvet
Location: Bouvet Oslo office, Oslo, Majorstua
Course address: Sørkedalsveien 8, 0369 Oslo
Type: Open course / group instruction
Study / vocational training
Teaching hours: 09:00 - 16:00
Duration: 1 day
Price: 8.900
Next course: 02.03.2026

This course provides an introduction to OpenID Connect and OAuth. OpenID Connect and OAuth are the de-facto standards for authentication and authorization in modern applications, yet they involve complex concepts such as scopes, claims, and token flows.

Content:
This introductory workshop simplifies these fundamentals, giving developers, testers, and architects the skills to implement secure identity solutions. With hands-on exercises and practical insights, participants will gain a solid foundation to prevent vulnerabilities and work confidently with systems such as Duende IdentityServer, Keycloak, and Entra ID.

What you will learn:
• Authentication vs. authorization
• How OAuth 2.x and OpenID Connect work
• Fundamental concepts
• How a client authenticates against an authorization server
• How to retrieve and consume JWT tokens
• How OpenID Connect fits into your architecture
• How the tokens are secured and managed

This course includes many hands-on exercises that will help you understand how the protocol works under the hood. After this course, we recommend taking the Web Security Fundamentals workshop. Understanding core web security concepts is crucial when implementing and working with authentication solutions.

Agenda:
1) Introduction:
• Authentication vs. Authorization
• Our challenges
• OAuth versions
• OAuth vs. OpenID Connect

2) Token Service:
• Authorization Server
• Relying party
• Token types
• Bearer token
• Server implementations
• Identity architecture
• Service endpoints
• The discovery document

3) Implicit flow:
• How does this flow work
• Why it is no longer a recommended flow

4) JWT tokens:
• ID and access tokens
• JSON Web Tokens
• JWT access tokens

5) Claims and scopes:
• What are claims
• Claim types
• Scopes
• User consent

6) Securing the token:
• Unsecured tokens
• Signed tokens
• Signature algorithms
• Private / public keys
• Encrypted tokens
• State and nonce

7) Authorization Code Flow:
• Public vs. private clients
• Front vs. back-channel
• Getting the tokens

8) Refresh tokens:
• One-time refresh tokens
• Using the refresh token
• Token introspection

9) Client Credentials

10) Proof Key for Code Exchange (PKCE)

11) Single sign-on and sign-out

12) Backend for Frontend (BFF)

13) OAuth 2.1

Instructor: Tore Nestenius

Tore Nestenius is a seasoned industry expert with more than 25 years of professional experience in software development and over a decade specializing in developer training. He is an independent consultant, delivering high-quality training, coaching, and consulting services. His areas of focus include .NET, ASP.NET Core, software architecture, web security, and identity management. He is also a Microsoft .NET MVP and blogs frequently at https://nestenius.se/.

Target audience:
This course is designed for both new and experienced developers and architects seeking to understand the fundamentals of application security using OAuth 2 and OpenID Connect. With a focus on the core standards and protocols rather than a specific implementation or programming language, it is the right fit regardless of whether you use Duende IdentityServer, Entra ID (Azure AD), Keycloak, or any other authorization service.

Prerequisites:
You should have a good understanding of the following:
• The HTTP(S) protocol (including methods, headers, and cookies)
• How the web works in general
• Familiarity with REST APIs and JSON
• Some experience in developing backend web solutions