OAuth 2.0 Security

Description

OAuth 2.0 is a widely used framework for securing access to APIs. However, because of its complexity, many developers struggle to use and integrate OAuth 2.0 securely. This course introduces the core concepts of OAuth 2.0 and examines the currently recommended flows. It also gives a brief overview of the deprecated flows and looks at common security pitfalls and misconceptions.

Learning Objectives

  • Identify the different actors/roles in an OAuth 2.0 architecture
  • Differentiate between OAuth 2.0 and OpenID Connect
  • Explain how access tokens are used in OAuth 2.0
  • Describe current best practice flows for different types of clients
  • Explain the difference between access tokens and refresh tokens

Details

Delivery Format: eLearning

Duration: 1 hour 30 minutes

Level: Intermediate

Intended Audience:

  • Architects
  • Back-End Developers
  • Enterprise Developers
  • Front-End Developers
  • Mobile Developers

Prerequisites: None


Course Outline

The Need for OAuth 2.0

  • An Example OAuth 2.0 Scenario
  • The Valet Key Analogy
  • Valet Keys in Our Application

Delegated Access with OAuth 2.0

  • A Brief History of OAuth 2.0
  • OAuth 2.0 Terminology
  • Conceptual Overview of OAuth 2.0
  • OAuth 2.0 Clients

Overview of OAuth 2.0 Grant Types

  • Overview of Different Grant Types and Their Purposes
  • Authorization Code Grant
  • Device Authorization Grant
  • Client Credentials Grant
  • Implicit Grant
  • Resource Owner Password Credentials Grant

Delegated Access from a Confidential Client

  • A Confidential Client Scenario
  • Delegated Access with the Authorization Code Flow
  • Security Properties of the Authorization Code Flow

Delegated Access from a Public Client

  • A Public Client Scenario
  • Augmenting the Authorization Code Grant with PKCE
  • Mobile and Native Clients
  • Frontend Web Clients
  • Security Properties of the Authorization Code Flow with PKCE

Long-Term Delegated Access

  • The Purpose of Access Tokens
  • Running a New Flow
  • Using Refresh Tokens
  • Securing Refresh Tokens

Common Pitfalls and Misconceptions

  • Mistaking OAuth 2.0 for What It Is Not
  • Abusing OAuth 2.0 for Authentication
  • Modifying OAuth 2.0 Flows

Wrapping up OAuth 2.0

  • The Core Concepts of OAuth 2.0
  • High-Level Security Considerations
