This workshop provides an intro to OAuth and OpenID Connect for the complete beginner, and guides you through building an OAuth client from scratch. By the end of the workshop you’ll understand how to get an access token to access APIs as well as learn the user's information such as their user ID and email address.

Prerequisites for the Exercises

A basic understanding of HTTP requests, responses, and JSON No programming language knowledge is necessary since the exercises can be completed without writing any code! Experience with Postman, curl, or any other HTTP client

Details

OAuth 2.0 has become the industry standard for providing secure access to web APIs, allowing applications to access users' data without compromising security. Companies around the world add OAuth to their APIs to enable secure access from their own apps, third-party apps, and even IoT devices. OAuth also serves as the foundation of OpenID Connect, the most widely deployed authentication protocol on the web today.

This workshop is for you if you are new to OAuth and OpenID Connect. The workshop begins with an introduction to OAuth and OpenID Connect concepts, and will lead you through completing an OAuth and OpenID Connect flow. You will learn the ins and outs of the OAuth Authorization Code flow with PKCE, and get a chance to try it out yourself.

The workshop will guide you through building an OAuth client from scratch in order to get an access token to access APIs as well as learn the user's information such as their user ID and email address.

By the end of this workshop, you'll understand:

• The problems OAuth was created to solve
• The basics of OAuth 2.0 and OpenID Connect
• Best practices for developing web-based and native OAuth apps
• Which OAuth grant type is right for your use case
• What to expect with the upcoming OAuth 2.1 standard

And you'll be able to:

• Implement an OAuth client from scratch
• Use OpenID Connect to get the user's email address

The workshop is divided into 5 parts.

Part 1

First, we discuss some background of OAuth and learn the various roles involved in the flows, as well as some terminology that will be useful later in the session.

• A brief history of OAuth
• How OAuth improves application and API security
• The difference between OAuth and OpenID Connect
• Roles of each party in OAuth
• Application types
• User consent
• Front channel vs back channel
• Application identity

Part 2

Next we focus on the most common types of OAuth clients. In this segment we cover the basic grant types applicable to web-based, native and single-page applications, as well as how to use refresh tokens. The exercises in this segment will walk through a successful OAuth flow from scratch.

• Registering an OAuth application
• OAuth for Native Applications
• OAuth for Single-Page Applications
• OAuth for Web Applications
• Refresh tokens

Part 3

Our third segment covers how to use OAuth on alternative types of applications, such as IoT devices or smart TVs, as well as when there is no user involved in the flow. This segment also introduces OpenID Connect so the application can learn information about the user that logged in.

• OAuth for Browserless (IoT) Devices
• OAuth for Machine-to-Machine Applications
• Introduction to OpenID Connect

Part 4

Our last main segment focuses on protecting APIs with OAuth. In this segment we discuss how an API can validate an access token and make decisions about whether and what data to return based on the authorization information present in the token. We also discuss tradeoffs on various token lifetimes depending on how your APIs are architected.

• Access token validation methods
• What's in a JWT access token
• Choosing access token and refresh token lifetimes
• Handling revoked or invalidated access tokens
• Designing OAuth scopes

Part 5

We conclude with a summary of what we covered throughout the day, and provide resources for further learning. We will also briefly discuss where the more advanced OAuth topics fit in to what we've learned today and how you can learn more about them. We'll touch on where OAuth is heading in the future, and talk about how what you've learned today is the foundation of the next revision to OAuth named OAuth 2.1.