OWASP 2021 Virtual AppSec Training Program

OAuth 2.0 and OpenID Connect (OIDC) are the most commonly used solutions for stateless, token-based authentication in distributed microservice architectures as of today.

But have you ever asked yourself how OAuth 2.0 really works and how it differs from OpenID Connect? Then this workshop is a good opportunity to get to know how it works by making your hands dirty in code using Spring Security.

After an introduction to the basic concepts of OAuth 2.0 and OpenID Connect, we will use a boot-based Spring sample application to gradually implement authentication and authorization using these standards.

Learning Objectives:
- Differences between OAuth 2.0 and OpenID Connect (OIDC)
- What is an Authorization Grant and when do I use which grant
- The detailed procedure of the Authorization Code Grant protocol flow
- Implementation of an OAuth 2.0/OIDC compliant Resource Server
- Differences between JWT and reference tokens
- Authorization by means of claims in JWT
- Implementation of an OAuth 2.0/OIDC compliant client
- The correct validation of tokens
- Automated testing with OAuth 2.0 and OpenID Connect
- Current best practices for OAuth 2.0 and OIDC, especially for Single Page Applications
- The workshop contents are aligned with the proposed updates of OAuth 2.1