OAuth 2.0 Authorization Framework Training

OAuth 2.0 is an authorization framework that is used extensively on the Internet. With extensions such as OpenID Connect, it can be used to implement single sign-on (SSO), where a user who logs in to one web site can interact with other web sites as a logged-in user without retyping a username and password. OAuth 2.0 provides more than SSO: a user can allow an application A to access a web application B on the user's behalf without handing A the user's username and password. Application A could be a web application, a desktop application or a mobile application. Both A and B, however, need to interact with an authorization server that the user trusts.

Many of today's mobile applications communicate with web-based APIs. OAuth 2.0 can be used to secure those APIs as well, with the same benefits.

In this training, we investigate how OAuth 2.0 works and also experiment with basic implementations of an OAuth 2.0 authorization server, a client and a resource server. The demonstrations are done in PHP, though the concepts apply to other languages as well.

Target groups
  1. Web application developers
  2. Mobile application developers
  3. Information systems security professionals
Prerequisites
  1. Some familiarity with how web applications work.
Communication language
English or Sinhala
Duration

3 Hours

Training fee

Rs. 5000/= (LKR) per participant when the training is publicly scheduled by us.

Visit this page for the fee if this training is scheduled on special request.

Facilitator(s)

Kamal Wickramanayake (Profile)

Training content
  1. Introduction
    • Problems solved by OAuth 2.0
    • OAuth 2.0 usage scenarios
  2. Roles
  3. Protocol flow
  4. Grant types
    • Authorization code
    • Implicit
    • Resource owner password credentials
    • Client credentials
  5. Tokens
    • Access token
    • Refresh token
  6. Client types
    • Confidential
    • Public
  7. Scopes
  8. JWT (JSON Web Token)
  9. OpenID Connect
  10. PKCE (Proof Key for Code Exchange) extension
    • Problems solved by PKCE
    • Protocol flow
  11. Implementing an OAuth 2.0 authorization server
  12. Implementing an OAuth 2.0 client
  13. Implementing an OAuth 2.0 resource server
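To give a feel for items 3, 4, 10 and 11 of the outline, here is an added, self-contained simulation of the authorization code grant with the PKCE extension (RFC 7636, S256 method). It is not code from this training, whose own demonstrations are written in PHP; it is written in Python so that it runs stand-alone. The client identifier, redirect URI and scope are assumed values, the "network" between client and authorization server is a plain function call, and the resource owner's login and consent are assumed to have already happened inside the authorization endpoint. The three scenario functions show the legitimate flow, the intercepted-authorization-code problem that PKCE solves (an attacker who captured the code but never saw the code_verifier is refused), and single-use enforcement of the code.

```python
import base64
import hashlib
import secrets

# Constructed, in-memory simulation of the authorization code grant with
# PKCE (RFC 7636, S256). Client, authorization server and the redirect
# "transport" are all plain function calls; nothing touches the network.

CLIENT_ID = "mobile-app"                    # assumed public client
REDIRECT_URI = "com.example.app:/callback"  # assumed custom-scheme redirect
SCOPE = "profile:read"                      # assumed scope


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server: authorization endpoint + token endpoint."""

    def __init__(self):
        self.codes = {}   # authorization code -> values bound to it at issue time
        self.tokens = {}  # access token -> client_id and scope

    def authorize(self, client_id, redirect_uri, scope,
                  code_challenge, code_challenge_method):
        # Resource owner is assumed to have logged in and consented here.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' is refused")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "challenge": code_challenge}
        return code  # would travel to the client via the redirect URI

    def token(self, grant_type, code, redirect_uri, client_id, code_verifier):
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        record = self.codes.pop(code, None)  # codes are single-use
        if (record is None or record["client_id"] != client_id
                or record["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        # The verifier presented now must hash to the challenge sent earlier.
        if not secrets.compare_digest(record["challenge"],
                                      make_code_challenge(code_verifier)):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "scope": record["scope"]}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}


def legitimate_flow(server):
    """Public client: create verifier, send its challenge, redeem code with verifier."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, SCOPE,
                            make_code_challenge(verifier), "S256")
    return server.token("authorization_code", code, REDIRECT_URI, CLIENT_ID, verifier)


def intercepted_code_attack(server):
    """A malicious app on the same device captured the code (e.g. by registering
    the same custom URI scheme) but never saw the verifier. Without PKCE the
    code alone would be enough to obtain the victim's access token."""
    victim_verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, SCOPE,
                            make_code_challenge(victim_verifier), "S256")
    attacker_guess = make_code_verifier()  # cannot be derived from the challenge
    return server.token("authorization_code", code, REDIRECT_URI, CLIENT_ID, attacker_guess)


def code_replay(server):
    """Redeeming the same code twice: the second attempt must be refused."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, SCOPE,
                            make_code_challenge(verifier), "S256")
    first = server.token("authorization_code", code, REDIRECT_URI, CLIENT_ID, verifier)
    second = server.token("authorization_code", code, REDIRECT_URI, CLIENT_ID, verifier)
    return first, second


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate flow:  ", legitimate_flow(srv))
    print("intercepted code: ", intercepted_code_attack(srv))
    print("replayed code:    ", code_replay(srv)[1])
```

Two points a real server must add on top of this toy: the code should expire after a short lifetime, and a confidential client would additionally authenticate at the token endpoint (PKCE does not replace client authentication, it protects public clients that have no secret to present).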