OAuth 2.0: Nailed the core framework with hands dirty.
What you'll learn
- Create a personal OAuth 2.0 playground in a virtual machine.
- The fundamentals of the OAuth 2.0 framework.
- Develop projects from scratch and secure them with OAuth 2.0.
- Attack your own projects.
- Apply some best practices like PKCE.
- A touch on OpenID Connect.
- Integrate our projects with GitHub's OAuth application.
Requirements
- A machine that can run a virtual machine by VirtualBox.
- Basic knowledge of programming.
Description
In this course, we start learning OAuth 2.0 by using a production-ready authorization server, Keycloak, from the very beginning. That sounds reasonable, but why do we do that?
Using a correct implementation of the authorization server from the start keeps us from going down the wrong path, because we can rely on that server to comply with the OAuth 2.0 specification. It also lets us focus calmly on how a client communicates with the authorization server in the various flows that are available and waiting to be learned and understood. At the end of the day, it is unlikely that anyone will run an authorization server written from scratch in production, and more importantly, the fundamentals are our first priority. We want to divide the huge concept into pieces small enough to be comprehended from the ground up.
Hence we offload what we have not yet focused on to another piece of software that we trust to implement it correctly. Once we understand the ins and outs of all the relevant theory, our own implementation can hardly go wrong if we really want to implement an authorization server ourselves. In addition, an authorization server is unarguably a complex system. So again, we will not implement an authorization server in this course.
After that we develop the OAuth 2.0 client and the protected resource. The protected resource is a simple service that exposes APIs, which we then protect with the OAuth 2.0 framework. With a solid understanding of the fundamentals of how an authorization server behaves, plus familiarity with RFC 6749, we can then at least implement a simple authorization server with joy.
Imagine instead that this course had been designed in the opposite direction, guiding you to build the authorization server from the start. That would draw a lot of energy from us: it would keep us juggling all of OAuth's roles at once, and any mistakes arising from a misunderstanding of the concept would take time to correct, so reaching the same goal could take longer. That is why this course is carefully designed to build a deep understanding of the OAuth 2.0 framework.
For more information and more specialized topics, please find my blog linked under my profile picture.
Who this course is for:
- This course is for newcomers who want to understand the core concepts of OAuth.
- This course does not cover all of the best practices from the IETF's draft documents.
Course content
- Preview (02:50)
- Why don't we implement an authorization server? (02:32)
- Choosing between Virtual Machine and Docker (02:49)
- Preview (03:33)
- Why don't I provide a project code? (01:46)
- Prerequisite checklist (00:35)
- Preview (03:25)
- Install KeyCloak (05:34)
- Configure KeyCloak accessible from host OS (05:13)
Instructor
Learning is probably one of the most pleasant activities and privileges of a human being. Most of us do it every day. However, when it comes to technology these days, there are many things to learn out there; what if there were a faster way to achieve the same goal?
Hi, I am Charnnarong Chomthiang. I grew up among unanswered mysterious stories as a child. That made me love to resiliently demystify the things around me, and when I had a chance to learn about computer science, my destiny was discovered.
As finding a different perspective on the same thing became my second-nature skill, I usually turn the result into smiling faces around me by spreading those new angles to others.
To share that psychological moment even further, here I am, in the place where I can release all my energy without holding back.
For my professional background, please find my LinkedIn under the profile picture.