
Explore how OpenID Connect streamlines authentication and identity management, enabling effortless sign-up and login with Google, Microsoft, or Yahoo while reducing onboarding overhead.
Show how OpenID Connect reduces credential management burden by letting users sign in across apps with a single identity provider, using token-based claims for authentication and authorization.
Explore how OAuth 2.0 and OpenID Connect enable delegated access via an auth server and access tokens, and standardize identity attributes with the user info API.
Identify the four main actors in OpenID Connect: resource owner, client, authorization server, and resource server, and how they exchange access, refresh, and ID tokens to access protected resources.
Engage in a quick quiz that reinforces OpenID Connect actors by matching subject, audience, resource server, and authorization server with their common names like user, client, API, and identity provider.
Explain the authorization endpoint in OpenID Connect, detailing input parameters, how the authorization code or access token is delivered via redirects, and the roles of scope, OpenID, and redirect uri.
Learn how the claims parameter in the OpenID Connect authorization endpoint controls which claims appear in the ID token and user info endpoint, including essential true and value domain constraints.
Explore how the resource endpoint on the resource server uses bearer access tokens with scopes in an authorization header to authorize API requests, returning data or 401/403 errors.
Access the userinfo endpoint, a protected OpenID Connect resource, by presenting a bearer access token and the OpenID scope. Receive the user info as a JSON object of claims (sub, name, email, locale), with the subject claim always returned, and optionally signed or encrypted as a JWT via TLS.
Explain the redirect endpoint in OpenID Connect: a 302 redirect delivers the authorization code, the ID token, and possibly the access token via query parameters, with nonce validation.
Take a break from heavy technical topics and spend time in nature; when you return, your mind feels fresh and you learn much better.
Explore tokens and codes in oauth and openid connect, including the access token, refresh token, authorization code, and id token, plus credentials for resource owners and clients.
Learn about reference and value tokens in OpenID Connect. Understand their information content, use cases, pros and cons, and how they map to pass-by-value and pass-by-reference semantics.
OpenID Connect access tokens are typically reference tokens that grant resource access and must be protected in transit and at rest, then validated via the at_hash in the ID token.
Use the refresh token, with longer validity than the access token, to obtain a new access or ID token after expiration, enabling backchannel renewal without disturbing the end user.
Explore id tokens in OpenID Connect and how jwt-based claims convey user data, issuer, audience, nonce, and expiration. Validate signatures, decrypt when needed, and verify claims to prevent replay.
OpenID Connect flows, including authorization code, implicit, and hybrid, govern how ID tokens and access tokens are returned via endpoints.
Explain how the authorization code flow authenticates the end user, client, and server at the authorization endpoint. Describe how the token endpoint issues access, refresh, and id tokens.
Explore how the authorization code flow uses the token endpoint to exchange a code for access, refresh, and ID tokens. Learn client authentication with basic auth and redirect URI validation.
Explore OpenID Connect implicit flows where tokens are delivered via the authorization endpoint. Learn nonce replay protection, fragment redirects, and validations like AT hash and C hash for ID token.
Explore the OpenID Connect flows—authorization code grant, implicit grant, and hybrid flow—and their security tradeoffs, including token and refresh token handling.
Choose the OpenID Connect authorization code flow when possible. Register the client, implement a redirect endpoint, initiate the flow from the client, and call the userinfo API for identity claims.
Understand JWT as a self-contained container for cryptographically secured claims. See how OpenID Connect ID tokens rely on JWT and how signing and encryption protect integrity and confidentiality.
Explore how json web signature (jws) constructs tokens with a header, payload, and signature using compact or json serialization, including base64url encoding, signing input, and offline verification.
Explore json web encryption (jwe) basics, including compact and json serializations, and the encrypted content flow: header creation, content encryption key, encrypted key, iv, ciphertext, aad, and authentication tag.
Explore the json web key (jwk) and its metadata, including key id, alg, kty, use, and key_ops, and the json web key set (jwks) that aggregates these keys.
Explore JSON web algorithms registry in JWA, covering MAC, content encryption, and key encryption algorithms used in JWT and JWE, and learn to rely on libraries rather than implementing them.
Issue an OpenID Connect token via Google's auth playground, then decode and verify the ID token, inspect its claims, and grasp the token's workflow.
Learn to authorize with the OpenID scope in the Google OAuth playground, exchange the code for tokens, and validate the ID token with jwt.io.
Fetch the jwk set from the OpenID configuration and inspect the keys array. Identify the correct key by matching the token header's kid, then use that key's n modulus.
Recent Updates
2023-01-07 NEW Added 4 new videos on Proof Key for Code Exchange (PKCE)
2023-01-06 More than 2400 satisfied students
Learn OpenID Connect to get higher signups & conversions for your apps!
Login with Google, Facebook, and LinkedIn - all successful apps do it, so should you
Do you want to know how OpenID Connect works?
Exploring how OpenID Connect works in detail is the subject of this course. We take a bottom-up approach and first study all the elements (actors, endpoints, and tokens) of OpenID Connect. This puts us in an excellent position for the second step: to understand the various OpenID Connect Flows - how the actors, endpoints, and tokens are put together to transmit identity claims securely.
Do you wonder why there are several OpenID Connect Flows?
Whether we use OpenID Connect from a mobile app, a script in a browser or from a secure backend server, there is an appropriate OpenID Connect Flow with the right tradeoffs in security, functionality, and convenience for each of these scenarios. This course helps you to choose the right one.
Do you think that these OpenID Connect Flows are confusing?
You are not alone; the OpenID Connect Flows tend to get confusing. However, with this course, we make it clear and easy to understand: We visualize these flows and show how to choose the flow that is appropriate for a given scenario. A picture says more than a 1000 words - that is why we explain the OpenID Connect Flows using easy to understand sequence diagrams.
Do you want to understand how JWT works?
This course explains what a JSON Web Token (JWT) is, how it is used in OpenID Connect, how it is constructed, what data it contains, how to read it, and how to protect its contents.
Do you wonder why there are so many tokens in OpenID Connect and how to use them?
There are JWT, JWS, JWE, access tokens, refresh tokens, identity tokens, and authorization codes. This book helps you to make sense of them all. Using examples, we explore how the tokens are used, constructed, signed, and encrypted.
Why is OpenID Connect so popular?
If used in the right way, OpenID Connect is powerful, and everyone loves it:
End-users don't need to signup and remember a new password
Business owners enjoy high conversion rates
Developers don't get any grey hair over securely storing credentials.
Do you want to increase the conversion rate of your app?
Signup and login to a new app become so smooth and convenient that end-users are much more likely to try a new app. It is supported, e.g. by Google, Yahoo, or Microsoft.
This course is for you...
...if you want to improve your market value as a Software Engineer and Security Expert. Imagine what could happen to your professional career if you could add OpenID Connect, API Security and OAuth skills to your CV!
API Security experts and engineers who understand OpenID Connect are in HIGH DEMAND, as companies expand their digital business. Plenty of opportunities are waiting for anyone who has the right skills.
Do you want to write best-selling iPhone and Android apps?
The most popular mobile apps integrate with popular social APIs of Google, LinkedIn, Facebook, Paypal and many more. If this is a well-known fact, why do app developers not just do it?
Many app developers are afraid of complicated OpenID Connect integrations. Identity, Login, and Signup are in fact the biggest hurdle for most mobile app developers.
With the knowledge gained in this course, you can use the secret of best app developers out there and finally integrate your app with social APIs.
Do you want to start out on your own, as an entrepreneur, consultant or freelancer?
Knowing API Security, OAuth, and OpenID Connect allows you to realize the big vision of your company in the field of mobile apps, cloud apps and web APIs, such as Google, Paypal, and LinkedIn.
Do you want to build exciting solutions with next-generation technology?
Whether you are a web developer, mobile developer or API developer, an architect or embedded developer for the Internet of Things, today you need to know OpenID Connect to build state of the art solutions.
What does this course offer?
This course offers an introduction to API Security with OpenID Connect. In 7 hours you will gain an overview of the capabilities of OpenID Connect and OAuth. You will learn the core concepts of OpenID Connect. You will get to know all 3 OpenID Connect flows that are used in cloud solutions and mobile apps.
This course explains OpenID Connect in simple terms. The three OpenID Connect flows are visualized graphically using sequence diagrams. The diagrams are then animated so you get to know the interactions step by step and see the big picture of the various OpenID Connect interactions. This high-level overview is complemented with a rich set of example requests and responses and an explanation of the technical details.
Who should take this course?
Do you believe OpenID Connect is complicated? OpenID Connect may seem complex with flows and redirects going back and forth. This course will give you clarity by introducing the seemingly complicated material by many illustrations. These illustrations clearly show all the involved interaction parties and the messages they exchange.
Do you want to learn the OpenID Connect concepts efficiently? This course uses many animated diagrams and sequence diagrams. A good diagram says more than 1000 words.
Do you want to use OpenID Connect in your mobile app? If you want to access resources that are protected by OAuth, you need to get a token first, before you can access the resource. For this, you need to understand the OAuth flows and the dependencies between the steps of the flows.