Course info
Jun 26, 2013
2h 23m

In a world of light-weight and cross-platform apps, devices and services we need technologies that work well on arbitrary devices and that allow us implementing our security requirements in an interoperable and manageable way. OAuth2, OpenID Connect and JWT are the replacements for the "old-school" protocols we used to build distributed security architectures with like Kerberos, WS-Trust, WS-Federation and SAML.

About the author
About the author

Dominick works as an associate consultant for the Germany-based company thinktecture. His main area of focus is security in general and identity & access control in particular.

More from the author
Web API v2 Security
6h 12m
Apr 12, 2014
Identity and Access Control in WCF 4.5
3h 12m
Dec 14, 2012
More courses by Dominick Baier
Section Introduction Transcripts
Section Introduction Transcripts

The Security Stack for Modern Applications
The first module, I want to give you a quick overview. Where these technologies are actually used and how they build what I call the new security stack for modern applications.

JSON Web Tokens (JWT)
Let's start with a quick look at JSON web token. As I said, JSON Web Tokens are an emerging standard. They are very close to its standardization. IETF has taken care of that, and OpenID connect mandates the use of JSON Web token for all of the tokens that are exchanged in that protocol. And OAF two, isn't mandated, but as I said most implementations these days use JSON Web Token. So let's have a look at them first. So, I want to give you a little indu, overview of the purpose of security tokens, and, and what other types of tokens we have out there and where, where they are used. Then we have a look at the structure of a JSON Web Token, and then I want to quickly show you how easy it is to create and consume them using development framework.

Introduction to OAuth2
In this module I want to introduce you to OAuth2. The OAuth2 is pretty popular at least the term. And there's also a, a lot of confusion, what OAuth2 is about and what it's good for and what it's not good for and so I really want to clear up with that here in this module will tell you, a little bit of the history, of OAuth2, its goals and long goals, and what are so called OAuth flows.

OAuth2 Flows
Intro level I want to talk about the various workflow in much more detail and how they work and in which situations you want to use them. So we, talk about the authorization flow, the implicit flow, the resource owner credential flow and the client credential flow.

OpenID Connect
So, now we want to talk about OpenID Connect. So, OpenID Connect is really a specification that fits on top of OAuth2. Meaning it reuses its message format, like the query string format, like how token responses look like. But to implement authentication. Now you might wonder, why do I need a separate specification for that? And I first want to introduce you to why OAuth2 on its own is not enough for authentication. Then I want to show you what OpenID Connect adds to OAuth2 to make authentication secure. And then again, I want to show you or walk you through a typical OpenID Connect Flow, how to do authentication.

OAuth2 Concerns
In the introduction I said that there's kind of a discussion going on right now about OAuth2 and that discussion was mainly triggered by the fact that the lead editor Aaron Hammer, left. The committee and was really, really vocal about the fact that he wants his name to be removed from the spec. And, and frankly had some, had some good arguments why the OAuth spec is not as good as it could be. This led to as I said a big discussion about the, the usefulness and the security properties of OAuth. And I want to, present you some of these, these points here and, how you should deal with them.