Skip to content
O'Reilly home

Hands-on introduction to OAuth 2.0

Published by O'Reilly Media, Inc.

Nov. 1, 2021

5 - 9 p.m. Coordinated Universal Time

This event has ended.

What you’ll learn and how you can apply it

By the end of this live online course, you’ll understand:

  • The problems OAuth was created to solve
  • The basics of OAuth 2.0 and OpenID Connect
  • Best practices for developing web-based and native OAuth apps
  • Which OAuth grant type is right for your use case

And you’ll be able to:

  • Implement an OAuth client from scratch
  • Protect the OAuth flows in native and JavaScript apps
  • Use OpenID Connect to get the user’s email address

This live event is for you because…

  • You’re a software architect, application developer, or technical decision maker.
  • You work with APIs, web apps, mobile apps, or microservices.
  • You want to deepen your understanding of application security and become a technical leader.


  • A basic understanding of HTTP requests, responses, and JSON
  • Experience with Postman, curl, or any other HTTP client
  • A free Okta Developer account from


The timeframes are only estimates and may vary according to how the class is progressing.

Background of OAuth (25 minutes)

  • Lecture: OAuth and the problems it solves; issues with password-based authentication for third-party apps; how OAuth improves security; authorization versus authentication; roles in OAuth; client registration
  • Group discussion: What type of apps are you building?
  • Q&A

OAuth grant types and use cases (45 minutes)

  • Lecture: Which grant type is right for your use case; server-side apps; machine-to-machine apps
  • Hands-on exercise: Implement the authorization code flow
  • Q&A
  • Break (5 minutes)

OAuth for public clients (45 minutes)

  • Lecture: OAuth for native apps; browser-based apps
  • Hands-on exercise: Implement Proof Key for Code Exchange (PKCE) with the authorization code flow
  • Q&A

Refresh tokens (20 minutes)

  • Lectures: Refresh tokens; what they’re for; why we have them
  • Hands-on exercise: Use a refresh token to get a new access token
  • Break (5 minutes)

OpenID Connect (25 minutes)

  • Lecture: OpenID Connect and JWT ID tokens
  • Hands-on exercise: Obtain an ID token to find out a user’s profile information
  • Q&A

Wrap-up and Q&A (10 minutes)

Your Instructor

  • Aaron Parecki

    Aaron Parecki is a contributor to the OAuth specifications, maintains, and is the author of OAuth 2.0 Simplified. He’s also the cofounder of IndieWebCamp, a yearly conference on data ownership and online identity, and the editor of the W3C Webmention and Micropub specifications. Aaron has spoken at conferences around the world about OAuth, data ownership, and the quantified self and even explained why R is a vowel. Aaron has tracked his location continuously since 2008. He made Inc. magazine’s “30 under 30” list when he was the CTO and cofounder of Geoloqi, a location-based software company acquired by Esri. His work has been featured in Wired, Fast Company, and more. Aaron holds a BS in computer science from the University of Oregon and lives in Portland, Oregon.

Start your free 10-day trial

Get started

Want to learn more at events like these?

Get full access to O'Reilly online learning for 10 days—free.

  • checkmark50k+ videos, live online training, learning paths, books, and more.
  • checkmarkBuild playlists of content to share with friends and colleagues.
  • checkmarkLearn anywhere with our iOS and Android apps.
Start Free TrialNo credit card required.