O'Reilly logo
live online training icon Live Online training

Hands-on Introduction to OAuth 2.0

Topic: Programming
Aaron Parecki

OAuth 2.0 has quickly become the industry standard in providing secure access to web APIs, allowing applications to access users' data without compromising security.

OAuth was originally created to allow third-party applications access to APIs, and quickly grew to cover many additional use cases. Companies around the world are adding OAuth to their APIs to enable secure access from their own mobile apps, third-party IoT devices, and even enabling access to banking APIs.

In this session, we'll break down each of the OAuth workflows (also called grant types) and you'll learn how to apply them to your use cases. We'll cover how to implement OAuth for web apps as well as native apps. Even how to do OAuth on devices with no web browser or keyboard. We'll cover what you need to know to implement OAuth securely, both when writing an app as well as a server. Along the way, we'll talk about some of the options available when implementing a server, such as when to use self-encoded tokens or how to present scopes in a way that won't intimidate your users. Your application will probably also want to know the user’s name and email address, so we'll explore how OpenID Connect builds on top of OAuth 2.0 to provide the identity of users signing in.

What you'll learn-and how you can apply it

  • What problems OAuth was originally created to solve
  • The basics of OAuth 2.0 and OpenID Connect
  • Best practices for developing web-based and native OAuth apps
  • Which OAuth grant type is the right one for your use case

And you’ll be able to:

  • Implement an OAuth client from scratch
  • Protect the OAuth flows in native apps and Javascript apps
  • Use OpenID Connect to get the email address of the user who logged in

This training course is for you because...

  • You’re a software architect, application developer, or technical decision maker
  • You work with APIs, web apps, mobile apps, or microservices
  • You want to deepen your understanding of application security and become more of a technical leader


  • You should have a basic knowledge of HTTP requests and responses, and some familiarity with JSON
  • Experience with Postman, curl, or any other HTTP client will be used for the exercises. Programming knowledge is not required, as we will be walking through the OAuth flow manually using an HTTP client.

Recommended preparation: - We’ll provide instructions for the exercises using Postman or curl, so make sure you have one of them installed on your computer ahead of time to complete the course exercises. Alternatively, you’re welcome to use any other HTTP client that you’re already familiar with.

Common misunderstandings

  • We’ll demystify all the OAuth grant type options available to you
  • You’ll learn the difference between JWT authentication and OAuth
  • You’ll learn why OAuth is an authorization framework and not for authentication

About your instructor

  • Aaron Parecki is a contributor to the OAuth specifications, maintains Oauth.net, and is the author of OAuth 2.0 Simplified. He’s also the cofounder of IndieWebCamp, a yearly conference on data ownership and online identity, and the editor of the W3C Webmention and Micropub specifications. Aaron has spoken at conferences around the world about OAuth, data ownership, and the quantified self and even explained why R is a vowel. Aaron has tracked his location continuously since 2008. He made Inc. magazine’s “30 under 30” list when he was the CTO and cofounder of Geoloqi, a location-based software company acquired by Esri. His work has been featured in Wired, Fast Company, and more. Aaron holds a BS in computer science from the University of Oregon and lives in Portland, Oregon.


The timeframes are only estimates and may vary according to how the class is progressing

Background of OAuth (30 minutes)

  • Presentation:

  • What is OAuth? What problem does it solve?

  • Issues with password-based authentication for third-party apps
  • High-level introduction to how OAuth improves security
  • Authorization vs Authentication
  • Roles in OAuth
  • Client Registration

  • Q&A

OAuth Grant Types and Use Cases (45 minutes)

  • Presentation: How to decide which grant type is right for your use case
  • Presentation:
  • Server-side apps
  • Server-to-server apps
  • First-party apps

  • Exercise: Implementing the Authorization Code flow

  • Q&A

  • Break (5 mins)

OAuth for Public Clients (45 minutes)

  • Presentation:

  • Native apps

  • Browser-based apps
  • IoT devices

  • Exercise: Implementing PKCE with the Authorization Code flow

  • Q&A

Refresh Tokens (20 minutes)

  • Presentation: What are refresh tokens and why do we have them?
  • Exercise: Using a refresh token to continue the OAuth session without the user being present
  • Q&A
  • Break (5 min)

OpenID Connect (30 minutes)

  • Presentation: Introduction to OpenID Connect and JWT ID Tokens
  • Exercise: Obtaining an ID Token to find out profile information about the user who logged in
  • Q&A

Wrap-up and Q&A (10 minutes)

  • Further reading
  • Resources
  • Q&A