O'Reilly logo
live online training icon Live Online training

Hands-on introduction to OAuth 2.0

Topic: Security
Aaron Parecki

OAuth 2.0 has become the industry standard for providing secure access to web APIs, allowing applications to access users' data without compromising security. Companies around the world add OAuth to their APIs to enable secure access from their own mobile apps and third-party IoT devices and even access to banking APIs.

Security expert Aaron Parecki breaks down each of the OAuth flows (grant types) and applies them to use cases such as implementing OAuth for web apps, native apps, and SPAs. In addition to learning how applications can use OAuth to access APIs, you’ll learn how to use OpenID Connect to get the user’s identity.

What you'll learn-and how you can apply it

By the end of this live online course, you’ll understand:

  • The problems OAuth was created to solve
  • The basics of OAuth 2.0 and OpenID Connect
  • Best practices for developing web-based and native OAuth apps
  • Which OAuth grant type is right for your use case

And you’ll be able to:

  • Implement an OAuth client from scratch
  • Protect the OAuth flows in native and JavaScript apps
  • Use OpenID Connect to get the user’s email address

This training course is for you because...

  • You’re a software architect, application developer, or technical decision maker.
  • You work with APIs, web apps, mobile apps, or microservices.
  • You want to deepen your understanding of application security and become a technical leader.


  • A basic understanding of HTTP requests, responses, and JSON
  • Experience with Postman, curl, or any other HTTP client
  • A free Okta Developer account from https://developer.okta.com

About your instructor

  • Aaron Parecki is a contributor to the OAuth specifications, maintains Oauth.net, and is the author of OAuth 2.0 Simplified. He’s also the cofounder of IndieWebCamp, a yearly conference on data ownership and online identity, and the editor of the W3C Webmention and Micropub specifications. Aaron has spoken at conferences around the world about OAuth, data ownership, and the quantified self and even explained why R is a vowel. Aaron has tracked his location continuously since 2008. He made Inc. magazine’s “30 under 30” list when he was the CTO and cofounder of Geoloqi, a location-based software company acquired by Esri. His work has been featured in Wired, Fast Company, and more. Aaron holds a BS in computer science from the University of Oregon and lives in Portland, Oregon.


The timeframes are only estimates and may vary according to how the class is progressing

Background of OAuth (25 minutes)

  • Lecture: OAuth and the problems it solves; issues with password-based authentication for third-party apps; how OAuth improves security; authorization versus authentication; roles in OAuth; client registration
  • Group discussion: What type of apps are you building?
  • Q&A

OAuth grant types and use cases (45 minutes)

  • Lecture: Which grant type is right for your use case; server-side apps; machine-to-machine apps
  • Hands-on exercise: Implement the authorization code flow
  • Q&A
  • Break (5 minutes)

OAuth for public clients (45 minutes)

  • Lecture: OAuth for native apps; browser-based apps
  • Hands-on exercise: Implement Proof Key for Code Exchange (PKCE) with the authorization code flow
  • Q&A

Refresh tokens (20 minutes)

  • Lectures: Refresh tokens; what they’re for; why we have them
  • Hands-on exercise: Use a refresh token to get a new access token
  • Break (5 minutes)

OpenID Connect (25 minutes)

  • Lecture: OpenID Connect and JWT ID tokens
  • Hands-on exercise: Obtain an ID token to find out a user’s profile information
  • Q&A

Wrap-up and Q&A (10 minutes)