
Advanced OAuth Security

via Udemy

Overview

Learn the high-security OAuth extensions described in FAPI: PAR, JAR, JARM, DPoP, Mutual TLS, and HTTP Signatures

What you'll learn:
  • How to leverage the advanced OAuth specifications for high-security applications
  • Learn the details of the FAPI specifications, including the FAPI Security Profile and FAPI Message Signing
  • Learn the purpose of JAR, JARM, MTLS, DPoP, HTTP Signatures, and Non-Repudiation
  • How to apply HTTP Message Signing and JWTs to achieve non-repudiation for every role in an OAuth exchange

Certain applications need a higher level of security compared to what is part of the core OAuth 2.0 specifications. This course will guide you through the details of FAPI, a set of extensions of OAuth 2.0 that provide additional layers of security throughout the OAuth flows.

This course covers the extensions of OAuth developed by the OAuth Working Group at the IETF as well as the OpenID Foundation, including:

  • PKCE

  • Authorization Server Issuer Identifier (iss)

  • Pushed Authorization Requests (PAR)

  • Mutual TLS (MTLS)

  • Private Key JWT

  • Demonstration of Proof of Possession (DPoP)

  • JWT Response for OAuth Token Introspection

  • JWT-Secured Authorization Requests (JAR)

  • JWT-Secured Authorization Response Mode (JARM)

  • HTTP Signatures

This course is for you because...

  • You've got a solid understanding of the basics of OAuth, and

  • You're looking to take your knowledge to the next level

  • You want to ensure the systems you're building are up to the industry standards in security

  • You want to deepen your understanding of application security and become a technical leader

Prerequisites

  • An understanding of HTTP requests, responses, and JSON

  • A basic understanding of JSON Web Tokens (JWT)

  • Familiarity with the OAuth authorization code flow

The content is divided into five parts, beginning with an overview of the OAuth authorization code flow, an overview of the security goals set out by FAPI and related extensions, and a description of the types of attacks we are concerned about protecting against. Part two focuses on securing the front channel, where we'll discuss authorization code injection attacks, PKCE, authorization server mix-up attacks, and using Pushed Authorization Requests. Part three focuses on the back channel, and discusses the differences between Mutual TLS and Private Key JWT for client authentication. Part four is all about proof-of-possession (sender-constrained) access tokens using Mutual TLS and DPoP. Part five discusses how to achieve non-repudiation throughout each leg of the OAuth flow.

Taught by

Aaron Parecki

Reviews

4.6 rating at Udemy based on 421 ratings
