Advanced OAuth Security

Advanced OAuth Security, available at $79.99, has an average rating of 4.58, with 31 lectures, 10 quizzes, based on 362 reviews, and has 3059 subscribers.

You will learn about How to leverage the advanced OAuth specifications for high-security applications Learn the details of the FAPI specifications, including the FAPI Security Profile and FAPI Message Signing Learn the purpose of JAR, JARM, MTLS, DPoP, HTTP Signatures, and Non-Repudiation How to apply HTTP Message Signing and JWTs to achieve non-repudiation for every role in an OAuth exchange This course is ideal for individuals who are Software architects, application developers, or technical decision makers or API developers who want to better secure their APIs or Developers and software architects working in high-security fields working with financial or medical records It is particularly useful for Software architects, application developers, or technical decision makers or API developers who want to better secure their APIs or Developers and software architects working in high-security fields working with financial or medical records.

Enroll now: Advanced OAuth Security

Summary

Title: Advanced OAuth Security

Price: $79.99

Average Rating: 4.58

Number of Lectures: 31

Number of Quizzes: 10

Number of Published Lectures: 31

Number of Published Quizzes: 10

Number of Curriculum Items: 41

Number of Published Curriculum Objects: 41

Original Price: $199.99

Quality Status: approved

Status: Live

What You Will Learn

How to leverage the advanced OAuth specifications for high-security applications

Learn the details of the FAPI specifications, including the FAPI Security Profile and FAPI Message Signing

Learn the purpose of JAR, JARM, MTLS, DPoP, HTTP Signatures, and Non-Repudiation

How to apply HTTP Message Signing and JWTs to achieve non-repudiation for every role in an OAuth exchange

Who Should Attend

Software architects, application developers, or technical decision makers

API developers who want to better secure their APIs

Developers and software architects working in high-security fields working with financial or medical records

Target Audiences

Software architects, application developers, or technical decision makers

API developers who want to better secure their APIs

Developers and software architects working in high-security fields working with financial or medical records

Certain applications need a higher level of security compared to what is part of the core OAuth 2.0 specifications. This course will guide you through the details of FAPI, a set of extensions of OAuth 2.0 that provide additional layers of security throughout the OAuth flows.

This course covers the extensions of OAuth developed by the OAuth Working Group at the IETF as well as the OpenID Foundation, including:

PKCE

Authorization Server Issuer Identifier (iss)

Pushed Authorization Requests (PAR)

Mutual TLS (MTLS)

Private Key JWT

Demonstration of Proof of Possession (DPoP)

JWT Response for OAuth Token Introspection

JWT-Secured Authorization Requests (JAR)

JWT-Secured Authorization Response Mode (JARM)

HTTP Signatures

This course is for you because

You’ve got a solid understanding of the basics of OAuth, and

You’re looking to take your knowledge to the next level

You want to ensure the systems you’re building are up to the industry standards in security

You want to deepen your understanding of application security and become a technical leader

Prerequisites

An understanding of HTTP requests, responses, and JSON

A basic understanding of JSON Web Tokens (JWT)

Familiarity with the OAuth authorization code flow

The content is divided into five parts, beginning with and overview of the OAuth authorization code flow, an overview of the security goals set out by FAPI and related extensions, as well as a description of the types of attacks we are concerned about protecting against. Part two focuses on securing the front channel, where we’ll discuss authorization code injection attacks, PKCE, authorization server mixup attacks, and using Pushed Authorization Requests. Part three focuses on the back channel, and discusses the differences between Mutual TLS and Private Key JWT for client authentication. Part four is all about proof-of-possession (sender-constraining) access tokens using Mutual TLS and DPoP. Part five discusses how to achieve non-repudiation throughout each leg of the OAuth flow.

Course Curriculum

Chapter 1: Intro to this Course

Lecture 1: Intro to this Course

Chapter 2: Part 1: Security in OAuth 2.0

Lecture 1: Intro to Part 1

Lecture 2: Review of the Authorization Code Flow

Lecture 3: Front Channel vs Back Channel

Lecture 4: Security Goals

Lecture 5: Attacker Model

Lecture 6: Protecting the OAuth Flow

Chapter 3: Part 2: Securing the Front Channel

Lecture 1: Intro to Part 2

Lecture 2: Authorization Code Injection Attacks

Lecture 3: How PKCE Prevents Authorization Code Injection Attacks

Lecture 4: History of PKCE

Lecture 5: Authorization Server Mixup Attacks

Lecture 6: Preventing Mixup Attacks with the Authorization Server Issuer Identifier

Lecture 7: The Problems with Starting in the Front Channel

Lecture 8: Avoiding the Front Channel with Pushed Authorization Requests

Chapter 4: Part 3: Securing the Back Channel

Lecture 1: Client Authentication in OAuth

Lecture 2: MTLS as Client Authentication

Lecture 3: Private Key JWT as Client Authentication

Chapter 5: Part 4: Securing Access Tokens

Lecture 1: Intro to Part 4

Lecture 2: Additional Requirements for Access Token Validation

Lecture 3: The Problem with Bearer Tokens

Lecture 4: MTLS for Sender-Constrained Access Tokens

Lecture 5: DPoP for Sender-Constrained Access Tokens

Chapter 6: Part 5: Non-Repudiation

Lecture 1: Intro to Non-Repudiation

Lecture 2: Signing Authorization Requests (JAR)

Lecture 3: Signing Authorization Responses (JARM)

Lecture 4: Signing Token Introspection Responses

Lecture 5: Signing All Resource Requests

Lecture 6: Signing All Resource Responses

Lecture 7: Summary of Non-Repudiation

Chapter 7: Wrap-Up

Lecture 1: Congratulations!

Instructors

Aaron Parecki
OAuth Expert and Author

Rating Distribution

1 stars: 1 votes

2 stars: 5 votes

3 stars: 22 votes

4 stars: 113 votes

5 stars: 221 votes

Frequently Asked Questions

How long do I have access to the course materials?

You can view and review the lecture materials indefinitely, like an on-demand channel.

Can I take my courses with me wherever I go?

Definitely! If you have an internet connection, courses on Udemy are available on any device at any time. If you don’t have an internet connection, some instructors also let their students download course lectures. That’s up to the instructor though, so make sure you get on their good side!