A developer who can secure front-end and back-end systems using oAuth security flows.
- Differenciate between HTTP Basic Auth and oAuth
- Defend the superiority of oAuth over HTTP Basic Auth
- Discuss the scenarios where OAuth is the most appropriate choice
- Differentiate between 2 party systems vs 3 party systems (2-legged/3-legged oauth)
- List the different types of security flows an application can implement in the oAuth context
- Describe the components/systems involved in the OAuth flow.
- Explain why refresh tokens are necessary
- Describe the role in the OAuth flow of...
- Resource Owner
- Client
- Authorization Server
- Resource Server
- Redirect URI
- Response Type
- Scope
- Consent
- Client ID
- Client Secret
- Authorization Code
- Access Token
- Describe the common OAuth grant types and their use cases
- Use "OAuth Debugger" (oauthdebugger.com) to test an OAuth Provider
- Authenticate against OAuth Provider in a SPA front-end with no backend (implicit flow)
- Demonstrate how a back-end can trust requests made with tokens generated by another server, as is the case with implicit flow
- Authenticate against OAuth Provider in server-to-server application (client credentials flow)
Caution: Keep in mind that this badge focuses on oAuth only. OIDC comes at a later time, but it's almost impossible to find good learning materials that only talk about oAuth. Try your best to focus on oAuth and file away any OIDC concerns until later.
- OAuth 2.0 Docs{:target="_blank"}
- Authentication and Authorization: OAuth{:target="_blank"} by Udacity
- Authentication and Authorization{:target="_blank"} by Coursera
- Hands-on Authentication and Authorization: OAuth{:target="_blank"} by Udemy
- Secure your ReactJS Applications with Auth0{:target="_blank"}
- JWT Docs{:target="_blank"}
- An Illustrated Guide to OAuth and OpenID Connect{:target="_blank"}
- OAuth 2.0 and OpenID Connect (In Plain English){:target="_blank"}
- Playlist by Hussein Nasser{:target="_blank"}
Node Applications:
- Passport Docs{:target="_blank"}
- OAuth with NodeJS and Express{:target="_blank"} Tutorial
- Implementing OAuth 2.0 with NodeJS{:target="_blank"}
ASP.NET Applications:
- C# ASP.NET MVC Authentication{:target="_blank"}
- Secure Your ASP.NET Core App with OAuth 2.0{:target="_blank"}
Ask your mentor if you are ready for evaluation. Then, do one of the following:
- Schedule a live evaluation by clicking here to find a time on the calendar. After the evaluation, claim the badge.
or
- Record a screencast where you talk about and demonstrate each competency listed above. Make sure badge criteria and relevant tools are visible in the screen cast AND that your audio is good enough for the evaluator to hear. Upload the video to a service like Vimeo or Youtube (unlisted is fine) so that you can provide a public url for an evaluator to view. Claim the badge and include the video url in the evidence box.