Introduction to OpenID Connect and OAuth

OpenID Connect is the de-facto standard we should use for handling authentication and authorization in modern applications. However, it can still be very complex and confusing with all the various concepts, including scopes, claims, flows, resources, and tokens.

In this course you will learn the following:

  • Authentication vs. authorization
  • How OAuth 2.x and OpenID Connect work
  • Fundamental concepts
  • How a client authenticates against an authorization server
  • How to retrieve and consume JWT tokens
  • How OpenID Connect fits into your architecture
  • How the tokens are secured and managed

This course includes many hands-on exercises that will help you understand how the protocol works under the hood.


  • The HTTP(S) protocol (including methods, headers, and cookies…)
  • How the web works in general
  • Some experience in developing backend web solutions

Target audience:

Developers and architects who want to learn the fundamentals and how to protect applications using OAuth2 and OpenID Connect. This class focuses on the various standards and protocols, not on a specific implementation or programming language.

Course content:

  • Introduction
    • Authentication vs. Authorization
    • Our challenges
    • OAuth versions
    • OAuth vs. OpenID Connect
  • Token Service
    • Authorization Server
    • Relying party
    • ID token
    • Access token
    • Authentication architecture
    • Token endpoints
    • Discovery document
  • Implicit flow
    • How does this flow work
    • Why it is no longer a recommended flow
  • JWT tokens
    • ID token
    • JSON Web Tokens
    • JWT access tokens
  • Claims and scopes
    • What are claims?
    • Claim types
    • Scopes
    • User consent
  • Securing the token
    • Unsecure tokens
    • Signed tokens
    • Signature algorithms
    • Private/public keys
    • Encrypted tokens
  • Authorization Code Flow
    • Public vs. private clients
    • Front vs. back-channel


  • Client Credentials flow
  • Refresh tokens
  • Proof Key for Code Exchange (PKCE)
  • Backend for Frontend (BFF)
  • OAuth 2.1
  • And much more…


About the author and instructor: Tore Nestenius

Tore has worked as a consultant since 1997. He is a very knowledgeable system developer who has worked for large companies like Ericsson and Flextronics. Early in his career, Tore Nestenius started Programmers Heaven, a portal with over 750 000 monthly users. He is behind several other successful projects like CodePedia (a wiki for developers), the open-source project TNValidate, and the C# School e-book with over 100 000 downloads.
