O'Reilly logo
live online training icon Live Online training

Hands-on introduction to OAuth 2.0

Aaron Parecki

OAuth was created to allow third-party applications access to APIs and grew to cover many additional use cases. OAuth 2.0 has become the industry standard for providing secure access to web APIs, allowing applications to access users' data without compromising security. Companies around the world add OAuth to their APIs to enable secure access from their own mobile apps and third-party IoT devices and even access to banking APIs.

Expert Aaron Parecki breaks down each of the OAuth workflows (grant types) and applies them to use cases such as implementing OAuth for web and native apps, using OAuth on devices with no web browser or keyboard, and implementing OAuth securely when writing an app and a server. Along the way, you’ll identify the available options when implementing a server, such as when to use self-encoded tokens and how to present scopes in a way that won't intimidate your users. And since your application will want to know the user’s name and email address, you’ll learn how to use OpenID Connect with OAuth 2.0 to provide the user’s identity.

What you'll learn-and how you can apply it

  • The problems OAuth was created to solve
  • The basics of OAuth 2.0 and OpenID Connect
  • Best practices for developing web-based and native OAuth apps
  • Which OAuth grant type is right for your use case

And you’ll be able to:

  • Implement an OAuth client from scratch
  • Protect the OAuth flows in native and JavaScript apps
  • Use OpenID Connect to get the user’s email address

This training course is for you because...

  • You’re a software architect, application developer, or technical decision maker.
  • You work with APIs, web apps, mobile apps, or microservices.
  • You want to deepen your understanding of application security and become a technical leader.


  • A basic understanding of HTTP requests, responses, and JSON
  • Experience with Postman, curl, or any other HTTP client
  • A machine with Postman, curl, or any other HTTP client installed

About your instructor

  • Aaron Parecki is a contributor to the OAuth specifications, maintains Oauth.net, and is the author of OAuth 2.0 Simplified. He’s also the cofounder of IndieWebCamp, a yearly conference on data ownership and online identity, and the editor of the W3C Webmention and Micropub specifications. Aaron has spoken at conferences around the world about OAuth, data ownership, and the quantified self and even explained why R is a vowel. Aaron has tracked his location continuously since 2008. He made Inc. magazine’s “30 under 30” list when he was the CTO and cofounder of Geoloqi, a location-based software company acquired by Esri. His work has been featured in Wired, Fast Company, and more. Aaron holds a BS in computer science from the University of Oregon and lives in Portland, Oregon.


The timeframes are only estimates and may vary according to how the class is progressing

Background of OAuth (30 minutes)

  • Lecture: OAuth and the problems it solves; issues with password-based authentication for third-party apps; how OAuth improves security; authorization versus authentication; roles in OAuth; client registration
  • Group discussion: What type of apps are you building?
  • Q&A

OAuth grant types and use cases (40 minutes)

  • Lecture: Which grant type is right for your use case; server-side apps; server-to-server apps; first-party apps
  • Hands-on exercise: Implement the authorization code flow
  • Q&A
  • Break (5 minutes)

OAuth for public clients (45 minutes)

  • Lecture: Native apps; browser-based apps; IoT devices
  • Hands-on exercise: Implement Proof Key for Code Exchange (PKCE) with the authorization code flow
  • Q&A

Refresh tokens (15 minutes)

  • Lectures: Refresh tokens; why we have them
  • Hands-on exercise: Use a refresh token to continue the OAuth session without the user present
  • Q&A
  • Break (5 minutes)

OpenID Connect (30 minutes)

  • Lecture: OpenID Connect and JWT ID tokens
  • Hands-on exercise: Obtain an ID token to find out a user’s profile information
  • Q&A

Wrap-up and Q&A (10 minutes)