OAuth is a topic that has popped up a few times in my certification studies (Security+, CISSP, CSC210), but in none of those cases the curriculum went in-depth on how it works. As in really, how do you implement it, what does it look like in action?

I'm currently going through PDSO's API security training, preparing for the exam. OAuth gets about twenty minutes of video in there and they do a relatively good job of explaining. But yet again, there's still a lot of details missing.

Today I spent five or six hours reading through the resources below, making a huge stack of flash cards so I can refresh what I learned at a later point in time.

For those who might struggle a bit with OAuth and how it would be implemented in code, here's an absolutely great example of a Javascript SPA (single-page app).

I then also read:

I also had no clue whatsoever about how those links worked, where you do something in a browser and it pops up an app on your smartphone, tablet or computer. I learned that's called app deep linking and it's something that's both really cool and that's had its share of vulnerabilities as well. This was a great read which taught me how the URI schema for app deep links work and how they can be attacked.

Measuring the insecurity of mobile deep links on Android

EDIT:

Oh my gosh, the folks at Curity made a great 8-part mini training that introduces OIDC and OAuth. Parts 7 and 8 perfectly explain 90% of what I wanted to know when I started my research.

kilala.nl tags: studies,

View or add comments (curr. 0)

All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.

Kilala.nl - Personal website of Tess Sluijter

About me

Blog archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

> Weblog

> Sysadmin articles

> Maths teaching

Learning about OAuth