Learning about OAuth

2023-12-27 20:33:00

OAuth is a topic that has popped up a few times in my certification studies (Security+, CISSP, CSC210), but in none of those cases the curriculum went in-depth on how it works. As in really, how do you implement it, what does it look like in action? 

I'm currently going through PDSO's API security training, preparing for the exam. OAuth gets about twenty minutes of video in there and they do a relatively good job of explaining. But yet again, there's still a lot of details missing. 

Today I spent five or six hours reading through the resources below, making a huge stack of flash cards so I can refresh what I learned at a later point in time. 

For those who might struggle a bit with OAuth and how it would be implemented in code, here's an absolutely great example of a Javascript SPA (single-page app).

I then also read:

I also had no clue whatsoever about how those links worked, where you do something in a browser and it pops up an app on your smartphone, tablet or computer. I learned that's called app deep linking and it's something that's both really cool and that's had its share of vulnerabilities as well. This was a great read which taught me how the URI schema for app deep links work and how they can be attacked. 

EDIT:

Oh my gosh, the folks at Curity made a great 8-part mini training that introduces OIDC and OAuth. Parts 7 and 8 perfectly explain 90% of what I wanted to know when I started my research.


kilala.nl tags: ,

View or add comments (curr. 0)