< Back to Courses

Introduction to OpenID Connect and OAuth

OpenID Connect is the de-facto standard we should use for handling authentication and authorization in modern applications. However, it can still be very complex and confusing with all the various concepts, including scopes, claims, flows, resources, and tokens.

In this course, you will learn the following:

  • Authentication vs. authorization
  • How OAuth 2.x and OpenID Connect work
  • Fundamental concepts
  • How a client authenticates against an authorization server
  • How to retrieve and consume JWT tokens
  • How OpenID Connect fits into your architecture
  • How the tokens are secured and managed

This course includes many hands-on exercises that will help you understand how the protocol works under the hood.

After this course, we recommend you look at the following related courses:

Target audience

This course is designed for both new and experienced developers and architects seeking to understand the fundamentals of application security using OAuth2 and OpenID Connect. With a focus on the core standards and protocols rather than a specific implementation or programming language, it’s the perfect fit regardless of whether you use Duende IdentityServer, Entra ID (AzureAD), KeyCloak, or any other authorization service.


It would be best if you had a good understanding of the following:

  • The HTTP(s) protocol (including methods, headers, and cookies…)
  • How the web works in general
  • Some experience in developing backend web solutions


In this course, we will cover the following:

  • Introduction
    • Authentication vs. Authorization
    • Our challenges
    • OAuth versions
    • OAuth vs. OpenID Connect
  • Token Service
    • Authorization Server
    • Relying party
    • Token types
    • Bearer token
    • Server implementations
    • Identity architecture
    • Service endpoints
    • The discovery document
  • Implicit flow
    • How does this flow work
    • Why it is no longer a recommended flow
  • JWT tokens
    • ID and access tokens
    • JSON Web Tokens
    • JWT access tokens
  • Claims and scopes
    • What are claims?
    • Claim types
    • Scopes
    • User consent
  • Securing the token
    • Unsecure tokens
    • Signed tokens
    • Signature algorithms
    • Private/public keys
    • Encrypted tokens
    • State and nonce
  • Authorization Code Flow
    • Public vs. private clients
    • Front vs. back-channel
    • Getting the tokens
  • Refresh tokens
    • One-time refresh tokens
    • Using the refresh token
    • Token introspection
  • Client Credentials flow
  • Proof Key for Code Exchange (PKCE)
  • Single sign-on and sign-out
  • Backend for Frontend (BFF)
  • OAuth 2.1
  • And much more…

Introduction to
OIDC and OAuth

Article SKU

1 day


English, Swedish

Contact me for a price enquiry or to submit interest.

Training FAQs

Do you provide both on-site and remote training classes?

Yes, we provide both types of training.

Do you provide training in both Swedish and English?

Yes, both options are available. All our course materials are in English and we can teach the class in either Swedish or English.

Do you do half-day training?

When we run on-site, we usually do full-day classes. For remote training, we can provide options for both half and full days.

Do you do webinars and shorter talks?

Yes, please visit our Talks page for more details.

Do you provide customized courses?

Yes we do that. Contact me for more information.