Advanced OAuth & OpenID Connect

In the workshop, attendees will learn about the advanced aspects of OAuth and OpenID Connect. These will include such things as:

  • Advanced aspects of the code and implicit flow, for example:
    • acr_values and how it can be used for “step-up” authentication
    • ui_locales
    • prompt=consent, prompt=none, prompt=login
    • max_age
    • by-value and by-ref request objects
    • variations on interactive user-consent
  • Hybrid flow
  • Form response mode
  • Proof Key for Code Exchange (PKCE or “pixie”)
  • Proof-of-Possession (PoP), i.e., Holder of Key (HoK)
  • Mutual TLS (mTLS) and cert-bound access tokens
  • Pairwise Pseudonymous Identifiers (PPID)
  • Dynamic Client Registration (DCR) and early/late user-binding using implicit or client credential flow
  • JWT authorization grant for user and client authentication
  • Down-scoping during token refresh
  • Signed and unsigned metadata and how to use it to verify tokens

To help solidify these concepts, they will be described verbally, with whiteboard drawings, and demonstrated. Attendees will also be able to implement them using a client application that will be provided together with written instructions. For this, students will need a laptop and the right to install software on that machine. Students will also be able to ask questions and get help during the workshop from the instructor and an aide.

(From the list of topics above, it should hopefully be obvious that the workshop will be in-depth and advanced. Attendees are, therefore, expected to have used or implemented these protocols before or to have at least attended a previous OAuth workshop. Extensive background info will not be provided.)

Austin API Summit 2019

May 13, 2019 13:00

4 hours including break