Securely Accessing APIs Using OAuth 2.0

Course Description

In the modern web, many APIs depend on OAuth 2.0 to implement proper access control. Therefore, applications accessing these APIs need to implement support for OAuth 2.0. There are four main OAuth 2.0 flows (and several additional ones), and each supports a particular scenario. In this course, we focus on how to use OAuth 2.0 to access remote APIs. We look at the registration of clients, the different flows, and additional security considerations.

Learning Objectives

  • Understand how to register a client application and request proper permissions
  • Select the right OAuth 2.0 flow for the use case at hand
  • Implement an application that uses OAuth 2.0 to access remote APIs
  • Understand relevant security considerations to protect sensitive tokens

Details

Delivery Format: eLearning

Duration: 1 hour 30 minutes

Level: Intermediate

Intended Audience

  • Architects
  • Back-End Developers
  • Enterprise Developers
  • Front-End Developers
  • Mobile Developers

Prerequisites: OAuth 2.0 Security

Course Outline

Introduction

  • An Example OAuth 2.0 Scenario
  • Conceptual View of OAuth 2.0
  • Accessing Protected Resources

Registering a Client Application

  • The Need for Client Registration
  • Registering Different Types of Clients
  • Registering a Client
  • The Importance of Redirection URIs

Scopes and Permissions

  • Using Scopes
  • Handling Scopes in an OAuth 2.0 Flow
  • Practical Examples of Scopes
  • Scopes vs. Permissions
  • The Limitations of Scopes
  • Practicalities of Scopes

The Client Credentials Grant Flow

  • Defining the Client Application
  • Initializing the Flow
  • Practicalities of the Client Credentials Grant Flow
  • Limitations and Security Considerations

The Authorization Code Grant Flow

  • Defining the Client Application
  • Initializing the Flow
  • Practicalities of the Authorization Code Grant Flow
  • Limitations and Security Considerations

The Refresh Token Flow

  • The Purpose of Refresh Tokens
  • Using Refresh Tokens
  • Securing Refresh Tokens for Public Clients
  • Limitations and Security Considerations

Token Security Recommendations

  • The Real-World Consequences of Token Theft
  • Secure Token Storage
  • Using Sender-Constrained Tokens
  • The Limitations of Browser-Based Application Security
  • Using a Backend-for-Frontend Pattern
  • The Benefits of a BFF

Wrapping Up

  • The Role of Tokens
  • The "state" Parameter
  • Secure Communication Channels
