Sorry, not available in this language yet

English
日本語
简体中文

AI-generated code | Harness the power of AI coding assistants while managing the risks.
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Program Consolidation | Simplify your application security program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage Enterprise AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud.
Open Source License Compliance | Effective solutions for ensuring open source license compliance.
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality and Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators.

Static Analysis (SAST) | Analyzing code for security vulnerabilities without executing it.
Software Composition Analysis (SCA) | Analyzing software components for security and license compliance.
Dynamic Analysis (DAST) | Testing running applications for security vulnerabilities.
Interactive Analysis (IAST) | Real-time security testing during application execution.
Penetration Testing | Simulated cyberattacks to identify vulnerabilities.
Mobile Application Security Testing (MAST) | Ensuring the security of mobile applications.
Application Security Posture Management (ASPM) | Managing and improving application security posture.
Fuzz Testing Solutions | Identifying vulnerabilities by inputting random data to applications.

Automotive | Security solutions for automotive industry applications.
Financial Services | Security solutions tailored for financial services.
IoT & Embedded | Security for Internet of Things and embedded systems.
Medical Devices | Security solutions for medical devices.
Public Sector | Security solutions for government and public sector organizations.

Dev and DevOps Teams | Security tools and practices for development and DevOps teams.
Security Teams | Solutions and support for dedicated security teams.
Legal Teams | Resources and compliance tools for legal teams.

OpenID Connect

Description

Single sign-on and federated identity on the web have long been a nightmare. Overly complex XML-based systems are hard to implement in an interoperable way. OAuth 2.0 seems like a good solution but was never built for authentication. As a consequence, many OAuth 2.0-based authentication systems are insecure.

Enter OpenID Connect. Designed for authentication and built on top of OAuth 2.0, OpenID Connect addresses many problems developers have struggled with over the years. This course positions OpenID Connect and explores how to authenticate end users against an identity provider. By applying these principles, you can significantly improve the architecture of your application.

Learning Objectives

Position OpenID Connect in the world of web-based delegation and identity federation systems
Implement a secure OpenID Connect flow for various types of web applications
Understand how identity providers offer SSO solutions and advanced session management mechanisms
Use dynamic discovery to load the necessary information from the identity provider
Use additional security features to fine-tune the security properties of OpenID Connect flows

Details

Delivery Format: eLearning

Duration: 1 Hour

Level: Advanced

Intended Audience:

Back-end developers
Front-end developers
Enterprise developers
Architects

Competencies:

Basic understanding of web development and HTTP
Basic understanding of authentication and access control
Basic understanding of cryptography
Basic understanding of OAuth 2.0

Prerequisites:

OAuth 2.0 Security

Course Outline

Introduction to OpenID Connect

Single Sign-On and Federated Identity
Pseudo-Authentication with OAuth 2.0
OpenID Connect
OpenID Connect Alternatives

OpenID Connect Flows

The Authorization Code Flow
The Hybrid Flow
The Implicit Flow
The Password Flow

Authenticating End Users

Dissecting the Authentication Response
Validating an Identity Token
Providing Additional User Information
Querying the userinfo Endpoint
Client Control over Returned Claims

Single Sign-On with OpenID Connect

Using a Centralized Identity Provider
End-User Involvement
Session Management and Single Logout

Discovery and Dynamic Configuration

Discovering the OIDC Configuration
Discovering Key Material

Advanced OpenID Connect Topics

Using a Request Object
Encrypting Tokens and Responses
Client Registration

Concluding OpenID Connect

OpenID Connect Flows
End-User Authentication
Configurability and Control

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster

Learn more about developer security training