Resources for Catching Up on OAuth2 and OIDC

This article was originally published on bmf-tech.com.

Overview

Materials I read extensively to catch up on OAuth2 and OIDC.

Specifications

OIDC

• OpenID Connect Core 1.0 incorporating errata set 1
• OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1
• OAuth 2.0 Multiple Response Type Encoding Practices
• OAuth 2.0 Form Post Response Mode
• OpenID Connect RP-Initiated Logout 1.0 - draft 01
• OpenID Connect Session Management 1.0 - draft 30
• OpenID Connect Front-Channel Logout 1.0 - draft 04
• OpenID Connect Back-Channel Logout 1.0 - draft 06
• OpenID Connect Federation 1.0 - draft 17
• OpenID Connect Basic Client Implementer's Guide 1.0 - draft 40
• OpenID Connect Implicit Client Implementer's Guide 1.0 - draft 23
• OpenID 2.0 to OpenID Connect Migration 1.0

OAuth 2.0

• RFC 6749 The OAuth 2.0 Authorization Framework
• RFC 6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage
• RFC 6819 OAuth 2.0 Threat Model and Security Considerations

JWx

• RFC 7519 JSON Web Token (JWT)
• RFC 7515 JSON Web Signature (JWS)
• RFC 7516 JSON Web Encryption (JWE)
• Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
• JSON Web Signature (JWS) draft-ietf-jose-json-web-signature-14

Official Organizations

• openid.net

Books

• Understand Properly Without Using It Vaguely! A Tutorial Guide to Using OAuth2.0
• 【Digital Edition】A Book to Understand the Differences Between OAuth, OAuth Authentication, and OpenID Connect
• 【Digital Edition】A Book to Understand and Organize Attacks and Countermeasures on OAuth and OIDC (Attack on Redirect Edition)
• In-depth Introduction to OAuth: Principles and Practices for Applying Secure Authorization Systems

Web

Be cautious as some blog posts are old and not updated.

• Super Summary of Authentication and Authorization: A Quick Overview of OAuth, OpenID Connect, SAML, etc.
• 【Report】Backend Engineer’s Meetup ~Authentication and Authorization Infrastructure in Microservices~
• Authentication 【authentication】 certification
• Better Understanding of Authentication and Authorization
• Understanding Authentication and Authorization
• Insights from a Full-Stack Implementer of OAuth 2.0 + OpenID Connect
• Set Up an OAuth 2.0 & Web API Server at Lightning Speed with Authlete
• Summary of OAuth & OpenID Connect Related Specifications
• Summary of Improper Implementations of OAuth & OpenID Connect
• Complete Understanding of Authlete's OAuth 2.0 / OIDC Implementation Knowledge
• New Architecture for OAuth 2.0 / OIDC Implementation
• History of ID Federation and Overview of OpenID-Connect
• Introduction to OpenID Connect ~Trends in ID Federation for Consumers~
• Full Explanation of OpenID Connect Flows
• The Most Understandable Explanation of OpenID Connect
• Probably the Most Understandable OpenID Connect
• About "Using Plain OAUTH 2.0 for Authentication Creates a Huge Security Hole Big Enough for a Car to Drive Through"
• Using Plain OAuth 2.0 for Authentication Creates a Huge Security Hole Big Enough for a Car to Drive Through
• OAuth 2.0 Client Authentication
• The Most Understandable Explanation of OAuth
• Authentication Technologies You Should Know for App Development - OAuth 1.0 + OAuth 2.0 + OpenID Connect -

Working Group

• openid.net/wg/

Videos

• Recording and Material Download of "OAuth & OIDC Study Session"

Study Sessions

• conpass.com - Authlete, Inc.
• conpass.com - Identity Dance School

Twitter

Accounts I follow.

• @authyasan
• @authlete
• @authlete_jp
• @darutk