OAuth 2.0 and OIDC Internals: Grant Flows, PKCE, and JWT Verification
See the Invisible
Interactive simulators visualize what's hidden from view.
Hands-On Labs
Step through executions tick by tick. Manipulate state.
Why, Not Just What
Deep architectural understanding for mid-senior developers.
AI Sandbox Lab
Real-world scenarios. Find the flaws AI misses.
Become the Engineer Who Supervises AI
As AI generates more code, understanding what that code does becomes more valuable, not less. Someone must verify AI output, debug failures, and make architectural decisions.
Build Your Architectural EdgeYou've implemented OAuth. But do you actually understand it?
You've copied the redirect URIs, configured the client secrets, and
somehow got tokens flowing. But when something breaks, when the
authorization server returns
invalid_grant, when tokens fail validation, when a security review asks why you
chose Authorization Code over Implicit, you're guessing. The OAuth
and OIDC specs are complex, fragmented across multiple RFCs, and
built on assumptions you've never seen visualized.
- • Why does the authorization code travel through the browser, but tokens never do?
- • Why can't your SPA safely store a client_secret?
- • What attack does PKCE actually prevent?
- • When should you call the introspection endpoint vs verify JWTs locally?
- • What's the difference between an ID token and an access token, and why is sending ID tokens to APIs an anti-pattern?
- • Trace each actor's role in the Authorization Code Grant, including the security boundary between front-channel and back-channel
- • Explain why PKCE's code_verifier/code_challenge mechanism defeats authorization code interception
- • Choose between symmetric (HS256) and asymmetric (RS256/ES256) JWT signing based on your architecture
- • Debug token validation failures by checking signature, expiration, issuer, audience, and scope
- • Architect OIDC flows correctly, using ID tokens for client-side authentication and access tokens for API calls
Interactive Simulators: Watch Token Flows Execute Step by Step
OAuth and OIDC are multi-party protocols. Reading sequence diagrams doesn't build intuition. Our simulators let you trigger each step: the browser redirect, the user consent screen, the authorization code exchange, the token refresh. You'll watch the code_verifier transform into code_challenge, see how JWKS endpoints deliver public keys, and observe refresh token rotation invalidating old tokens. The invisible choreography becomes visible.
What You'll Master
The four actors, security boundaries between them, and why delegated authorization replaces credential sharing.
Authorization Code vs Implicit (and why Implicit is deprecated), Client Credentials for M2M, and when each grant type applies.
Why SPAs and mobile apps are public clients, and how PKCE's code_verifier/code_challenge defeats code interception attacks.
Header, payload, and signature anatomy. Standard claims. The Base64 encoding trap. Symmetric vs asymmetric signing. JWKS endpoints.
Access token expiration, refresh token rotation mechanics, and the introspection vs local verification trade-off.
The authentication/authorization split. ID tokens for clients, access tokens for APIs. Nonce for replay prevention. UserInfo endpoint.
Course Curriculum
Visual cheatsheet
Practice verifying AI-generated code
Built for Engineers Who Want to Understand, Not Just Implement
Whether you're a senior engineer designing authentication architecture, a tech lead reviewing OAuth implementations, or a developer tired of debugging token flows by trial and error, this course gives you the internal model you need to make confident decisions. Stop guessing why tokens fail. Start seeing the protocol execute.
Ready to see what's really happening?
All deep dives included with your subscription. Cancel anytime.