Many of my 7100 students of the OAuth course have asked me to create a new course on OpenID Connect & JWT. And I completely understand why. Because as an API professional in 2020, you simply need to know the why, what and how of OpenID Connect!

So I am glad to announce today that, after months of hard work, this online course is finally available!

Some of the Contents…

1 Introduction
1.1 What is OpenID Connect
1.2 What can be done with OpenID Connect
1.3 How does OpenID Connect Work
1.4 OAuth 2 vs. OpenID Connect
1.5 Common Misunderstandings

2 OpenID Connect Actors
2.1 OpenID Connect Provider
2.2 Resource Provider
2.3 End-user (a.k.a. Resource Owner)
2.4 Client (a.k.a. App)

3 OpenID Connect Endpoints
3.1 Authorization Endpoint
3.2 Resource Endpoint
3.3 Userinfo Endpoint
3.4 Token Endpoint
3.5 Redirect Endpoint

4 Tokens in OpenID Connect
4.1 Explanation of the Different Token Types in OpenID Connect
4.2 Access Token
4.3 Refresh Token
4.4 Authorization Code
4.5 ID Token

5 The various OpenID Connect flows and when to use which flow
5.1 Authorization Code Flow
5.2 Refresh Flow
5.3 Implicit Flows
5.4 Hybrid Flows

6 Using OpenID Connect in Practice
6.1 Choosing A Suitable OpenID Connect Flow
6.2 Client Registration
6.3 Redirect Endpoint Implementation
6.4 Initiation of OpenID Connect Flow
6.5 Validation of OpenID Connect Tokens
6.6 Access to Resource Endpoints and Userinfo Endpoint

7 JSON Token Infrastructure
7.1 JSON Web Token (JWT)
7.2 JSON Web Signature (JWS)
7.3 JSON Web Encryption (JWE)
7.4 JSON Web Key (JWK) and JSON Web Key Set (JWKS)
7.5 JSON Web Algorithm (JWA)

8 Practical Exercises & Solution
8.1 Exercise & Solution: Getting an ID Token from Google
8.2 Exercise & Solution: Discovering the Public Key used for validating the ID Token from Google

I wish you lots of fun with my new course on OpenID Connect. As a security expert, you need to know about OpenID Connect in 2020. All the best and a good start into the New Year!

New Course on OpenID Connect & JWT

Also published on Medium.

Matthias Biehl

As API strategist, Matthias helps clients discover their opportunities for innovation with APIs & ecosystems and turn them into actionable digital strategies. Based on his experience in leading large-scale API initiatives in both business and technology roles, he shares best practices and provides both strategic and practical guidance. He has stayed a techie at heart and at some point, got a Ph.D. Matthias publishes a blog at, is the author of several books on APIs, and regularly speaks at technology conferences.