Hacker News: krantic's comments

I have not seen a course that covers all of the things you are asking for.

The best courses on OIDC/OAuth and SAML I have seen were the paid ones here: https://www.hackmanit.de/en/training/portfolio

On LinkedIn Learning this one was quite OK: https://www.linkedin.com/learning/web-security-oauth-and-ope...

Free resources to check:

- https://aaronparecki.com/

- OAuth 2.0 and OpenID Connect (in plain English): https://m.youtube.com/watch?v=996OiexHze0

  https://speakerdeck.com/nbarbettini/oauth-and-openid-connect...

- OAuth/OpenID by Nat Sakimura (chairman of the OpenID Foundation): https://m.youtube.com/playlist?list=PLRUD_uiAYejRvQWkS2xjgFW...

For the Active Directory topic I don't know good resources.


Aaron Parecki has two courses on OAuth:

The Nuts and Bolts of OAuth 2.0

https://www.udemy.com/course/oauth-2-simplified/

Advanced OAuth Security

https://www.udemy.com/course/advanced-oauth-security/


I can second Hackmanit from my own experience. We had them come on site some years ago to train our team. This was incredibly helpful as they also focused on what we use in house in a separate chapter.


All of that, plus the RFCs for OAuth2 and OIDC are pretty great as well!


Yeah, start with https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-... It deprecates the insecure and outdated / easy-to-shoot-yourself parts and summarizes the rest, so you don't need to go through the rabbit hole of specs...

Also follow the BCP that will remain in a draft state forever (at least for the near future): https://datatracker.ietf.org/doc/html/draft-ietf-oauth-secur...


This is practical, but awful advice. Auth (z or n) has been very badly over-engineered. You don't need anything more than HTTP basic auth; the rest is just people with too much time on their hands. OAuth particularly is a travesty that its authors should be ashamed of.


OAuth 2.0 took the best features of what was already being deployed by Google, Microsoft, Yahoo, etc. and added in scopes and refresh tokens. The objective was to standardize how to delegate authorization so that developers did not have to learn slightly different ways of doing effectively the same thing.

Typing your username and password into a 3P website so it could crawl your contacts was a horrible anti-pattern.


It depends!

(I work for an auth vendor, so where I stand depends on where I sit, to some extent.)

I've seen and built apps that only needed built-in framework or language support. Or, best of all, don't use authentication at all.

I've also seen and/or built apps that needed advanced functionality to support business requirements. For example, if you want to:

* support slack-like workspace switching functionality for a single user

* but allow each organization to control the login methods they want to allow, including magic links, SAML, OIDC, LDAP, etc.

* and make all APIs securely and scalably available to single page applications and mobile applications

* across hundreds of thousands or millions of users

You're going to want to use some of the more complicated standards. Basic auth ain't gonna help with that.


I worked for the largest company in Canada, which handled billions of dollars. You can make your decision, but they won't do anything.


I work on the cloud security team for a Fortune 500 company. They won't even consider a third-party service that doesn't provide an enterprise SSO/SAML integration with our auth provider. I suspect this is the more common approach for enterprise-level companies, given that at 40k+ employees it's just not possible to manage employee auth across hundreds of services.


They still used basic auth across all their apps?


No. They used OAuth. I wrote their entire OAuth system. And it was a nightmare reading through OAuth/OIDC specs for something that could be handled trivially with HTTP basic auth.


I could recommend https://github.com/panva/node-oidc-provider; it supports most of the OIDC/OAuth 2 rabbit-hole specs.


This looks really good. I'll see about adding it to the table.


Steve Krug's "Don't Make Me Think" is one of the best resources on UI/UX (https://sensible.com/dont-make-me-think/). I would put it on the book recommendation list for a UI/UX primer.


Added. Thank you!


Dan Boneh's "Cryptography I" (https://www.coursera.org/learn/crypto) was one of the best basic lectures I have seen on the crypto topic. I have enjoyed several lectures in my studies, but some things I only understood after the good and interesting explanations in this course. Really amazing. Still waiting for the Crypto 2 course.

If you understand German, I recommend the math lessons by Christian Spannagel (https://www.youtube.com/@pharithmetik). He makes some less interesting topics enjoyable.


I've been waiting for the Crypto 2 course for over ten years. He keeps scheduling it and then postponing it.


Yes, it seems that we will not see it in the near future... For fun I sometimes go through the project of the CS255 course: https://crypto.stanford.edu/~dabo/cs255/

