Sign up to save your podcasts
Or
Share Mastering OAuth 2.0 & Microservice Security for Senior Interviews
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Mastering OAuth 2.0 & Microservice Security for Senior Interviews
- The "Hotel Keycard" Analogy (AuthN vs. AuthZ): We clarify the critical difference between OpenID Connect (verifying your identity at the front desk) and OAuth 2.0 (the keycard that tells the lock what you can access).
- The "Secret Handshake" (PKCE): Discover why the Proof Key for Code Exchange (PKCE) is now mandatory for public clients to prevent authorisation code interception attacks.
- The "Clear Backpack" Trap: We reveal why storing tokens in browser localStorage is a major interview red flag, and how the Backend-For-Frontend (BFF) pattern keeps tokens securely on the server.
- Defeating the "Forged Badge" (JWT Vulnerabilities): We unpack the notorious alg:none vulnerability and exactly what steps a Resource Server must take to validate a JWT signature safely.
- Zero-Trust Microservices & Token Exchange: Learn how to move past weak shared secrets. We explain how to use private_key_jwt (RFC 7523) for strong service identity, and why you should use Token Exchange (RFC 8693) to maintain a secure chain of custody across microservices.
- Banking-Grade Security (DPoP & Token Rotation): We dive into the ultimate defenses against token theft: Refresh Token Rotation, which acts as a tripwire to invalidate compromised token families, and DPoP (Sender-Constrained Tokens, RFC 9449), which mathematically binds a token to the client's private key.
View all episodes
By Prabuddha Ganegoda- The "Hotel Keycard" Analogy (AuthN vs. AuthZ): We clarify the critical difference between OpenID Connect (verifying your identity at the front desk) and OAuth 2.0 (the keycard that tells the lock what you can access).
- The "Secret Handshake" (PKCE): Discover why the Proof Key for Code Exchange (PKCE) is now mandatory for public clients to prevent authorisation code interception attacks.
- The "Clear Backpack" Trap: We reveal why storing tokens in browser localStorage is a major interview red flag, and how the Backend-For-Frontend (BFF) pattern keeps tokens securely on the server.
- Defeating the "Forged Badge" (JWT Vulnerabilities): We unpack the notorious alg:none vulnerability and exactly what steps a Resource Server must take to validate a JWT signature safely.
- Zero-Trust Microservices & Token Exchange: Learn how to move past weak shared secrets. We explain how to use private_key_jwt (RFC 7523) for strong service identity, and why you should use Token Exchange (RFC 8693) to maintain a secure chain of custody across microservices.
- Banking-Grade Security (DPoP & Token Rotation): We dive into the ultimate defenses against token theft: Refresh Token Rotation, which acts as a tripwire to invalidate compromised token families, and DPoP (Sender-Constrained Tokens, RFC 9449), which mathematically binds a token to the client's private key.