Mastering OAuth 2.0 and OpenID Connect

Nowadays, applications need to access both internal and external APIs, and a key mechanism for managing access authorization is OAuth 2.0, which allows users to grant an application permissions without sharing their credentials with it. OpenID Connect complements OAuth by adding authentication, making the pair a complete protocol for handling both user authorization and authentication.

However, due to their complexity and technical terminology, OAuth and OpenID Connect can be confusing. In this talk, we will explain how these protocols work in a simple and accessible way, covering key concepts you need to understand, such as authorization flows, access tokens, scopes, and refresh tokens.

We’ll explore the different OAuth 2.0 flows, such as the Authorization Code Flow, recommended for web applications; the Device Code Flow, ideal for devices with limited capabilities; and CIBA (Client Initiated Backchannel Authentication) flows, which enable background authentication—perfect for mobile apps or devices with minimal user interaction.

We’ll also discuss the use of Reference Tokens, a more secure alternative to traditional access tokens, as they avoid storing tokens directly on the client.

By the end of the session, you'll have a solid understanding of how to use OAuth and OpenID Connect to build more secure and efficient applications, improving user data protection and simplifying authentication and authorization management in your system.

Leonardo Micheloni

Madrid, Spain
