OAuth/OIDC Incident Response
RCCE students will learn the OAuth 2.0 authorization framework and OpenID Connect authentication layer, covering authorization code flows, implicit flows, client credentials, PKCE extensions, token lifecycle management, and JWT structure and validation. RCCE students will learn to identify common OAuth/OIDC vulnerabilities including token theft, authorization code interception, redirect URI manipulation, scope escalation, and insufficient token validation. The course covers incident response for compromised OAuth tokens, revoking active sessions, investigating token abuse in logs, and implementing secure OAuth/OIDC configurations that prevent account takeover. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Building on core knowledge, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing OAuth/OIDC Incident Response
- Explain Course Overview & Learning Objectives fundamentals
- Execute hands-on tasks for what you will learn — covering OAuth 2.0 authorization framework, OpenID Connect authentication layer.
- Execute hands-on tasks for skills you will gain — covering Containment of compromised tokens, Evidence collection from OAuth logs.
- Execute hands-on tasks for resource owner
- Execute hands-on tasks for client application
- Execute hands-on tasks for authorization server
- Execute hands-on tasks for resource server — covering The user who.
- Explain OAuth 2.0 Grant Types Overview fundamentals
- Execute hands-on tasks for authorization code — covering Server-side apps; most secure for web apps, Public clients (SPAs, mobile); prevents code.
- Execute hands-on tasks for client credentials — covering Machine-to-machine; no user context needed.
- Execute hands-on tasks for authorization code + pkce — covering Public clients (SPAs, mobile); prevents code.
- Execute hands-on tasks for implicit (deprecated) — covering Legacy browser-based flow; token in URL fragment.
| Module 01 | Course Overview & Learning Objectives |
| Module 02 | What You Will Learn |
| Module 03 | Skills You Will Gain |
| Module 04 | Resource Owner |
| Module 05 | Client Application |
| Module 06 | Authorization Server |
| Module 07 | Resource Server |
| Module 08 | OAuth 2.0 Grant Types Overview |
| Module 09 | Authorization Code |
| Module 10 | Client Credentials |
| Module 11 | Authorization Code + PKCE |
| Module 12 | Implicit (Deprecated) |
| Module 13 | Best Practice Guidance |
| Module 14 | Authorization Code Flow Deep Dive |
All hands-on labs run on Rocheston Rose X OS. Students practice oauth/oidc incident response by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Explain Course Overview & Learning Objectives fundamentals
- Lab 2: Execute hands-on tasks for what you will learn
- Lab 3: Execute hands-on tasks for skills you will gain
- Lab 4: Execute hands-on tasks for resource owner
- Lab 5: Execute hands-on tasks for client application
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for OAuth/OIDC Incident Response, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI