OAuth/OIDC Monitoring and Detection
RCCE students will learn the OAuth 2.0 authorization framework and OpenID Connect authentication layer, covering authorization code flows, implicit flows, client credentials, PKCE extensions, token lifecycle management, and JWT structure and validation. RCCE students will learn to identify common OAuth/OIDC vulnerabilities including token theft, authorization code interception, redirect URI manipulation, scope escalation, and insufficient token validation. The course covers incident response for compromised OAuth tokens, revoking active sessions, investigating token abuse in logs, and implementing secure OAuth/OIDC configurations that prevent account takeover. This monitoring course teaches comprehensive detection and observability strategies for proactive security operations. Starting from foundational concepts, RCCE students will learn to instrument systems for security telemetry, build detection pipelines, configure alerting, and maintain monitoring coverage as environments evolve. Students gain the visibility and detection capabilities needed to catch threats early.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing OAuth/OIDC Monitoring and Detection
- Monitor and audit privilege usage; detect escalation attempts
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for identify vulnerabilities — covering Token theft and session hijacking, Redirect URI manipulation vectors.
- Execute hands-on tasks for understand oauth 2.0 & oidc — covering Authorization code, implicit, client creds, PKCE extensions for public clients.
- Build detections and response workflows for privilege escalation, including Instrument systems for security telemetry, and alerting on OAuth anomalies.
- Execute hands-on tasks for respond to token compromise — covering Revoke active sessions rapidly, Investigate token abuse in logs.
- Explain OAuth 2.0 Framework Overview fundamentals
- Execute hands-on tasks for rfc 6749 core grants — covering Delegated access without sharing credentials.
- Execute hands-on tasks for oauth 2.0 roles deep dive
- Execute hands-on tasks for resource owner — covering End user who grants access, Controls scope of permissions.
- Execute hands-on tasks for client application — covering Requests access on behalf of user, Registered with auth server.
- Execute hands-on tasks for authorization server — covering Issues tokens after authentication, Validates client credentials.
| Module 01 | OAuth/OIDC Monitoring |
| Module 02 | Authorization Framework Security · Token Lifecycle · Threat Detection |
| Module 03 | Identify Vulnerabilities |
| Module 04 | Understand OAuth 2.0 & OIDC |
| Module 05 | Build Detection Pipelines |
| Module 06 | Respond to Token Compromise |
| Module 07 | OAuth 2.0 Framework Overview |
| Module 08 | RFC 6749 Core Grants |
| Module 09 | OAuth 2.0 Roles Deep Dive |
| Module 10 | Resource Owner |
| Module 11 | Client Application |
| Module 12 | Authorization Server |
| Module 13 | Resource Server |
| Module 14 | Hosts protected APIs/resources |
All hands-on labs run on Rocheston Rose X OS. Students practice oauth/oidc monitoring and detection by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Monitor and audit privilege usage; detect escalation attempts
- Lab 2: Build detections and response workflows for privilege escalation
- Lab 3: Execute hands-on tasks for identify vulnerabilities
- Lab 4: Execute hands-on tasks for understand oauth 2.0 & oidc
- Lab 5: Build detections and response workflows for privilege escalation
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for OAuth/OIDC Monitoring and Detection, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI