What made me understand these things the most, was setting this up just for myself.

For example host your own instance of Zitadel, Authentik or whatever you find most appealing. Tinker a bit around with it. Then use that instance to authenticate yourself somewhere, i.e. another service where you can set up your own oauth provider. Take a look at the API requests, take a look the code of some OAuth implementation, for example in projects like Gitea, Nextcloud.

May not be it for everyone, though I really like learning by doing.

I have not seen a course that covers all of the things you are asking for.

The best courses on the oidc/oauth and saml I have seen were the paid ones here: https://www.hackmanit.de/en/training/portfolio

On linkedinlearning this one was quite ok: https://www.linkedin.com/learning/web-security-oauth-and-ope...

Free ressources check: -https://aaronparecki.com/

-OAuth 2.0 and OpenID Connect (in plain English): https://m.youtube.com/watch?v=996OiexHze0

https://speakerdeck.com/nbarbettini/oauth-and-openid-connect...

-OAuth/OpenID by Nat Sakimura(chairman openid foundation) https://m.youtube.com/playlist?list=PLRUD_uiAYejRvQWkS2xjgFW...

For the active directory topic I don't know good ressources

I think the most important place to start is appreciating the distinction between authentication ("is the person trying to use my application really the person they say they are?", abbreviated "authn") and authorization ("is this person allowed to perform the action they're trying to perform?", abbreviated "authz").

Most of the comments on this page are referring to authentication. It's important to know, but also the piece you're likely to spend far less time on. It's where most of the heavy lifting will be done by some vendor or tool you set up instead of by your own code.

Authorization is far less likely to be something you get off the shelf and far more likely to be where you spend significant time. It can be very intimately connected to your business logic. Active Directory roles and groups are one authorization solution for a particular class of problems but I have only seen them used for controlling business internal assets (mostly file servers); not public-facing applications.

I really like Oso Academy as a resource for authorization topics. It's structured like a progressive course, though I don't know if they have the kind of exercises you mentioned.

https://www.osohq.com/academy

One thing that might be interesting is SASL has evolved over the years. Most things are RFCs, so well written, short and open specifications. This gives you one larger thing to learn. Should be rather linear if you sort by RFC number.

It would head well into advanced user/password schemes.

The problem is that even advanced mechanism like a SCRAM based authentication with additional 2fa are rather simple to grasp & implement, but really hard to get right / secure.

A lot of the evolution is rather an evolution of attacks and issues, leading to new schemes. OWASP is thus pretty relevant, too.

I'm also interested in this, but specifically something that covers authentication between services and in particular situations where a user authenticates against service a and now service a needs to ask service b to do something on behalf of the user. Not just a handwavy "use OAuth" but more concrete and thorough.

FastAPI's tutorial on how to implement a basic OAuth server helped me a lot in understanding the basic concepts.

https://fastapi.tiangolo.com/tutorial/security/

After getting familiar, I self hosted Keycloak and integrated it with my FastAPI server.

https://www.keycloak.org/

Though not exactly a course, learning by doing helped me :)

I’ve learned a lot about these things by working on a project using Ory Kratos. The documentation is a bit patchy but it’s open source so you can dive into the gritty details of how a fairly large id provider implements the various aspects of OAuth and so on. (One nice thing about Azure Active Directory is that it supports OAuth2 integrations so if you understand and can implement OAuth2 then you can also implement AD).

I know it’s not a linear learning answer but hope it helps you perhaps later. Good luck!

You might want to check out https://dchest.com/authbook/

I found Nate Barbettini's video on OAuth and OpenID Connect incredibly insightful for understanding these topics. He explains everything so well- https://youtu.be/996OiexHze0.

Additionally, I'm part of the ZITADEL team, an open-source project that's free to download or use in our cloud offering. So, you can always tinker around with it as some others have already suggested. Our blog dives into various security topics, ranging from OAuth, OpenID Connect, and Single Sign-On, Authentication, Federation to emerging issues like Passkeys. We also discuss real-world Identity Management problems and solutions seen by ZITADEL users— https://zitadel.com/blog.

For any specific security-related queries, feel free to join the conversation on our Discord chat: https://zitadel.com/chat. We're always discussing and sharing insights on these topics.

I recently had to learn OIDC which is the standard for auth that most people really mean when they say OAuth now, I think. I learned by implementing (using Keycloak) and most importantly by reading the OIDC specs. It may seem intimidating, but the real core of it is not that large.

It's a topic I'd be interested in writing more about, and I'm happy to start here if you would find it useful.

For fido2 and passkeys, I'd recommend Adam Langley's blog: https://www.imperialviolet.org/

There's also the RFC on OAuth2:

https://datatracker.ietf.org/doc/html/rfc6749

The introduction will give you a bit of a background. The most important to read (for now) is just the introduction up to chapter 2.

Generally, check yourself with OWASP cheatsheet:

https://cheatsheetseries.owasp.org/cheatsheets/Authenticatio...

I think auth0 has some, which are free but maybe based too much around there product, which I use and think very good.

https://auth0.com/learn

A bit salse-y, but Oso has a pretty nice overview on the problems that led to their product and how they reason about AuthN/AuthZ: https://www.osohq.com/academy

It's more focused on application level architecture rather than the whole domain of AuthN/AuthZ, but I've found it's a decent reference for folks unfamiliar with a lot of the common issues one encounters in implementation.

For Kerberos, here:

https://kerberos.org/software/tutorial.html

Far from a comprehensive course, but I found this blogpost really good for understanding OAuth2 and usecases/limitations/footguns: https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cas...

https://www.oreilly.com/library/view/api-security-in/9781617...

I don't know of any, but here's the resources I've found useful as I've worked in the space (disclosure: I work for an auth vendor, FusionAuth).

* Solving Identity Management In Modern Applications is a great book offering an overview of the entire identity process, including provisioning (adding users), authentication and more. I read and reference the 2019 edition; don't have the 2023 edition but expect it is just as good: https://link.springer.com/book/10.1007/978-1-4842-8261-8

* OAuth2 In Action walks you through building an OAuth2 server from scratch (in JavaScript). You'll learn about the fundamentals of tokens, clients, registration, and more. Very accessible. https://www.manning.com/books/oauth-2-in-action

* The Security Engineering Handbook is great for foundational security knowledge, like 'What does a hash look like, and what makes a good hashing algorithm' as well as a lot of broader security topics: https://www.cl.cam.ac.uk/~rja14/book.html

* FusionAuth's vendor neutral articles: https://fusionauth.io/articles/ . I'd especially call out these two: The Modern Guide to OAuth, which walks through the multiple different ways the OAuth 2 authorization framework can be used: https://fusionauth.io/learn/expert-advice/oauth/modern-guide... (previous HN discussion: https://news.ycombinator.com/item?id=29752918 ), and the Math of Password Hashing: https://fusionauth.io/learn/expert-advice/security/math-of-p...

* The Beer Drinkers Guide to SAML is a great resource for understanding this (still) critical standard, plus just a fun read: https://duo.com/blog/the-beer-drinkers-guide-to-saml

* The RFCs and BCPs (as mentioned). I've also learned a lot by lurking on the OAuth mailing list, which is freely available: https://mailarchive.ietf.org/arch/browse/oauth/

* The Identity Unlocked podcast with Vittorio Bertocci (RIP). This is not about the basics at all, but is a deeper dive into the dev focused side of authentication, and will give you great pointers for more reading: https://identityunlocked.auth0.com/

* The OWASP guides are good but specialized. See for example: https://owasp.org/API-Security/editions/2023/en/0xa2-broken-...

* I have a substack where I talk about aspects of customer identity and access management that I think is pretty good :) : https://ciamweekly.substack.com/

I think this would be a great linkedin learning, udacity or coursera course, but didn't see anything when I searched there. I've put together courses before and it's a ton of work, but hmmm, maybe it'd be fun to do for this topic.

Edit: corrected spelling of Vittorio Bertocci's name.

One thing I did early on, that I would highly recommend, is picking up a Security+ study guide book and reading it. I recommend a digital copy, since it's easier to ignore the fact that the book is quite large. Even if you never do the certification (I haven't), the Security+ curriculum gives a really nice broad overview of a ton of the concepts involved and how they're used practically. From there, as a few others have mentioned ,it's hard to beat reading some of the specs for Oauth2, OIDC, SAML, etc, to understand how the primitives are woven together and what the different terms mean.

Perhaps the higher level architecture reference guides can provide a good overview of all these items? Written from a GCP perspective, but nevertheless the concepts can be shared cross cloud:

Security & IAM - https://cloud.google.com/architecture/security-iam

Other - https://cloud.google.com/architecture?_ga=2.121060044.-59389...

I made the simplest Rust server I could to learn the basic workflow of OAuth2, it gets the user gmail after you log in with Google. I also included some instructions of how to set up the Google account. Feel free to check it out! https://github.com/alexgf0/oauth

Learning Digital Identity by Phil Windley is a great resource as long as you skip over the SSI parts

https://www.oreilly.com/library/view/learning-digital-identi...

I'm currently in the boat where I need to set up authentication (and eventually authorization) for a startup catering to big enterprises almost exclusively. I'd love to be recommended resources for setting up something like Keycloak or Auth0 (or anything else) for that use case.

https://www.oauth.com

Not a course, but the IDPro Body of Knowledge is a great resource for any aspiring Identity professional: https://idpro.org/body-of-knowledge/

Two I found react/remix

- https://reactsecurity.io/ - https://EpicWeb.dev

This is a deep, starting from zero course -> https://www.thecyberhut.com/auth-design/

I do provide company training in OAuth, OpenID-Connect, ASP.NET Core authenticaiton and web security at https://tn-data.se/

Huh, I always forget a lot of programmers weren't around when this stuff was invented. It's all actually pretty simple, and very little complexity. However, there are so many "gotchas" (that can result in zero security) that anyone writing a guide like this would probably have you sign a waiver, then any company you work for sign a waiver, and include your firstborn child.

For example, user/pass is pretty simple on the surface:

1. app sends server user/password.

2. check if it matches the password in the database.

3. if so, respond with a token the app can send back that is associated with the user. if not, return with a 401.

The number of gotchas in this simple 3-step process is insane... here's some off the top of my head (not exhaustive):

- make sure the login form includes a CSRF token.

- do not store the password in plaintext in the db. or encrypted, probably. Since an attacker can possibly get the encryption key and then decrypt all your passwords. Use strong, slow hashes.

- rate limit your logins to prevent brute-forcing (slow hashes work great here)

- use constant-time comparisons to check if the password matches (e.g., hash_equals() in PHP), RTFM for whatever constant time check you are using or you will open yourself up to timing attacks.

That's the issue with security stuff, there are so many gotchas that anyone writing a course would open themselves up to getting sued (at least in the US) just for missing a gotcha or someone with Dunning-Kruger thinking they know everything and getting hacked ... it's too risky. You have to just get into the industry and learn it the hard way. At least that's how I learned everything I learned.

How much are you willing to pay for it so you would get a knowledge base that is not superficial, but thorough and you'll really know the ins and outs of it?

none.

but useful stuff:

certified ethical hacker course can give you a perpetrator's pov on how people get hacked.

owasp cheatsheet and latacora blog are useful reference also.

understanding how companies offer these services also helps, e.g. clerk.com, ory.sh, auth0, okta, supertokens, etc.

understanding how authentication coincides with authorization helps too.

imo, the best way to learn these is to implement them on a small scale yourself. When I wanted to learn about JOSE, I implemented a JOSE library and read the RFCs alongside my implementation. It taught me a lot.