Understand the difference between authentication and authorization, common identity terms (identity provider, relying party), and where SSO, OAuth, and OIDC fit in an architecture.
Learn OAuth actors (resource owner, client, authorization server, resource server), tokens, scopes, and when to use OAuth 2.0 in applications.
Examine the main OAuth 2.0 flows (Authorization Code, Client Credentials, Implicit, Resource Owner Password Credentials), their security trade-offs, and selection criteria. The OAuth 2.0 Security Best Current Practice deprecates the Implicit grant (tokens exposed in the URL fragment) and the Resource Owner Password Credentials grant (user credentials handed to the client), so new work should default to Authorization Code with PKCE for user-facing clients and Client Credentials for service-to-service calls.
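The Authorization Code flow with PKCE, as an added stand-alone example that is not part of the original page and not any vendor's SDK. Both sides are simulated in one process: the client generates a code_verifier, sends the S256 code_challenge and a state value, and the authorization server binds the issued code to that challenge and only redeems it once. The client id, redirect URI, in-memory code store and scope name are constructed for the demo; the challenge derivation follows RFC 7636 and is checked against that RFC's published test vector.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo identifiers; not a real client or authorization server.
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/callback"
_pending_codes = {}  # stands in for the authorization server's code store


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- client (a public app that cannot keep a secret) ----
def client_start() -> tuple:
    """Build the authorization request and the per-login values the client must remember."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, inside RFC 7636's 43..128 range
    state = b64url(secrets.token_bytes(16))      # binds the callback to this browser session
    request = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "read:orders",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return request, {"verifier": verifier, "state": state}


def client_callback(callback: dict, session: dict) -> dict:
    """Check state before spending the code, then redeem the code with the stored verifier."""
    if not hmac.compare_digest(callback.get("state", ""), session["state"]):
        raise ValueError("state mismatch: possible login CSRF")
    return as_token_endpoint(callback["code"], session["verifier"], CLIENT_ID, REDIRECT_URI)


# ---- authorization server ----
def as_authorize(request: dict) -> dict:
    """After the user consents: issue a short-lived code bound to the PKCE challenge."""
    if request.get("code_challenge_method") != "S256" or not request.get("code_challenge"):
        raise ValueError("PKCE S256 required for public clients")
    code = b64url(secrets.token_bytes(24))
    _pending_codes[code] = {
        "challenge": request["code_challenge"],
        "client_id": request["client_id"],
        "redirect_uri": request["redirect_uri"],
    }
    return {"code": code, "state": request["state"]}


def as_token_endpoint(code: str, code_verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Redeem a code exactly once; the verifier proves the caller started the flow."""
    rec = _pending_codes.pop(code, None)       # single use: replaying a stolen code fails here
    if rec is None:
        raise ValueError("unknown or already used code")
    if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        raise ValueError("code was issued to a different client/redirect")
    if not hmac.compare_digest(code_challenge_s256(code_verifier), rec["challenge"]):
        raise ValueError("PKCE verification failed: verifier does not match challenge")
    return {"access_token": "opaque-" + b64url(secrets.token_bytes(16)),
            "token_type": "Bearer", "expires_in": 300}


def run_flow(tamper: str = None) -> str:
    """Happy path plus three failure modes; returns 'ok' or the rejection reason."""
    request, session = client_start()
    callback = as_authorize(request)
    if tamper == "wrong_verifier":
        session["verifier"] = b64url(secrets.token_bytes(32))   # attacker holds the code, not the verifier
    if tamper == "bad_state":
        callback["state"] = "forged"
    try:
        client_callback(callback, session)
        if tamper == "replay":
            client_callback(callback, session)                  # second redemption of the same code
        return "ok"
    except ValueError as e:
        return str(e)
```

The verifier never leaves the client until the token request, which is sent directly to the token endpoint rather than through the browser; an attacker who intercepts the redirect learns only the code and cannot redeem it.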
Understand the lifecycle of access and refresh tokens, scope design for least privilege, token expiration, and revocation strategies (short-lived access tokens, refresh-token rotation, and a revocation endpoint for refresh tokens).
Learn the JWT header/payload/signature structure, the common registered claims (iss, sub, aud, exp, iat, nbf), signing versus encryption (JWS versus JWE), and how to validate tokens in your app: pin the accepted algorithm, verify the signature against the issuer's key, and only then check iss, aud, and exp.
Combine OAuth-issued tokens with the JWT format: how access tokens can be JWTs, API validation patterns (local signature verification versus token introspection for opaque tokens), and mitigation of common attacks such as alg=none, algorithm confusion, and audience confusion (a token issued for one consumer accepted by another).
Learn OIDC concepts (ID token, userinfo endpoint, claims, discovery, and standard scopes), how it layers authentication on top of OAuth 2.0 authorization, typical authentication flows, and the ID token checks a relying party must make (signature, iss, aud equal to its own client_id, exp, and nonce).
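One validator serving the JWT, JWT-access-token and OIDC ID-token modules above, as an added stand-alone example that is not code from the original page or from any identity provider. It mints HS256 tokens with the standard library, verifies them with the algorithm pinned and the signature checked before any claim is read, and then applies the consumer-specific checks: the resource server demands its own audience plus a scope, the OIDC relying party demands aud equal to its client_id plus a matching nonce. The shared secret, issuer, audience, client id and fixed clock are constructed for the demo; a production consumer would fetch the issuer's keys from its JWKS endpoint and verify an asymmetric algorithm such as RS256 instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not a real issuer); production code would fetch the issuer's
# published keys from its JWKS endpoint and use an asymmetric algorithm such as RS256.
SHARED_SECRET = b"demo-hmac-key-for-illustration-only"
ISSUER = "https://issuer.example"
API_AUDIENCE = "https://api.example"
CLIENT_ID = "demo-client"
NOW = 1_700_000_000  # fixed clock so the outcomes are reproducible

class TokenError(Exception):
    pass

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _compact(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def mint_jwt(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Issuer side: header.payload.signature, signed with HS256."""
    signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token, key, issuer, audience, now, leeway=30) -> dict:
    """Consumer side: signature first, then the claims that bind the token to us and to now."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is attacker-controlled until the signature is verified, so it must never
    # choose the verifier: pinning the algorithm blocks alg=none and RS256/HS256 confusion.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not meant for this audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if now < claims.get("nbf", 0) - leeway:
        raise TokenError("not yet valid")
    return claims

def authorize_api_call(token: str, required_scope: str, now: int = NOW) -> dict:
    """Resource server: a valid access token for this API that carries the required scope."""
    claims = verify_jwt(token, SHARED_SECRET, ISSUER, API_AUDIENCE, now)
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("missing scope " + required_scope)
    return claims

def validate_id_token(token: str, expected_nonce: str, now: int = NOW) -> dict:
    """OIDC relying party: aud must be our client_id; nonce ties the token to this login."""
    claims = verify_jwt(token, SHARED_SECRET, ISSUER, CLIENT_ID, now)
    if not claims.get("sub"):
        raise TokenError("missing sub")
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise TokenError("nonce mismatch: possible replay")
    return claims

def outcome(check, *args) -> str:
    """Run a check and report 'ok' or the rejection reason."""
    try:
        check(*args)
        return "ok"
    except TokenError as e:
        return str(e)

def sample_access_token() -> str:
    return mint_jwt({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user-1",
                     "scope": "read:orders", "iat": NOW, "exp": NOW + 300})

def sample_id_token(nonce: str = "n-123") -> str:
    return mint_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                     "nonce": nonce, "iat": NOW, "exp": NOW + 300})
```

The ordering matters: an ID token presented to the API is rejected by the audience check even though its signature is valid, and a forged token with alg set to none is rejected before its claims are ever parsed.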
Apply SSO and OIDC knowledge to configure an identity provider (e.g., Auth0): register clients, set exact-match callback (redirect) URIs, map claims, enforce SSO sessions, and test end-to-end authentication.