Gain insights into JWT, OAuth2, and OpenID Connect. Learn about HTTPS, encryption, and handshake techniques, and explore foundational concepts in web API security for enhanced application protection.

Web application developers are always on the lookout for ways to secure their applications. It has become the most fundamental part of any web application considering the rise in the number of cyber-attacks. This course will be your handy guide to the basic terminologies and frameworks related to web application security.

 In this course, you will learn what JWT is, how a JWT is created, and what benefits it provides in token-based authentication. You will learn about why HTTPS was introduced and how it revolutionized the way data is transferred using techniques like encryption and handshake. You will also dive deep into the most commonly used authentication and authorization frameworks called OAuth and OpenId Connect. This course will give you a taste of what web API security is all about and will give you the foundation so you can further your learning of application security.

Web Security and Access Management: JWT, OAuth2 & OpenId Connect

The Authorization code flow for OpenID Connect is similar to the [Authorization Code Flow](https://www.educative.io/courses/web-security-access-management-jwt-oauth2-openid-connect/authorization-code-grant-type) that we discussed in the OAuth 2.0 chapter.
The only difference is the change in the value of the `scope` field. It must contain **openid** as one of the values, followed by other scope values based on what type of user data the client wants.

There are two questions that can be raised:

1. What would happen if the client does not provide an **openid** in the `scope` field while sending a request to the authorization server?

The answer is that in this case, the flow will work as a normal authorization flow.
The client app will not get access to the user information as it will not receive the identity token.

2. Can user information be fetched from the `UserInfo` endpoint by sending the access token in the request even if `openid` was not provided in the `scope` field when an access token was requested?

The answer is **NO**. When we send a request to the token endpoint to fetch the access token, then we must send **openid** in the `scope` field. We must also send other scope values like email or address if we want to get this information. The access token that is returned is based on the scope values that were sent with the request. When we hit the UserInfo endpoint, then only that user information is returned which the access token is authorized to get.

>Let’s say that while sending a request to the **token endpoint**, the `scope` value is “openid email”. The client sends this request and gets an access token. If the client sends this access token to the UserInfo endpoint, it will get only email information. It will not get an address or any other information.

# Authorization code flow types

There is only one type of Authorization flow. In this flow, the `response_type` is sent as code.

What tokens the client will get is based on what is being sent in the `scope` attribute.

1. If the scope contains **openid**.

![](/api/collection/6650775272947712/6366281604268032/page/6363592887631872/image/4730980121182208)

Here is the flow for this case.

![](/api/collection/6650775272947712/6366281604268032/page/6363592887631872/image/5974457341444096)

2. If the scope does not contain **openid**.

![](/api/collection/6650775272947712/6366281604268032/page/6363592887631872/image/5199713490960384)

Here is the flow for this case.

![](/api/collection/6650775272947712/6366281604268032/page/6363592887631872/image/5443818305355776)

This lesson discusses the authorization code flow for authentication.

Getting started with Web Application Security

HTTPS Basics

JSON Web Token

OAuth

OpenID Connect

Conclusion

Authorization Code Flow for Authentication