OAuth 2.0 and OpenID Connect play an important role in the security of modern web applications. OIDC is used for authentication, whereas OAuth is used to grant access to protected resources. It is therefore important to implement these protocols correctly and to harden them against malicious actors who try to steal access tokens.
The following presentation gives a short introduction to OAuth 2.0 and OpenID Connect and describes the most important protocol details. After that, common attacks (e.g. authorization code stealing) and their mitigations (e.g. PKCE) are shown. The presentation concludes with an outlook on new developments in the OAuth community and a guideline for security testing. The presentation shown here is mainly based on the OAuth 2.0 Security BCP.
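As an added illustration (not code from the presentation or its GitHub repository), the PKCE flow (RFC 7636, S256 method) that mitigates authorization code stealing, modelled against a constructed in-memory authorization server: a stolen code is useless without the client's secret code_verifier, and a code is accepted only once.

```python
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    # base64url without padding, as required by RFC 7636
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes give 43 unreserved characters, the RFC 7636 minimum length
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed toy model of the AS side of PKCE; not a real server."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # The Security BCP discourages 'plain', so only S256 is accepted here.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # pop() makes the code single-use: a replayed code is rejected
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        # constant-time comparison of the recomputed challenge
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(8)


def run_scenarios() -> tuple:
    """Returns (legit token, replay result, stolen-code result)."""
    server = AuthorizationServer()
    verifier = generate_code_verifier()                       # kept by the client
    code = server.authorize(code_challenge_s256(verifier))   # challenge sent in the request
    legit = server.token(code, verifier)                      # honest client redeems the code
    replay = server.token(code, verifier)                     # same code again -> rejected
    stolen = server.authorize(code_challenge_s256(generate_code_verifier()))
    attacker = server.token(stolen, generate_code_verifier())  # intercepted code, wrong verifier
    return legit, replay, attacker
```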
The code for the practical demonstration can be found on my GitHub account.