Chapter 17. Vetting Resources and Having Patience when Learning Information Security Topics

Christina Lang

If you plan on learning tokens, or really anything in information security, always start out by using only official sources. I cannot tell you the number of times I have been publicly embarrassed or utterly confused because I used a YouTube video, blog post, or vendor’s website to try and learn about authentication, authorization, and tokens when I was first starting out in identity and access management.

The trouble with unofficial sources is that they are often outdated by the time you read or watch them, they are frequently opinionated, and they may not depict a process entirely accurately. They may also use the wrong terminology or unintentionally omit helpful pieces of information (such as the difference between a confidential and a public client, and why that matters when deciding which token grant or flow type to use).

I have found, more often than not, studying the official IETF (Internet Engineering Task Force) documents or the most current publication from OpenID Connect or OWASP (Open Web Application Security Project) to be the best route when trying to learn a topic. Often, if the document you are reading has been updated and a more current version is available, they will note that on the document itself so it’s clear that the information within the outdated ...
