* OAuth2 basics - Client, Resource Server, Authorization Server and Resource Owner; how authorization is obtained via the AS without the RO giving credentials to the Client
* Co-located RS+AS deployments (e.g. Google) vs more loosely coupled where the RS(s) is/are detached from the AS
* OAuth2 Proof-of-Possession - compare Cash and Credit Card - cash is a bearer token, you have no way of knowing its origin, Credit Card requires identifying the bearer has the right to use it. In OAuth2 PoP this is achieved by the client registering a asymmetric key pair public key when it acquires the access token, and then that public key is sent to the RS on token use, and is used to verify a signature that accompanied the request from the client to the RS.
* Best practice for token lifetime? Auth Codes - seconds; Access Token short - minutes; Refresh Token - longer, days to months
* Stateless vs Authorization Code? Tokens can be server-stateless, where as an Authorization Code must be single use, so state must be maintained across cluster
* Best practice for managing scopes?
* Currently using SAML, why might I switch to OAuth2/OIDC?
* Stateless blacklists vulnerable to NTP attacks?
* SAML session to cover the choice between SAML/OAuth2