1. Intro
2. Authentication and Authorization
3. OAuth and OpenId Connect
4. Terminology
5. Client Type
6. Public Client
7. Scopes
8. Access Tokens
9. JSON Web Token
10. OAuth endpoints
11. OAuth grant types
12. OAuth grant best practices
13. Authorization code injection
14. Pixi
15. URI
16. HTTP Header
17. Reference Token
18. Refresh Token
19. OpenId Connect
20. OAuth Scopes
21. OAuth Connect Endpoints
22. OAuth Connect Hybrid
23. Use Cases
Description:
Explore common mistakes and misconceptions in web application security using OAuth 2.0 and OpenID Connect in this comprehensive conference talk. Delve into the intricacies of authorization and authentication, examining how OAuth 2.0 and OpenID Connect (OIDC) address these challenges. Gain insights into potential pitfalls and misconceptions that developers may encounter when implementing these standards. Learn about client types, scopes, access tokens, JSON Web Tokens, OAuth endpoints, and grant types. Discover best practices for OAuth grants and understand concepts such as authorization code injection, Pixi, URI, HTTP headers, reference tokens, and refresh tokens. Explore OpenID Connect scopes, endpoints, and the hybrid flow. Benefit from practical demonstrations using IdentityServer4, a popular open-source framework for OpenID Connect and OAuth 2.0 on ASP.NET Core.

Common Mistakes and Misconceptions in Web App Security Using OAuth 2.0 and OpenID Connect

NDC Conferences