All Things Auth - How (not) to do authentication in modern applications

January 11, 2020 09:54

Every application needs authentication, but which implementations are secure, and which can easily be hacked? In this talk we will first look at some not-so-good examples from the internet and discuss attacks against them. After understanding how not to do auth, we will then learn how to correctly and securely implement an OAuth/OpenID Connect authentication flow in a modern tech stack (a single-page application with an API as the backend). And because you should only believe in the code you see, we will do all of this with lots of live hacking and coding.