A couple months ago I was asked to explain OAuth and I really did a horrible job at it. To be honest, I had used it without really digging into details. Following tutorials, using existing SDKs and NuGet packages I got by pretty well, but I wasn’t able to describe how it all worked.
OAuth is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
Recently, a requirement came up about authentication and authorization for a semi-public API. Remembering how I failed to answer the question the first time, I decided to get my hands on a short book that would bring me up to speed.
I bought "Getting Started with OAuth 2.0" by Ryan Boyd. In my opinion, it's really a good place to start learning about OAuth 2.0. The book is short and to the point. It gives you a pretty good overview of the possible OAuth flows, when to use them and which major OAuth providers currently support them. The book is a little dated, so you might want to refer to each provider's documentation.
The OAuth 2.0 Authorization Framework enables a third-party application to obtain limited access to an HTTP service.
OAuth Flows Covered in This Book
- Server-Side Web Application Flow
- Client-Side Web Application Flow
- Resource Owner Password Flow
- Client Credentials Flow
The book also introduces OpenID Connect, which is a simple identity layer on top of OAuth 2.0. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Have you read this book? Let me know if it satisfied your expectations.
More
- The OAuth 2.0 Authorization Framework Specification – RFC 6749
- The OAuth 1.0 Protocol Specification – RFC 5849 (the final version of the OAuth 1.0 specification)
- The OAuth Community Site
- OAuth Code & Libraries
- Community-driven support FAQ
- OpenID Connect