Justin Richer, lead author of the book OAuth 2 In Action and editor of the OAuth extensions RFC 7591, RFC 7592, and RFC 7662, discusses the key technical features of OAuth 2.0, the industry-standard protocol for authorization, and what makes it the best choice for authorizing access to API resources. Host Gavin Henry spoke with Richer about browser-based OAuth 2.0, types of tokens, OpenID Connect, PKCE, the pros and cons of JSON Web Tokens and where to store them, client secrets, single-page apps, mobile apps, current best practices, OAuth.xyz, HEART, MITREid Connect, token validation, dynamic client registration, the factors that decide which authorization grant type to use, and what is next for OAuth.
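PKCE (RFC 7636) comes up in the episode as the mechanism that protects public clients (single-page and mobile apps, which cannot keep a client secret) against authorization-code interception. The following Python is an added example written for these show notes, not code from the episode, the book, or any project mentioned above: the client derives a `code_challenge` from a random `code_verifier`, a small hypothetical authorization server binds the challenge to the code it issues, and the token endpoint refuses the code unless the matching verifier is presented. The `AuthorizationServer` class and `pkce_round_trip` helper are assumptions made for the demonstration; the S256 test vector is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) round trip: client-side verifier/challenge generation and the
authorization-server check that binds a code to the challenge it was issued with.
Added example for these show notes; not code from the episode or any project."""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 s4.1: 43-128 unreserved characters. 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """RFC 7636 s4.2. 'plain' exists only for clients that cannot hash; use S256."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


def verify_code_verifier(verifier: str, challenge: str, method: str) -> bool:
    """Server-side check from RFC 7636 s4.6, with a constant-time comparison."""
    if not 43 <= len(verifier) <= 128:
        return False
    try:
        expected = make_code_challenge(verifier, method)
    except ValueError:
        return False
    return secrets.compare_digest(expected, challenge)


@dataclass
class AuthorizationServer:
    """Hypothetical minimal AS: stores (client_id, challenge, method) per code."""
    codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """Authorization endpoint: issue a code bound to the presented challenge."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: single-use code, same client, verifier must match."""
        entry = self.codes.pop(code, None)
        if entry is None:
            return None
        bound_client, challenge, method = entry
        if bound_client != client_id:
            return None
        if not verify_code_verifier(code_verifier, challenge, method):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def pkce_round_trip(attacker_steals_code: bool = False) -> bool:
    """Run the flow end to end; True when the token endpoint issued a token.
    With attacker_steals_code=True the code is redeemed without the original
    verifier, which is the interception case PKCE is designed to defeat."""
    az = AuthorizationServer()
    verifier = make_code_verifier()                  # kept on the client only
    challenge = make_code_challenge(verifier)        # sent in the authorize request
    code = az.authorize("native-app", challenge, "S256")
    if attacker_steals_code:
        return az.token("native-app", code, make_code_verifier()) is not None
    return az.token("native-app", code, verifier) is not None


if __name__ == "__main__":
    print("legitimate client gets a token:", pkce_round_trip())
    print("stolen code without verifier:", pkce_round_trip(attacker_steals_code=True))
```

The verifier never leaves the client until the token request, and the challenge on its own is useless to anyone who observes the front-channel redirect, which is why RFC 8252 (linked below) makes PKCE mandatory for native apps. Note that PKCE does not replace state or redirect-URI validation; it only binds the code to the party that started the flow.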
Show Notes
Related Links
- OAuth2 Main site/https://oauth.net/2/
- Guest site/https://bspk.io/
- https://twitter.com/justin__richer
- OAuth 2 In Action/https://www.manning.com/books/oauth-2-in-action
- https://tools.ietf.org/wg/oauth/
- https://tools.ietf.org/html/rfc7591#section-2
- https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-10
- https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12
- https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-00
- https://tools.ietf.org/html/rfc7636
- https://tools.ietf.org/html/rfc8252
- OAuth.xyz/https://oauth.xyz/
- https://oauth.net/events/
- https://www.ietf.org/how/meetings/105/
- AppAuth/https://appauth.io/
- UMA/https://en.wikipedia.org/wiki/User-Managed_Access
- MITREid Connect/https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
- OpenID Connect/https://openid.net/connect/
- PKCE/https://oauth.net/2/pkce/
SE Radio theme: “Broken Reality” by Kevin MacLeod (incompetech.com — Licensed under Creative Commons: By Attribution 3.0)