←back to thread

An illustrated guide to OAuth

(www.ducktyped.org)
354 points egonschiele | 7 comments | 25 Aug 25 12:29 UTC | HN request time: 0.439s | source | bottom
Show context
gethly ◴[25 Aug 25 13:31 UTC] No.45013667[source]
I am implementing oauth right now, along with oidc. I must say that for such a simple concept, getting to the facts that help me to actually implement it is insanely hard. I have no idea why but everywhere i look it just seems like it only scratches the surface and you get no tangible information that you can use to actually implement it in code. I ended up mostly browsing the specs and grok was insanely helpful to explain meaning of various things where information was lacking or buried deep in documentation/specifications. I would say this was the first time where i actually appreciated these new "AIs", which i don't use at all.
replies(15): >>45013786 #>>45014191 #>>45014923 #>>45014925 #>>45015705 #>>45016116 #>>45016464 #>>45016521 #>>45016761 #>>45017703 #>>45017714 #>>45018132 #>>45018714 #>>45019295 #>>45021989 #
1. aurecchia ◴[25 Aug 25 13:46 UTC] No.45013786[source]
Are you implementing an auth server or integrating with one?

Regardless, the last time I dug into this topic I ended up feeling the same. The web is littered with articles that scratch the surface and only cover the basics. They often leave out the details, which IME ended up making things more difficult to understand. What was the most helpful, as you said, was to follow the RFCs and the OIDC spec directly.

What might also be useful, if you are implementing an auth server, is to look at existing implementations. Duende IdentityServer (https://github.com/DuendeSoftware/products/tree/main/identit...) is the most widely-used one in the .NET space.

replies(4): >>45013944 #>>45014032 #>>45014115 #>>45014363 #
2. commandlinefan ◴[25 Aug 25 14:00 UTC] No.45013944[source]
> Are you implementing an auth server or integrating with one?

And OAuth has somehow managed to be _harder_ to integrate with an existing implementation of than just to implement from scratch.

3. peterldowns ◴[25 Aug 25 14:08 UTC] No.45014032[source]
Ancient, but potentially also helpful due to documentation and tests, is my old django implementation: https://github.com/peterldowns/djoauth2 . I’m sure it doesn’t run out of the box anymore due to Django changes but maybe another good reference server.
4. olavgg ◴[25 Aug 25 14:15 UTC] No.45014115[source]
Before I knew about Keycloak, I need to figure out how to use Spring Boot to authenticate via Azure Entra Id. I could't use Spring Boot Security OAuth2 as I couldn't figure out how to bind Entra ID groups to roles in Spring Boot. I saw a great video from Okta where they broke down all details down to each http request (don't remember the link to the video), and then implement each http request/redirects to Entra ID. Finally I got the token and could then use the Graph API to get group memberships for binding a Spring Boot role.

I still used Spring Sessions though, where a successfull authed user got a new Spring Session. The reason was that I liked the idea of having beans with session scope, for example where each user/role has access to a specific database schema.

5. gethly ◴[25 Aug 25 14:39 UTC] No.45014363[source]
I am implementing oauth server with open id provider capabilities. I agree with what you sad, that is my experience as well.
replies(1): >>45014708 #
6. mettamage ◴[25 Aug 25 15:09 UTC] No.45014708[source]
So how are you guys finding this illustrated guide, is it any good?
replies(1): >>45023397 #
7. aurecchia ◴[26 Aug 25 07:31 UTC] No.45023397{3}[source]
I think it gives a good, albeit very simplified, explanation of the general idea around the most common OAuth flow.

Like OP was writing, if you are looking at implementing an authorization server, this is not very useful. Even if you are a developer looking to understand how to get authorized to interact with a resource server or authenticate a user, I'd argue that this is not enough. The author clarifies that in the conclusion, but then it's essentially the reader who has to figure out what details are missing and where to get them.