An illustrated guide to OAuth

(www.ducktyped.org)
354 points | egonschiele | 3 comments
gethly | No.45013667
I am implementing OAuth right now, along with OIDC. I must say that for such a simple concept, getting to the facts that help me to actually implement it is insanely hard. I have no idea why, but everywhere I look it just seems like it only scratches the surface and you get no tangible information that you can use to actually implement it in code. I ended up mostly browsing the specs, and Grok was insanely helpful in explaining the meaning of various things where information was lacking or buried deep in documentation/specifications. I would say this was the first time I actually appreciated these new "AIs", which I don't use at all.
aurecchia | No.45013786
Are you implementing an auth server or integrating with one?

Regardless, the last time I dug into this topic I ended up feeling the same. The web is littered with articles that scratch the surface and only cover the basics. They often leave out the details, which IME ended up making things more difficult to understand. What was the most helpful, as you said, was to follow the RFCs and the OIDC spec directly.

What might also be useful, if you are implementing an auth server, is to look at existing implementations. Duende IdentityServer (https://github.com/DuendeSoftware/products/tree/main/identit...) is the most widely-used one in the .NET space.

1. gethly | No.45014363
I am implementing an OAuth server with OpenID provider capabilities. I agree with what you said; that is my experience as well.
2. mettamage | No.45014708
So how are you guys finding this illustrated guide, is it any good?
3. aurecchia | No.45023397
I think it gives a good, albeit very simplified, explanation of the general idea around the most common OAuth flow.

Like OP was writing, if you are looking at implementing an authorization server, this is not very useful. Even if you are a developer looking to understand how to get authorized to interact with a resource server or authenticate a user, I'd argue that this is not enough. The author clarifies that in the conclusion, but then it's essentially the reader who has to figure out what details are missing and where to get them.