
An illustrated guide to OAuth

(www.ducktyped.org)
354 points egonschiele | 2 comments
gethly No.45013667
I am implementing OAuth right now, along with OIDC. I must say that for such a simple concept, getting to the facts that help me to actually implement it is insanely hard. I have no idea why, but everywhere I look it just seems like it only scratches the surface and you get no tangible information that you can use to actually implement it in code. I ended up mostly browsing the specs, and Grok was insanely helpful to explain the meaning of various things where information was lacking or buried deep in documentation/specifications. I would say this was the first time where I actually appreciated these new "AIs", which I don't use at all.
1. 9dev No.45017703
A while ago, I set out to understand OAuth properly and built a fully compliant authorisation server on SvelteKit, following all relevant RFCs, simply by… reading them all.

When you get used to the technical writing, it’s actually pretty straightforward—most of them actually document the endpoint structure and payloads, error codes, and so on. After that, the most complicated part is organizing your code to be modular and handle persistence right.

I can really recommend doing this once, and once the pieces start to fall into place, you’ll be able to understand most OAuth issues you’ll ever come across!

2. centur No.45021086
100% agree. Did the same back in early OAuth2 days, before main platforms got libraries and support (we were transitioning from OpenID 2.0, not yet OIDC). The OAuth2 spec is surprisingly straightforward and readable; coupled with a basic understanding of the ABNF that is used in all RFCs, it was a joy to read and implement. And this understanding also stuck with me for many years and helped massively in my career :).