An illustrated guide to OAuth

(www.ducktyped.org)

354 points egonschiele | 1 comments | 25 Aug 25 12:29 UTC | HN request time: 0.209s | source

Show context

gethly ◴[25 Aug 25 13:31 UTC] No.45013667[source]▶

I am implementing oauth right now, along with oidc. I must say that for such a simple concept, getting to the facts that help me to actually implement it is insanely hard. I have no idea why but everywhere i look it just seems like it only scratches the surface and you get no tangible information that you can use to actually implement it in code. I ended up mostly browsing the specs and grok was insanely helpful to explain meaning of various things where information was lacking or buried deep in documentation/specifications. I would say this was the first time where i actually appreciated these new "AIs", which i don't use at all.

replies(15): >>45013786 #>>45014191 #>>45014923 #>>45014925 #>>45015705 #>>45016116 #>>45016464 #>>45016521 #>>45016761 #>>45017703 #>>45017714 #>>45018132 #>>45018714 #>>45019295 #>>45021989 #

caseysoftware ◴[25 Aug 25 19:10 UTC] No.45017714[source]▶

>>45013667 #

Yes, 100% agreed.

I launched and worked on OAuth 2.0 at Okta for ~5 years and spent most of my time showing people how to do it well and (gently) finding the holes and mistakes in their implementations. Sure, we were selling "OAuth as a Service" but most had introduced usability problems (at minimum) and gaping security vulns (at worst).

For a deep dive, check out Aaron Parecki's book: https://oauth2simplified.com/ - he's deeply involved in the (coming) OAuth 2.1

When I led re-implementation at pangea.cloud over the last couple years, we dropped most of the capabilies deprecated in 2.1 (resource owner password, implicit) and went straight to Auth Code with PKCE to make it a bit more manageable.

I walk through that progression/simplication here: https://speakerdeck.com/caseysoftware/the-many-layers-of-oau...