Getting Started with OAuth 2.0

Book Description

This book is an introduction to OAuth 2.0, an authentication and authorization protocol for the web. If you're a web application developer or mobile app developer, this book will show you the power of using OAuth to determine the identity of your users and get delegated access to their data to improve the user experience of your app. Use cases and code examples covering many popular APIs and identity providers are included.

Table of Contents

  - Getting Started with OAuth 2.0
  - SPECIAL OFFER: Upgrade this ebook with O’Reilly
  - A Note Regarding Supplemental Files
  - Preface
    1. Conventions Used in This Book
    2. Using Code Examples
    3. Safari® Books Online
    4. How to Contact Us
    5. Acknowledgments
  - 1. Introduction
    1. How OAuth Was Born
    2. Why Developers Should Care About OAuth
    3. Why Don’t These APIs Just Use Passwords for Authorization?
    4. Terminology
      1. Authentication
      2. Federated Authentication
      3. Authorization
      4. Delegated Authorization
      5. Roles
    5. The Great Debate over Signatures
      1. Mitigating Concerns with Bearer Tokens
      2. Signing Your OAuth 2.0 Requests
        1. Getting the key
        2. Making API requests
    6. Developer and Application Registration
      1. Why Is Registration Necessary?
    7. Client Profiles, Access Tokens, and Authorization Flows
      1. Client Profiles
      2. Access Tokens
      3. Authorization Flows
  - 2. Server-Side Web Application Flow
    1. When Should the Authorization Code Flow Be Used?
    2. Security Properties
    3. User Experience
    4. Step-by-Step
      1. Step 1: Let the user know what you’re doing and request authorization
        1. Error handling
      2. Step 2: Exchange authorization code for an access token
        1. Why both access tokens and refresh tokens?
      3. Step 3: Call the API
        1. Error handling
      4. Step 4a: Refresh the access token
      5. Step 4b: Obtaining a new access token
    5. How Can Access Be Revoked?
  - 3. Client-Side Web Applications Flow
    1. When Should the Implicit Grant Flow Be Used?
    2. Limitations of the Implicit Grant Flow
    3. Security Properties
    4. User Experience
    5. Step-by-Step
      1. Step 1: Let the user know what you’re doing and request authorization
        1. Error handling
      2. Step 2: Parsing the access token from the URL
      3. Step 3: Call the API
      4. Step 4: Refreshing the access token
    6. How Can Access Be Revoked?
  - 4. Resource Owner Password Flow
    1. When Should the Resource Owner Password Flow Be Used?
    2. Security Properties
    3. User Experience
    4. Step-by-Step
      1. Step 1: Ask the user for their credentials
      2. Step 2: Exchange the credentials for an access token
      3. Step 3: Call the API
      4. Step 4: Refresh the access token
  - 5. Client Credentials Flow
    1. When Should the Client Credentials Flow Be Used?
    2. What APIs Support the Client Credentials Flow?
    3. How Does the Client Authenticate?
    4. Security Properties
    5. Step-by-Step
      1. Step 1: Exchange the application’s credentials for an access token
      2. Step 2: Call the API
    6. When the Access Token Expires
  - 6. Getting Access to User Data from Mobile Apps
    1. Why You Should Use OAuth for Native Mobile Apps
    2. What Flow Should Be Used for Native Mobile Apps?
      1. Do You Have a Mobile Backend Web Server for Your Application?
    3. The (Ugly) Web Browser
      1. Embedded WebView
      2. System Web Browser
    4. Enhanced Mobile App Authorization for Specific Providers
      1. For Google
      2. For Facebook
  - 7. OpenID Connect Authentication
    1. ID Token
    2. Security Properties
    3. Obtaining User Authorization
    4. Check ID Endpoint
    5. UserInfo Endpoint
    6. Performance Improvements
    7. Practical OpenID Connect
      1. For Google
      2. For Facebook
    8. OpenID Connect Evolution
  - 8. Tools and Libraries
    1. Google’s OAuth 2.0 Playground
    2. Google’s TokenInfo Endpoint
    3. Apigee’s Console
    4. Facebook’s Access Token Tool and Access Token Debugger
    5. Libraries
    6. Going Further
  - A. References
    1. Specifications
    2. Vendor Documentation
    3. Mailing Lists
    4. Misc
  - About the Author
  - SPECIAL OFFER: Upgrade this ebook with O’Reilly