Going Further

In this Getting Started book, we have given you an overview of how OAuth 2.0 works for obtaining authorized access to user data and why it matters for both security and user productivity. As an application developer, you should now understand the different authorization flows available and how to choose between them when an API provider supports more than one. We’ve also introduced OpenID Connect, discussed how it builds on top of the OAuth 2.0 protocol to enable user authentication, and covered some of the security properties that distinguish authentication from authorization. We hope the protocol-level foundation provided by this book will make you a better developer, even if you end up using libraries that abstract many of the details.

As you use OAuth 2.0 in your application, there are additional considerations you should take into account to optimize user experience and performance. When getting access to a user’s data, you should explore how requests for different levels of access and the timing of those requests affect approval rates. When authenticating users with OpenID Connect, you should think about which identity providers to support, how you deal with users who have accounts on multiple identity providers, how to improve sign-in performance by decoding the id_token JWT, and other potential factors that could decrease customer service tickets.
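The id_token point above deserves a concrete illustration, because decoding a JWT locally only saves a round trip safely if the client also validates it. The following is an added example, not code from the book or from any identity provider; it assumes the provider signs id_tokens with HS256 using the client secret (one of the options OpenID Connect permits), and the issuer URL, client ID, secret, nonce and the helper names (`mint_id_token`, `validate_id_token`, `id_token_problem`) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; a real deployment takes them
# from the provider's discovery document and the client registration.
ISSUER = "https://idp.example.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = b"example-client-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Stand-in for the identity provider: build an HMAC-SHA256 signed JWT.
    The alg parameter only controls the header value, so the test can show
    what happens when a token claims an algorithm the client does not expect."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, *, secret: bytes = CLIENT_SECRET,
                      issuer: str = ISSUER, client_id: str = CLIENT_ID, now=None) -> dict:
    """Return the claims if the id_token is acceptable, otherwise raise ValueError.
    Checks follow the OpenID Connect Core rules: signature, iss, aud, exp, nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm the client expects; never let the token choose it.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))

    # Verify the signature before trusting anything in the payload.
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if "sub" not in claims:
        raise ValueError("missing subject")
    return claims


def id_token_problem(token: str, expected_nonce: str, **kwargs):
    """Convenience wrapper: the validation error message, or None if valid."""
    try:
        validate_id_token(token, expected_nonce, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    now = int(time.time())
    token = mint_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                           "iat": now, "exp": now + 300, "nonce": "n-1"})
    print(validate_id_token(token, "n-1")["sub"])
```

The ordering is deliberate: the algorithm check and signature verification come before any claim is read, so a forged payload never influences the `iss`, `aud` or `exp` comparisons. For RS256 tokens the same structure applies with the provider's published JWKS key in place of the shared secret, which is where a maintained JWT library earns its keep.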

We primarily focused on the perspective of acting as an OAuth client. Many application developers may wish to open ...
