Getting Started with OAuth 2.0: Programming Clients for Secure Web API Authorization and Authentication

Whether you develop web applications or mobile apps, the OAuth 2.0 protocol will save a lot of headaches. This concise introduction shows you how OAuth provides a single authorization technology across numerous APIs on the Web, so you can securely access users’ data—such as user profiles, photos, videos, and contact lists—to improve their experience of your application.

Through code examples, step-by-step instructions, and use-case examples, you’ll learn how to apply OAuth 2.0 to your server-side web application, client-side app, or mobile app. Find out what it takes to access social graphs, store data in a user’s online filesystem, and perform many other tasks.

Understand OAuth 2.0's role in authentication and authorization
Learn how OAuth's Authorization Code flow helps you integrate data from different business applications
Discover why native mobile apps use OAuth differently than mobile web apps
Use OpenID Connect and eliminate the need to build your own authentication system

104 pages, Kindle Edition

First published December 30, 2011

About the author

Ryan Boyd

7 books

Ratings & Reviews

Community Reviews

5 stars
25 (12%)
4 stars
74 (37%)
3 stars
76 (38%)
2 stars
19 (9%)
1 star
4 (2%)
Displaying 1 - 22 of 22 reviews
Eslam Hamouda
1 review, 25 followers
October 1, 2014
One of the most helpful short guided books I have ever read; once I opened it I couldn't put it down until I finished.
It's very informative and straightforward, with great real-life examples of Facebook & Google scenarios; also, the PHP implementation is very clear and could be achieved easily in any other language.
379 reviews, 10 followers
June 2, 2012
Abandoned because I found it disjointed.
It tries to start by explaining the internals of OAuth2, but takes for granted that the reader knows the internals of other authentication systems.
Then it moves on to bland code examples, without ever explaining the general scheme and the use cases of the various types of authentication.

Read it only if you know OAuth1, OpenID or other similar systems well; otherwise you can probably find something better online.
Jörn Dinkla
Author of 1 book, 2 followers
February 10, 2023
Not a "Getting Started" book. In Chapter 1 the section "The Great Debate over Signatures" is not understandable for beginners and should be in an appendix. The following sections are also not beginner friendly. An introduction should start with a simple example and extend it step by step...
Sandeep
22 reviews
July 31, 2017
Good introductory material for OAuth flows and OpenID concepts.
Guillermo Rodas
9 reviews, 9 followers
November 28, 2018
The book is great as an introduction, but it is a little old; it should have modern examples.
Amanda
118 reviews
January 11, 2019
This is a short overview of OAuth 2.0; however, it covers most topics broadly and does not go in depth with code samples or how to implement OAuth 2.0.
Ethan J.
356 reviews, 11 followers
February 25, 2024
Too basic.... it's for how-tos, but not designs. The author is not a software architect but a developer advocate, so I'm not the best audience.
D Schmudde
50 reviews, 9 followers
May 28, 2022
The full original review is available here.

The OAuth 2.0 specification has not gone under a major revision since it was introduced ten years ago. But the development community remains active. New security and accessibility concerns have arisen in the last decade: the community now advises against using two of the authorization flows in the original specification and they have developed several notable OAuth extensions.

I didn’t expect Getting Started with OAuth 2.0 (2012) to age well when I sat down to read it. Books on specific implementations never do. But older books in programming and computer science that explain the “why behind the how” can be enlightening. Getting Started with OAuth 2.0 is essentially a how-to book, so there isn’t much here for the contemporary reader.

The Why

We don’t want everyone’s identity to be centralized on someone else’s server. This objective is difficult to achieve because, as Moxie Marlinspike explained, people don’t want to run their own servers.

OAuth can be used to authorize access to identity assets between servers. The standard is a step towards a more decentralized identity standard.

Before a person is able to authorize access, they must prove that the request is authentic. The process of authentication can be done with the familiar username and password pair. OAuth doesn’t help here, but it can be coupled with something like OpenID Connect. The combination of the two essentially federates the verification of identity and the sharing of privileged information.

The How

Many of the example API calls in the book are not very helpful. And some are now downright problematic. For example, Getting Started with OAuth 2.0 shows its age when going through the Implicit Flow step-by-step, which is now considered insecure and not recommended.

But the author’s expertise is never in question. Specific insights remain valuable. For example:

When implementing OAuth 2.0, calling any APIs, or using a library, you should verify that it properly handles SSL/TLS certificate chain validation by doing the following things:
Checking that the hostname on the certificate returned by the server matches the hostname in the URL being accessed
Verifying that each certificate in the chain properly chains up to a valid and trusted certificate authority (CA)
Ensuring that the certificate authority bundle on your server is secure and not able to be modified by potential


and


Typically the refresh token is stored securely in a server-side database, associated with the user account. Access tokens can also be stored in a database, but they may also be cached in a server-side session to improve performance.


Ryan Boyd deftly explains the reason the OAuth spec calls for both long-lived access tokens and short-lived refresh tokens. An access token is sent to an API along with a request for some information. That API service might have access to several different scopes of information - a person’s calendar, their eMail inbox, etc… - but use only one access token. If the API service is compromised, the “blast radius” of this access token can encompass quite a bit of information.

However, the access token expires relatively quickly and will become worthless when it does. The refresh token provides a way for the service to provide continuous access to the API; it permits the service to issue a new access token. If the attacker only has one-time access, the refresh token won’t be useful in a different context.

There is another benefit to these short-lived access tokens. Boyd points out that many implementations forgo checking OAuth every time an access token is used to grab a resource. It is faster to cache an access token in the system and verify it against an encrypted access token string sent in an HTTP request. If the system administrators are not careful, this can lead to inconsistencies in the system if a user revokes an access token using OAuth. Programmers should be careful to guard against this, but if a mistake does happen, the access token will expire and another one will not be issued.

These are all great insights, but they are scattered between page after page of implementation details. The book offers lots of “how” but very little “why”. This amounts to a fine cookbook but the reader should not expect to learn much about how to cook.
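The caching inconsistency and expiry backstop that the review above describes, as an added example that is neither the book's nor the reviewer's code: a constructed in-memory toy in Python with an authorization server that issues short-lived access tokens and revocable refresh grants, and a resource server that caches introspection results. All class, method and parameter names are assumptions; the point it shows is that a cached entry can keep accepting a revoked token for a while, but bounding the cache by the token's own expiry caps that window, and a revoked grant can no longer be refreshed.

```python
import secrets
from collections import namedtuple

AccessToken = namedtuple("AccessToken", "value scopes expires_at")  # expires_at: absolute seconds

class AuthorizationServer:
    """Constructed stand-in for an OAuth 2.0 authorization server (toy, in-memory)."""
    def __init__(self, access_lifetime=600):
        self.access_lifetime = access_lifetime
        self._access = {}   # access token value -> AccessToken
        self._refresh = {}  # refresh token -> (scopes, current access token value)
    def _mint(self, scopes, now):
        tok = AccessToken(secrets.token_urlsafe(16), frozenset(scopes), now + self.access_lifetime)
        self._access[tok.value] = tok
        return tok
    def issue(self, scopes, now):
        tok, rt = self._mint(scopes, now), secrets.token_urlsafe(16)
        self._refresh[rt] = (tok.scopes, tok.value)
        return tok, rt
    def refresh(self, rt, now):
        """Mint a new access token only while the grant is still live."""
        if rt not in self._refresh:
            return None
        tok = self._mint(self._refresh[rt][0], now)
        self._refresh[rt] = (tok.scopes, tok.value)
        return tok
    def revoke_grant(self, rt):
        """User revocation kills the refresh token and its current access token."""
        entry = self._refresh.pop(rt, None)
        if entry:
            self._access.pop(entry[1], None)
    def introspect(self, value, now):
        tok = self._access.get(value)
        return tok if tok and now < tok.expires_at else None

class ResourceServer:
    """Caches introspection results, so a revocation lags until the cache entry or the token expires."""
    def __init__(self, auth_server, cache_ttl):
        self.auth_server, self.cache_ttl = auth_server, cache_ttl
        self._cache = {}  # token value -> (AccessToken, cache_expires_at)
    def allows(self, value, scope, now):
        hit = self._cache.get(value)
        if hit is None or now >= hit[1]:
            tok = self.auth_server.introspect(value, now)
            if tok is None:
                self._cache.pop(value, None)
                return False
            # Never cache past the token's own expiry: that bounds the stale window.
            hit = self._cache[value] = (tok, min(now + self.cache_ttl, tok.expires_at))
        return now < hit[0].expires_at and scope in hit[0].scopes
```

A shorter cache_ttl narrows the stale window further; the access token lifetime is the hard upper bound regardless of cache behaviour.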
Michael Koltsov
111 reviews, 70 followers
October 13, 2014
My major is information security, but since I graduated a lot of things have changed in the field of security. New crypto algorithms have emerged, and some perimeter security patterns have changed. I try to brush up my IS skills from time to time, because I still find security the most exciting (but not so valued by the managers) thing in IT for me.
This book is not an exception. I've been using an open source library which abstracts usage of OAUTH 2.0 and I was curious about the specs that this library is based on.

This book is the perfect destination if you've come for specs. It covers the oauth'12 draft verbosely. Though there are some code snippets written in PHP and Python (which was OK in 2012, but it's not in 2014 when JS is the most widespread language), they are so brief and out of scope of today's implementations that I'd suggest not using them at all.
Although the author is a Google employee, the book also covers some other (mostly Facebook's) implementations.
Shai Sachs
233 reviews, 6 followers
November 7, 2015
Despite having implemented my share of OpenID and OAuth consumers, I must confess that I find the whole morass of federated authentication and authorization protocols rather opaque and difficult to understand. This book does a pretty good job of clearing things up, and I think the examples are fairly concrete and well-done. Chapter 2 was definitely the most useful, and it walked through a typical authentication workflow really well. The remaining chapters felt a little perfunctory and rushed, and I thought the description of server-to-server authorization was a little lacking as a result. Chapter 1 was all right, but unfortunately a little disorganized and confusing; in particular I wish it had provided a better overview of the various types of tokens. All that said - for chapter 2 alone, I thought this book was well worth the read, and I definitely found it quite helpful in understanding OAuth.
15 reviews
November 8, 2014
This book is a good introduction to OAuth2. It's important to note that the author mentioned but didn't stress some of the aspects where OAuth can become insecure, such as validating certificates (at least he didn't stress them in big red bold letters:).

Definitely a good read if you're thinking of implementing OAuth in your company.
Tom Schulte
3,381 reviews, 73 followers
June 3, 2015
A very good overview of OAuth, its use cases and implementation examples in PHP and JavaScript. (C# or some .NET language should have been used, at least some of the time, IMO.) There is also a useful chapter on OpenID Connect. I think the overview of authentication vs. authorization is good for anyone considering API security models.
Stefan
125 reviews, 34 followers
November 24, 2013
Excellent, to-the-point overview of working with OAuth2. The best resource I've so far encountered for the topic.
Nttluke
4 reviews, 1 follower
August 9, 2014
A great book for those who already know OAuth and want to consolidate their skills. Not for newbies; good for intermediates.
Joel
104 reviews, 5 followers
May 14, 2016
Fantastic introduction to OAuth 2.0.
85 reviews, 17 followers
March 22, 2017
This book is a little on the old side, referencing specifications that were still very much in progress. Still, it is a good low-level introduction to the pieces of OAuth 2.0. I would love to see an updated edition that incorporates the changes of the last few years.