OAuth recently shared details around the ongoing effort to create a next-generation protocol based on years of knowledge and experience with OAuth 2. This new specification would encompass many more use cases than OAuth originally set out to solve, and while it’s still in its early stages of development, you can get involved by joining the IETF Working Group or attending OAuth events.
Although the thought of OAuth 3.0 is exciting stuff, OAuth 2 is the industry standard, so we recently interviewed Aaron Parecki, author of the book OAuth 2.0 Simplified, to learn about some of OAuth 2.0’s hidden secrets.
A few highlights from that interview:
- OAuth was created because of the problems third-party apps had accessing APIs.
- OAuth 2.0 is a complete rewrite of OAuth 1.0 from the ground up, sharing only overall goals and general user experience.
- Authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.
- Don’t build your own OAuth server!
- PKCE is the most secure way to do authorization code grants.
- “Short token lifetimes” means reducing the window where the validation may be wrong.
- When using PKCE the authorization server has the opportunity to deny requests that don’t use PKCE.
Check out the full interview…