OAuth.com
Background
Getting Ready
Accessing Data in an OAuth Server
Create an Application
Setting up the Environment
Authorization Request
Obtaining an Access Token
Making API Requests
Signing in with Google
Create an Application
Setting up the Environment
Authorization Request
Getting an ID Token
Verifying the User Info
Server-Side Apps
Authorization Code Grant
Example Flow
Possible Errors
User Experience and Security Considerations
Single-Page Apps
Authorization
Example Flow
Implicit Flow for Single-Page Apps
Security Considerations for Single-Page Apps
Mobile and Native Apps
Authorization
Security Considerations
Making Authenticated Requests
Refresh Tokens
Client Registration
Registering a New Application
The Client ID and Secret
Deleting Applications and Revoking Secrets
Authorization
The Authorization Request
Requiring User Login
The Authorization Interface
The Authorization Response
Security Considerations
Scope
Defining Scopes
User Interface
Checkboxes
Redirect URLs
Redirect URL Registration
Redirect URLs for Native Apps
Redirect URL Validation
Access Tokens
Authorization Code Request
Password Grant
Client Credentials
Access Token Response
Self-Encoded Access Tokens
Access Token Lifetime
Refreshing Access Tokens
Listing Authorizations
Revoking Access
The Resource Server
OAuth for Native Apps
Use a System Browser
Redirect URLs for Native Apps
PKCE Extension
Checklist for Server Support for Native Apps
OAuth for Browserless and Input-Constrained Devices
User Flow
Authorization Request
Token Request
Authorization Server Requirements
Security Considerations
Protecting Apps with PKCE
Authorization Request
Authorization Code Exchange
Token Introspection Endpoint
Creating Documentation
Terminology Reference
Differences Between OAuth 1 and 2
Authentication and Signatures
User Experience and Alternative Token Issuance Options
Performance at Scale
Bearer Tokens
Short-lived tokens with Long-lived authorizations
Separation of Roles
OpenID Connect
Authorization vs Authentication
Building an Authentication Framework
ID Tokens
Summary
IndieAuth
Discovery
IndieAuth Sign-In Workflow
IndieAuth Authorization Workflow
Map of OAuth 2.0 Specs
Tools and Libraries
Appendix