The Internet is a thriving and dynamic ecosystem. Living and playing within this ecosystem are many world-class services, all offering world-class technologies. Think about the massive social graph that Facebook hosts, the most up-to-date mapping system proudly owned and operated by Google, or the ever-growing professional network that is available from LinkedIn. All of these companies, and more, are presenting their world-class technologies for the world to use!
Until recently, it was very difficult to access these technologies in your own applications. Each company would create their own protocols for how to access and leverage their respective technologies. You may have heard of Yahoo!'s BBAuth, or Google's AuthSub. These are just a couple of examples of proprietary protocols created to allow people to leverage these company's services. Unfortunately, the trend of creating and using proprietary protocols just doesn't scale. Enter OAuth 2.0.
OAuth 2.0 is an open protocol for delegating authorization to such services, and it has become the standard authorization protocol used by companies around the world. It allows developers like you and I to access these world-class technologies and use them in our own applications! It is a fascinating problem space with an equally fascinating and elegant solution.
I've been lucky enough to work in the Identity space for the past 7 years, and during this time, I've been able to witness the evolution and progression of this protocol. Mastering OAuth 2.0 is an attempt at distilling the most important parts of the protocol, including design and usage. With a hard focus on practicality and security, this book focuses on the parts of integration that will give application developers like you and I the most benefit and mileage.
As OAuth 2.0 continues to gain adoption, and more and more services become available for developers to integrate with and leverage, I'm hoping that this book will allow you to be able to comfortably dive in and start building the next generation of world-class applications and technologies!
Chapter 1, Why Should I Care About OAuth 2.0?, introduces the OAuth 2.0 protocol, and discusses its purpose, prevalence, and importance.
Chapter 2, A Bird's Eye View of OAuth 2.0, takes a high-level look at the OAuth 2.0 protocol and the different workflows it describes.
Chapter 3, Four Easy Steps, enumerates the simple steps necessary to integrate with a service provider using the OAuth 2.0 protocol.
Chapter 4, Register Your Application, details the first of these four steps which covers registering your application with the service provider.
Chapter 5, Get an Access Token with the Client-Side Flow, discusses the complicated topic of gaining access to a protected resource from what we call an untrusted client.
Chapter 6, Get an Access Token with the Server-Side Flow, discusses the complicated topic of gaining access to a protected resource from what we call a trusted client.
Chapter 7, Use Your Access Token, outlines the process for exercising access to a resource once it has been granted to you.
Chapter 8, Refresh Your Access Token, talks about the process of refreshing your access once it expires.
Chapter 9, Security Considerations, discusses the many important security considerations to be made in your application. This is an important topic for any application, but is especially important given the power that this protocol allows.
Chapter 10, What About Mobile?, is a chapter dedicated to the topic of mobile devices, including phones and tablets, and all of the considerations that come with it.
Chapter 11, Tooling and Troubleshooting, talks about how to troubleshoot issues with your integration as well as how to appropriately handle errors so as to minimize user interaction.
Chapter 12, Extensions to OAuth 2.0, looks at the various ways OAuth 2.0 can be extended to satisfy a multitude of use cases.
Appendix A, Resource Owner Password Credentials Grant, takes a look at one of the supplemental supported flows in the book.
Appendix B, Client Credentials Grant, takes a look at another of the supplemental supported flows in the book.
Appendix C, Reference Specifications, enumerates the various open specifications that are referenced throughout the book.
To create the sample applications described in this book, you will need Java 8, Apache Maven 3, a modern web browser (such as Google Chrome, Microsoft Edge, or Mozilla Firefox), and a text editor of your choice. Several libraries and command-line utilities will be utilized as well, including JQuery, Apache HTTPClient, and cURL. A basic understanding of programming and OAuth is recommended.
This book is written for application developers, software architects, security engineers, and casual programmers alike, looking to leverage the power of OAuth 2.0 in their own services and applications. It covers basic topics such as registering your application and choosing an appropriate workflow, and advanced topics such as security considerations and extensions to the specification. This book has something for everyone.
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "Open up your favorite HTML editor and create a new file, index.html
, place it where index.jsp
was."
A block of code is set as follows:
function makeRequest() { // Define properties var AUTH_ENDPOINT = "https://www.facebook.com/dialog/oauth"; var RESPONSE_TYPE = "token"; var CLIENT_ID = "wmiig-550106"; var REDIRECT_URI = "http://wmiig.com/callback.html"; var SCOPE = "public_profile user_posts";
Any command-line input or output is written as follows:
sudo mvn -Dmaven.tomcat.port=80 -Dmaven.tomcat.path=/ tomcat:run
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Save the file, reload your page, and click on Go! again."
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail <[email protected]>
, and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
You can download the example code files from your account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]>
with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
If you have a problem with any aspect of this book, you can contact us at <[email protected]>
, and we will do our best to address the problem.