Intimidated by OAuth? Here’s why you shouldn’t be

According to the OAuth website, “OAuth is the industry-standard protocol for authorization”, which focuses on simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

Because of the simplicity and the level of security it offers, it has emerged as the de facto standard protocol for protecting web APIs.

However, according to Matthias Biehl, author of “OAuth 2.0: Getting Started in Web-API Security”, a lot of developers are still intimidated by the protocol.

“[OAuth] requires a lot of different players, and a very dedicated way of interacting between those players,” Biehl says during an interview on Coding Over Cocktails, a podcast by Toro Cloud.

He further states that the intimidation can often stem from the fact that there are multiple channels that need to be authenticated: typically a UI-based interaction, as well as a back channel for API-based interaction.

This can add to the misconception that OAuth can be quite complicated to implement.

“It’s not,” Biehl replies.

“Maybe you need to get your head around it once, but I would say: don’t be afraid of the OAuth beast. It’s actually quite a good and well thought-out, practically proven protocol that we should all use more in our implementations on APIs,” he adds.

In order to have a better understanding of OAuth and its flows, Biehl advises developers to look at several resources around it, including this OAuth Cheat Sheet he developed at API University.

“Nowadays, I think there are excellent libraries that you can use as a programmer that get you around a lot of these difficult parts, and they already incorporate all the best practices. So, instead of trying to code the protocol yourself from the start, use something that’s already out there.”

Understanding OAuth

The key to understanding OAuth is… literally a “key”.

Instead of handing over passwords, OAuth provides users with an “access token” that grants them access to websites or applications.

Biehl explains that OAuth works like checking in to a hotel with keycard access.

“When you check into a hotel, you don’t get handed out the master key to all the rooms, right? That is kept secret and only a few people can hold that. But when you check into a hotel, you get a key card that’s programmable, and that gives you access to the front door, to your own room and not to any other room in the big house. It also gives you access only for a specific time period, right? And afterwards, I mean, maybe you would leave it in your pocket. You come back a year later, it won’t work because it is bound — and that’s basically what OAuth brought.” Matthias illustrates.

The OAuth 2.0 Authorization Framework also supports several ways to obtain these access tokens, called “flows”.

While there are several flows that can be used depending on the use case, the main one is called the “Authorization Code Flow”.

“What you do in an authorization code flow is, number one: the client requests an authorization code on the authorization endpoint; then, there you have the end user in the loop. The end user usually authenticates by logging in with biometrics, with a password, and so forth.”

“Then, as an outcome of that, the client, the app, receives a so-called authorization code on the redirect endpoint. And with this intermediate code, it can then request an OAuth access token using a back channel — using an API called directly on the OAuth server. Now, when this comes back, the access token has to be validated and then it can be used in order to access those resources,” he explains.
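The two channels Biehl describes, shown end to end as an added example (not code from the article or from Biehl's cheat sheet): a stand-in authorization server issues a single-use code on the front channel, and the client redeems it on the back channel. The client id, secret, endpoint names and user "alice" are constructed for the example; the `state` parameter is what ties the redirect back to the session that started the flow.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration for the example; not a real deployment.
CLIENT_ID, CLIENT_SECRET = "demo-app", "demo-secret"
REDIRECT_URI = "https://app.example/callback"

def _query(url):  # flatten a URL's query string into a dict (first value per key)
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthServer:  # stand-in authorization server: issues one-time codes, redeems them on the back channel
    def __init__(self):
        self.codes = {}
    def authorize(self, query, user):
        # Front channel: the end user has just logged in. Bind a short-lived, single-use
        # code to the client, redirect_uri and user that requested it.
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": query["redirect_uri"],
                            "user": user, "exp": time.time() + 60}
        return f"{query['redirect_uri']}?{urlencode({'code': code, 'state': query['state']})}"
    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: the code is consumed here and must match the original request.
        rec = self.codes.pop(code, None)
        if (rec is None or client_secret != CLIENT_SECRET or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri or rec["exp"] < time.time()):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": rec["user"]}

class Client:  # the app: starts the flow, then checks the redirect before trading the code for a token
    def __init__(self, server):
        self.server, self.pending = server, set()
    def authorization_url(self):
        state = secrets.token_urlsafe(16)  # binds the redirect back to this browser session
        self.pending.add(state)
        return "https://auth.example/authorize?" + urlencode(
            {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
             "scope": "profile", "state": state})
    def handle_redirect(self, url):
        q = _query(url)
        if q.get("state") not in self.pending:  # forged or replayed callback
            raise PermissionError("state mismatch")
        self.pending.discard(q["state"])
        return self.server.token(CLIENT_ID, CLIENT_SECRET, q["code"], REDIRECT_URI)

def run_flow(user="alice"):
    """Drive one complete exchange; returns (client, redirect_url, token) for inspection."""
    server = AuthServer(); client = Client(server)
    redirect = server.authorize(_query(client.authorization_url()), user)  # login happened here
    return client, redirect, client.handle_redirect(redirect)
```

Replaying the same redirect URL a second time fails, because the state was consumed by the client and the code by the server.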

OAuth for Microservices

Now that we’ve established how OAuth is mostly utilized for public-facing APIs, can we also use the protocol for east-west configurations, such as between microservices?

“Definitely… but you need to tweak it a little bit differently depending on how you want to use it.” Biehl says.

“If you have this East-West type of interaction, then you typically want to have a distributed architecture. You don’t want to have any central points, any bottlenecks in your architecture, and you should not really have a reference token because a reference token can only be decoded basically in one point in the whole architecture.”

In addition, he explains the concept of a “value token” that’s used for this specific case.

“You can decode this [value] token and see what are the access rights, who is the user and in a very decentralized way, each microservice can decode it and work with that token. And then of course, you can bring both of these patterns basically together, where you have a north-southbound interaction to the outside world, you translate to, say, the reference token that you give out to a value token, that you can then use inside in your microservice architecture.” Biehl adds.
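The two token patterns Biehl contrasts, as an added example that is not part of the article: a reference token is opaque and can only be resolved by the issuer's store, whereas a value token carries signed claims that any microservice can verify locally. The gateway function translates one into the other, as he describes for the north-south boundary. The HMAC key, the in-memory store and the scope names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key and store for the example; a real deployment would use a key the issuer
# controls (ideally asymmetric, so services hold only the public half).
VALUE_TOKEN_KEY = b"example-shared-hmac-key"
_reference_store = {}  # reference token -> claims; only the issuer can look these up

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_reference_token(user, scopes, ttl=3600):
    """North-south: hand out an opaque token; its meaning lives only in the issuer's store."""
    token = secrets.token_urlsafe(32)
    _reference_store[token] = {"sub": user, "scope": scopes, "exp": time.time() + ttl}
    return token

def introspect(reference_token):
    """The one place a reference token can be resolved: a central lookup, hence a bottleneck."""
    claims = _reference_store.get(reference_token)
    if claims is None or claims["exp"] < time.time():
        return None
    return claims

def to_value_token(reference_token):
    """Gateway step: translate the reference token into a self-contained, signed value token."""
    claims = introspect(reference_token)
    if claims is None:
        raise PermissionError("unknown or expired reference token")
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(VALUE_TOKEN_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_value_token(value_token, required_scope):
    """East-west: any microservice checks signature, expiry and scope locally, no round trip."""
    body, _, sig = value_token.partition(".")
    expected = _b64(hmac.new(VALUE_TOKEN_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time() or required_scope not in claims["scope"]:
        return None
    return claims
```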

Learn more about OAuth with Biehl in this episode of Coding Over Cocktails — a podcast by Toro Cloud.

Coding Over Cocktails is a podcast created by Toro Cloud, a company that offers a low-code, API centric platform for application development & integration.

This podcast series tackles issues faced by enterprises as they manage the process of digital transformation, application integration, low-code application development, data management, and business process automation. It’s available for streaming in most major podcast platforms, including Spotify, Apple, Google Podcasts, SoundCloud, and Stitcher.
