tl;dr: OAuth 2.0

The prime goal of OAuth 2.0 is to let users, in their capacity as resource owners, grant clients limited access to resources they control. Resources reside on resource servers, which require an access token for access. Access tokens are issued by an authorization server. This is a departure from previous protocols, where a client would receive the user's credentials and could then impersonate the resource owner. Instead of users having to trust the client completely, they can, and should, limit the privileges they grant the client to those needed for the job at hand. This mitigates the risk of a malicious client and limits the impact of a client compromise. OAuth 2.0 defines 3 ways in which the client can prove its entitlement to access a resource: the Authorization Code Grant, the Implicit Grant and the Resource Owner Password Grant. It also defines a 4th grant type for the case where the client is also the resource owner: the Client Credentials Grant. The protocol in the first 3 grant types involves 5 parties, the reso…

Latest Posts

Externalising the Security Token Service and Identity Provider

Problems with Basic Authentication for REST services

Bearer tokens are susceptible to theft and what you can do about it

In the (back)end, JWT is all that matters

Protect your REST APIs with JWT tokens

API gates and fences

Technology stack for a static web site