What do you think?
Rate this book
OAuth 2 in Action
Summary
OAuth 2 in Action teaches you the practical use and deployment of this HTTP-based protocol from the perspectives of a client, authorization server, and resource server. You'll learn how to confidently and securely build and deploy OAuth on both the client and server sides. Foreword by Ian Glazer.
Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.
About the Technology
Think of OAuth 2 as the web version of a valet key. It is an HTTP-based security protocol that allows users of a service to enable applications to use that service on their behalf without handing over full control. And OAuth is used everywhere, from Facebook and Google, to startups and cloud services.
About the Book
OAuth 2 in Action teaches you practical use and deployment of OAuth 2 from the perspectives of a client, an authorization server, and a resource server. You'll begin with an overview of OAuth and its components and interactions. Next, you'll get hands-on and build an OAuth client, an authorization server, and a protected resource. Then you'll dig into tokens, dynamic client registration, and more advanced topics. By the end, you'll be able to confidently and securely build and deploy OAuth on both the client and server sides.
What's Inside
Covers OAuth 2 protocol and design
Authorization with OAuth 2
OpenID Connect and User-Managed Access
Implementation risks
JOSE, introspection, revocation, and registration
Protecting and accessing REST APIs
About the Reader
Readers need basic programming skills and knowledge of HTTP and JSON.
About the Author
Justin Richer is a systems architect and software engineer. Antonio Sanso is a security software engineer and a security researcher. Both authors contribute to open standards and open source.
Table of Contents
Part 1 - First stepsWhat is OAuth 2.0 and why should you care?
The OAuth dance Part 2 - Building an OAuth 2 environmentBuilding a simple OAuth client
Building a simple OAuth protected resource
Building a simple OAuth authorization server
OAuth 2.0 in the real world Part 3 - OAuth 2 implementation and vulnerabilitiesCommon client vulnerabilities
Common protected resources vulnerabilities
Common authorization server vulnerabilities
Common OAuth token vulnerabilities Part 4 - Taking OAuth furtherOAuth tokens
Dynamic client registration
User authentication with OAuth 2.0
Protocols and profiles using OAuth 2.0
Beyond bearer tokens
Summary and conclusions
OAuth 2 in Action teaches you the practical use and deployment of this HTTP-based protocol from the perspectives of a client, authorization server, and resource server. You'll learn how to confidently and securely build and deploy OAuth on both the client and server sides. Foreword by Ian Glazer.
Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.
About the Technology
Think of OAuth 2 as the web version of a valet key. It is an HTTP-based security protocol that allows users of a service to enable applications to use that service on their behalf without handing over full control. And OAuth is used everywhere, from Facebook and Google, to startups and cloud services.
About the Book
OAuth 2 in Action teaches you practical use and deployment of OAuth 2 from the perspectives of a client, an authorization server, and a resource server. You'll begin with an overview of OAuth and its components and interactions. Next, you'll get hands-on and build an OAuth client, an authorization server, and a protected resource. Then you'll dig into tokens, dynamic client registration, and more advanced topics. By the end, you'll be able to confidently and securely build and deploy OAuth on both the client and server sides.
What's Inside
Covers OAuth 2 protocol and design
Authorization with OAuth 2
OpenID Connect and User-Managed Access
Implementation risks
JOSE, introspection, revocation, and registration
Protecting and accessing REST APIs
About the Reader
Readers need basic programming skills and knowledge of HTTP and JSON.
About the Author
Justin Richer is a systems architect and software engineer. Antonio Sanso is a security software engineer and a security researcher. Both authors contribute to open standards and open source.
Table of Contents
Part 1 - First stepsWhat is OAuth 2.0 and why should you care?
The OAuth dance Part 2 - Building an OAuth 2 environmentBuilding a simple OAuth client
Building a simple OAuth protected resource
Building a simple OAuth authorization server
OAuth 2.0 in the real world Part 3 - OAuth 2 implementation and vulnerabilitiesCommon client vulnerabilities
Common protected resources vulnerabilities
Common authorization server vulnerabilities
Common OAuth token vulnerabilities Part 4 - Taking OAuth furtherOAuth tokens
Dynamic client registration
User authentication with OAuth 2.0
Protocols and profiles using OAuth 2.0
Beyond bearer tokens
Summary and conclusions
360 pages, Paperback
Published March 18, 2017
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 22 of 22 reviews
March 19, 2017
My relationship with this book came from hate to admiration:
* introduction into the basic flow of the protocol was one of the worst I've seen - in theory everything was in place, but it was VERY dry, didn't use any R-L examples, just the official taxonomy. It felt like reading a telephony directory. Or worse. Exactly one year ago I had to get myself intimately familiar with OAuth 2, so I was reading through all the available materials on the web - honestly, I've found many far better ones that this
* fortunately, the further into the wild, the better as this book doesn't leave you with protocol specification, you're getting a lot of info about the vulnerabilities & weak points of EVERY element of architecture - really, really good stuff
* book doesn't refer to any actual implementations, but I don't find it an issue
* all the code samples are in JavaScript (server-side code is Node-based), which in fact may be a bit confusing at some points
* there's a short, but nice chapter on "companion" protocols that cover OAuth2 - like Open ID Connect - it's very useful TBH
* unfortunately (aside from vulnerability analysis) there's nothing about long & detailed discussion regarding OAuth2 criticism that has popped out some time ago on the web (look for Eran Hammer-Lahav); there's also not much about JOSE criticism - quite a recent topic these days; you can also barely find any info on OAuth2 alternatives / equivalents available. Sadly.
In the end - it's 4 stars as an OAuth2 resource, but only 3 stars as a book as it's very, very, very burdensome to go through.
* introduction into the basic flow of the protocol was one of the worst I've seen - in theory everything was in place, but it was VERY dry, didn't use any R-L examples, just the official taxonomy. It felt like reading a telephony directory. Or worse. Exactly one year ago I had to get myself intimately familiar with OAuth 2, so I was reading through all the available materials on the web - honestly, I've found many far better ones that this
* fortunately, the further into the wild, the better as this book doesn't leave you with protocol specification, you're getting a lot of info about the vulnerabilities & weak points of EVERY element of architecture - really, really good stuff
* book doesn't refer to any actual implementations, but I don't find it an issue
* all the code samples are in JavaScript (server-side code is Node-based), which in fact may be a bit confusing at some points
* there's a short, but nice chapter on "companion" protocols that cover OAuth2 - like Open ID Connect - it's very useful TBH
* unfortunately (aside from vulnerability analysis) there's nothing about long & detailed discussion regarding OAuth2 criticism that has popped out some time ago on the web (look for Eran Hammer-Lahav); there's also not much about JOSE criticism - quite a recent topic these days; you can also barely find any info on OAuth2 alternatives / equivalents available. Sadly.
In the end - it's 4 stars as an OAuth2 resource, but only 3 stars as a book as it's very, very, very burdensome to go through.
September 30, 2021
This book is better than I expected.
Good points:
- Provide solid knowledge about OAuth components and grant_type
- Good cover for OAuth ecosystems, including PKCE, PoP, iGov, HEART, UMA.
- Security is emphasized.
- You can learn Javascript belongs with OAuth
Improvement points:
- I would like to have OAuth compare with other solutions
- Also want to know more about OAuth in Microservices and Enterprise.
Good points:
- Provide solid knowledge about OAuth components and grant_type
- Good cover for OAuth ecosystems, including PKCE, PoP, iGov, HEART, UMA.
- Security is emphasized.
- You can learn Javascript belongs with OAuth
Improvement points:
- I would like to have OAuth compare with other solutions
- Also want to know more about OAuth in Microservices and Enterprise.
May 14, 2019
The authors are competent and explain clearly and exhaustively all aspects of OAuth 2.0.
The book provides both a theoretical exposition of the concepts as well as a simple working Javascript/Node.js implementation of what is explained.
Recommended.
Part 1 is a very clear description of the purpose of OAuth, the delegation mechanism, all parties involved and any messages exchanged by the protocol. This part only describes the authorization code grant type.
Part 2 builds a Javascript/Node.js implementation of the three parties involved in OAuth 2.0: the client, the authorization server and the protected resource for the authorization code grant type.
Node.js and Express.js are a required knowledge. There is also some minor use of the Underscore and JQuery libraries. The code is downloadable but Appendix B has the most important parts of the code explained in the book.
The final chapter of this part reviews other grant types besides the authorization code grant type discussed and implemented up to now. It details when each alternative is applicable and provides the modifications needed to adapt the code in the previous chapters to the other grant types.
Part 3 enumerates known vulnerabilities of the protocol and possible attacks carried against each of the three parties and indicates possible ways to protect against each of these attacks.
Part 4 discusses various topics that are ancillary to the core OAuth 2.0 protocol but still of significant importance.
Firstly it introduces JSON Web Tokens (JWT) a standardized way to serialize a JSON object containing claims into a token that can be used in the OAuth 2.0 protocol to carry information, and that can be signed and encrypted to guarantee the needed security.
A chapter also describes the dynamic client registration protocol that allows servers to accept client registrations dynamically and clients to talk to arbitrary authorization servers without having to know each other beforehand.
Also important is the discussion of OpenID Connect: an authentication service built on top of OAuth 2.0.
The book provides both a theoretical exposition of the concepts as well as a simple working Javascript/Node.js implementation of what is explained.
Recommended.
Part 1 is a very clear description of the purpose of OAuth, the delegation mechanism, all parties involved and any messages exchanged by the protocol. This part only describes the authorization code grant type.
Part 2 builds a Javascript/Node.js implementation of the three parties involved in OAuth 2.0: the client, the authorization server and the protected resource for the authorization code grant type.
Node.js and Express.js are a required knowledge. There is also some minor use of the Underscore and JQuery libraries. The code is downloadable but Appendix B has the most important parts of the code explained in the book.
The final chapter of this part reviews other grant types besides the authorization code grant type discussed and implemented up to now. It details when each alternative is applicable and provides the modifications needed to adapt the code in the previous chapters to the other grant types.
Part 3 enumerates known vulnerabilities of the protocol and possible attacks carried against each of the three parties and indicates possible ways to protect against each of these attacks.
Part 4 discusses various topics that are ancillary to the core OAuth 2.0 protocol but still of significant importance.
Firstly it introduces JSON Web Tokens (JWT) a standardized way to serialize a JSON object containing claims into a token that can be used in the OAuth 2.0 protocol to carry information, and that can be signed and encrypted to guarantee the needed security.
A chapter also describes the dynamic client registration protocol that allows servers to accept client registrations dynamically and clients to talk to arbitrary authorization servers without having to know each other beforehand.
Also important is the discussion of OpenID Connect: an authentication service built on top of OAuth 2.0.
September 1, 2022
This is probably a one of the cleanest technical books I've ever read. Well done!
What I liked:
- It's just about OAuth2 protocol. In other words, it's narrowly specialized. I appreciate it. All the topics were sufficiently explained. I haven't experienced a feeling of "knowledge gap" anywhere while reading.
- I finally got the clear answers for all of my questions about OAuth2. The authors have done a great job in describing what OAuth2 is (according to the standard and RFCs) and what is not (also, when this protocol is a good fit and when is not)
- Provider implemntation agnosticism. The examples and the project we are building while reading the book have no depenendencies on any specific provider implementation. Just pure JavaScript and no external libraries.
- Side topics (security, JWT, JOSE, OpenID etc.) have been seamlessly embedded in the OAuth domain.
- Rare but super accurate (at least for me!) sense of humor :)
What I didn't like:
- The last two chapters were little fuzzy. In chapter 14, the protocols built on top of OAuth2 were US specific. Chapter 15, on the other hand, described the potential path of evolving OAuth.
I believe that we need more books written in that way. A standarized knowledge provided by the authors that have much experience in a specific area. No frothing and a clear message at the end!
Cheers :)
What I liked:
- It's just about OAuth2 protocol. In other words, it's narrowly specialized. I appreciate it. All the topics were sufficiently explained. I haven't experienced a feeling of "knowledge gap" anywhere while reading.
- I finally got the clear answers for all of my questions about OAuth2. The authors have done a great job in describing what OAuth2 is (according to the standard and RFCs) and what is not (also, when this protocol is a good fit and when is not)
- Provider implemntation agnosticism. The examples and the project we are building while reading the book have no depenendencies on any specific provider implementation. Just pure JavaScript and no external libraries.
- Side topics (security, JWT, JOSE, OpenID etc.) have been seamlessly embedded in the OAuth domain.
- Rare but super accurate (at least for me!) sense of humor :)
What I didn't like:
- The last two chapters were little fuzzy. In chapter 14, the protocols built on top of OAuth2 were US specific. Chapter 15, on the other hand, described the potential path of evolving OAuth.
I believe that we need more books written in that way. A standarized knowledge provided by the authors that have much experience in a specific area. No frothing and a clear message at the end!
Cheers :)
February 8, 2020
It's 2020 and I need to implement OAuth 2 for an application that will act as a client and integrate with providers.
I've read articles, guides, and numerous explanations and feel I've got a good grasp.
Then, after a reference from a collegue, I pick up this book up to see if there's anything here that I might of missed and I'm amazed at how much more there is!
The two authors of the book have an impressive knowledge and a serious ability at taking a complex subject and explaining it.
Using a simple example application they guide you through creating a client and an oauth provider explaining in detail how the two interact and why.
In the middle of the book is a long and detailed discussion on the risks and vulnerabilities of the framework with ways to avoid them.
It then ends on ways to expand the framework, adding more security, and using it for authorisation.
It's the source of truth on OAuth 2 for developers and if you, or your team are tasked with implementing or interacting with it, then it's essential you pick up a copy.
I've read articles, guides, and numerous explanations and feel I've got a good grasp.
Then, after a reference from a collegue, I pick up this book up to see if there's anything here that I might of missed and I'm amazed at how much more there is!
The two authors of the book have an impressive knowledge and a serious ability at taking a complex subject and explaining it.
Using a simple example application they guide you through creating a client and an oauth provider explaining in detail how the two interact and why.
In the middle of the book is a long and detailed discussion on the risks and vulnerabilities of the framework with ways to avoid them.
It then ends on ways to expand the framework, adding more security, and using it for authorisation.
It's the source of truth on OAuth 2 for developers and if you, or your team are tasked with implementing or interacting with it, then it's essential you pick up a copy.
June 9, 2017
Overall, this was good coverage of the OAuth Protocol, it was informative of the different areas and helpful for understanding weaknesses and walking through the "dance". I expect this one to stay on my shelf as a reference going forward.
A few notes that kept it from being 5 stars:
1) Most importantly was the fact that there was no caution put in the literature around JOSE and JWT. Given the timing of the book, the dangers around poorly implementing those protocols should have been present. I view this as a significant oversight.
2) The code samples, while helpful were hard to navigate and know what you needed to do as part of the exercise, it might be for the best in that I actually had to read all of the code to be sure I understood, it became frustrating.
3) It felt overly verbose at times throughout the book.
A few notes that kept it from being 5 stars:
1) Most importantly was the fact that there was no caution put in the literature around JOSE and JWT. Given the timing of the book, the dangers around poorly implementing those protocols should have been present. I view this as a significant oversight.
2) The code samples, while helpful were hard to navigate and know what you needed to do as part of the exercise, it might be for the best in that I actually had to read all of the code to be sure I understood, it became frustrating.
3) It felt overly verbose at times throughout the book.
May 30, 2017
Not a very thrilling cover-to-cover read, but definitely an excellent textbook on OAuth 2 that will cover pretty much all the scenarios anyone could possibly be trying to implement with OAuth.
I would recommend this to people who need information on OAuth 2 for an actual implementation case (this book will definitely cover the situation you are in), but I wouldn't recommend it as a book you might read just to gain some more knowledge (unless you have masochistic tendencies).
I was very happy that the book went into a lot of detail, but it also felt slightly unnecessary and made at times made it feel as if OAuth is a lot more complex than it actually is.
Either way, I'm leaving this book on my work shelf and I am sure the day will come where it will become indispensable.
I would recommend this to people who need information on OAuth 2 for an actual implementation case (this book will definitely cover the situation you are in), but I wouldn't recommend it as a book you might read just to gain some more knowledge (unless you have masochistic tendencies).
I was very happy that the book went into a lot of detail, but it also felt slightly unnecessary and made at times made it feel as if OAuth is a lot more complex than it actually is.
Either way, I'm leaving this book on my work shelf and I am sure the day will come where it will become indispensable.
June 10, 2024
An excellent book about OAuth2, even though it was written in 2017. The book does a perfect job explaining what OAuth 2.0 is all about, with detailed diagrams and concrete implementation examples around the three roles: client, authorization server, and protected resources. These examples clearly demonstrate the workflow of the entire process. Additionally, the fourth section covers extensions on top of OAuth, including OpenID Connect, POP token, UMA, and more, bridging the knowledge gap between OAuth itself and its wider adoption across the industry.
Personally, I went from being a novice who had only heard the terms to feeling super confident about the technology and how to explore it further after reading this book.
Personally, I went from being a novice who had only heard the terms to feeling super confident about the technology and how to explore it further after reading this book.
September 29, 2020
OAuth2 in action is a fantastic walk-through of the OAuth2 delegation protocol, aiming at developers and implementers. The way Justin guides the reader through the "do and don't" of OAuth2 is always balanced and full of practical advices. You won't certainly venture in building your own OAuth2 client or server, but knowing the ins and outs of OAuth2 is absolutely a must to work proficiently with any vendor's SDK when the time comes.
November 27, 2017
Just read this vs geting confused on the internet. Part 2 takes you through building a sample client, auth server and resource using plain NodeJS/Express.
Code along and this will stick with you much better.
Part3 and 4 - i just rushed through because I felt that the content was getting into the weeds. But worth a pass through
Code along and this will stick with you much better.
Part3 and 4 - i just rushed through because I felt that the content was getting into the weeds. But worth a pass through
December 23, 2023
Great reference about OAuth2, this book helped me get the big picture and answered the questions I had.
I can recommend this as a "one-stop shop" for everything related to OAuth2. Before reading this book I tried to cover the gaps in my knowledge by reading short articles or watching video tutorials - that didn't work well in my case.
I can recommend this as a "one-stop shop" for everything related to OAuth2. Before reading this book I tried to cover the gaps in my knowledge by reading short articles or watching video tutorials - that didn't work well in my case.
April 5, 2018
This isn’t a particular fun book to read as it is very technical, but it does a great job at clearly explaining what OAuth2 is, what it can be used for and how it relates to standards built on top of it, like OIDC.
October 13, 2022
I thoroughly enjoyed reading this book. Creating all the oAuth components from scratch was an eye opening, along with the threats and risks associated while creating these components for a production app.
December 31, 2022
Very clear and simple introduction to oauth2. Constructs a bunch of simple examples using nodejs to show typical authorization workflows. Plenty of references to the relevant rfc memos (in fact I think the author may have been involved in writing at least one of them).
March 23, 2024
This book not only explains what OAuth is but shows the intention of the framework, explains each flow in thorough way. It touches on JWKS, JOSE, JWTs, etc.
I have never enjoyed a security book like I enjoyed this one!
I have never enjoyed a security book like I enjoyed this one!
April 22, 2018
Tough read, sometimes dry, but in depth and with real world examples.
March 14, 2020
A very good introduction to OAuth2 with very intuitive and well designed exercises.
My first practical programming book, that i looked forward to reading.
My first practical programming book, that i looked forward to reading.
December 29, 2022
Very fine in terms of explanation. Most of concepts presented are in my known knowledge. However, I highly recommend anyone who didn't know Oauth 2 reading it.
August 15, 2023
The oauth 2 book, a must read.
December 25, 2023
I found it hard to read, and not that useful for building a client that requires authentication. Maybe I’m not the right audience, but it was difficult to digest.
January 1, 2023
Fantastic book by all measures!.
The various different parts of this complex protocol and its subcomponents are explained very thoroughly and easily make you understand how it's implemented, and it's role in the OAuth dance(as the book refers to it)
The book shines in where you build all of the subcomponents in the protocol. Which is enough to give a solid understanding of how things are, and how you can implement them. The code examples shown however, were using outdated JavaScript syntax. ECMAScript seems to not have been acknowledged, which is my only point in reading this book, the code samples were not the best, and i wouldn't write mine in the same way.
It backs away to discuss the gotchas within the protocol and how to combat them.
Fantastic book!
The various different parts of this complex protocol and its subcomponents are explained very thoroughly and easily make you understand how it's implemented, and it's role in the OAuth dance(as the book refers to it)
The book shines in where you build all of the subcomponents in the protocol. Which is enough to give a solid understanding of how things are, and how you can implement them. The code examples shown however, were using outdated JavaScript syntax. ECMAScript seems to not have been acknowledged, which is my only point in reading this book, the code samples were not the best, and i wouldn't write mine in the same way.
It backs away to discuss the gotchas within the protocol and how to combat them.
Fantastic book!
April 8, 2017
Best reference available on this subject
Displaying 1 - 22 of 22 reviews