Sunday Morning Homework

(Or, Refreshing Your OAuth Knowledge)

As we are getting ready to work on the next version of OAuth, focused on security and interoperability, it is time to refresh your knowledge of the protocol and its design principles. Over the past few days I went back to the OAuth guides to draw ideas for my rewrite of the Core 1.0 specification. I’m trying to produce a purely editorial revision, writing a better specification without making any changes to the meaning of the previous normative text. Something like an unofficial Second Edition.

So if it has been a while since you last read the specification, wrote code, or read the guides, now is the time to refresh…

The guide is still a work in progress, but provides good coverage for those getting started with the protocol. If there are topics you want to see covered, please let me know.

The Beginner’s Guide to OAuth

Part I: Overview

  • Introduction
  • End-user Benefits
  • Scope
  • Specification Structure
  • Definitions

Part II: Protocol Workflow

  • End-user experience
  • Protocol requests

Part III: Security Architecture

  • Beyond HTTP Basic Auth
  • Direct & Delegated Access
  • Credentials
  • Signature and Hash
  • Secrets Limitations
  • Timestamp and Nonce
  • Signature Methods
  • Signature Base String

Part IV: Signing Requests

  • Complete interactive walkthrough on how to sign OAuth requests
  • Tool resource for debugging your OAuth application