

Intimidated by OAuth? Here’s why you shouldn’t be

Written by Kevin Montalbo  |  April 8, 2021

Editor’s note: This interview with Matthias Biehl was recorded for Coding Over Cocktails - a podcast by Lonti previously known as Toro Cloud.

According to the OAuth website, "OAuth is the industry-standard protocol for authorisation", which focuses on simplicity while providing specific authorisation flows for web applications, desktop applications, mobile phones, and living room devices.

Because it is simple to adopt and, used correctly, secure, it has become the de facto standard for protecting web APIs: the API checks a token issued by an authorisation server instead of handling the user's credentials itself.

However, according to Matthias Biehl, author of "OAuth 2.0: Getting Started in Web-API Security", a lot of developers are still intimidated by the protocol.

"[OAuth] requires a lot of different players, and a very dedicated way of interacting between those players," Biehl says during an interview on Coding Over Cocktails, a podcast by Toro Cloud.

He further states that the intimidation often stems from the fact that two channels are involved: a front channel, the UI-based interaction that passes through the user's browser, and a back channel, the direct API call from the application to the authorisation server.

This can add to the misconception that OAuth can be quite complicated to implement.

"It's not," Biehl replies.

"Maybe you need to get your head around it once, but I would say: don't be afraid of the OAuth beast. It's actually quite a good and well thought-out, practically proven protocol that we should all use more in our implementations on APIs," he adds.

In order to have a better understanding of OAuth and its flows, Biehl advises developers to look at several resources around it, including this OAuth Cheat Sheet he developed at API University.

"Nowadays, I think there are excellent libraries that you can use as a programmer that get you around a lot of these difficult parts, and they already incorporate all the best practices. So, instead of trying to code the protocol yourself from the start, use something that's already out there."

Understanding OAuth

The key to understanding OAuth is... literally a "key".

Instead of handing its password to every application that needs to act for it, the user lets an authorisation server issue the application an "access token": a credential scoped to particular resources and valid for a limited time, which the application presents to the API. The API checks the token, never the user's password.

Biehl explains that OAuth works like checking in to a hotel with keycard access.

"When you check into a hotel, you don't get handed the master key to all the rooms, right? That is kept secret and only a few people can hold that. But when you check into a hotel, you get a key card that's programmable, and that gives you access to the front door, to your own room and not to any other room in the big house. It also gives you access only for a specific time period, right? And afterwards, I mean, maybe you would leave it in your pocket. You come back a year later, it won't work because it is bound – and that's basically what OAuth brought," Matthias illustrates.

The OAuth 2.0 Authorisation Framework defines several ways for a client to obtain an access token; these are called grant types or "flows".

Which flow fits depends on the kind of client, but the main one for applications acting on behalf of a user is the "Authorisation Code Flow".

"What you do in an authorization code flow is, number one: the client requests an authorisation code on the authorization endpoint; then, there you have the end user in the loop. The end user usually authenticates by logging in with biometrics, with a password and so forth."

"Then as an outcome of that, the client, the app, receives a so-called authorisation code on the redirect endpoint. And with this intermediate code, it can then request an OAuth access token using a back channel – using an API called directly on the OAuth server. Now, when this comes back, the access token has to be validated and then it can be used in order to access those resources," he explains.
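The flow Biehl walks through above, as an added example that is not part of the interview or of his book: a Python simulation of the authorisation code flow with PKCE, both sides in one process with no network. The client id, client secret, redirect URI, user and scope are constructed. It goes slightly beyond the quote to show the checks that make the flow safe in practice: the code is short-lived and single-use, the redirect URI is exact-matched, the state parameter ties the callback to a login the client itself started, and the PKCE verifier proves that the party redeeming the code is the one that began the flow.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (assumptions, not real endpoints or secrets).
CLIENT_ID, CLIENT_SECRET = "web-app", "client-secret-demo"
REDIRECT_URI = "https://app.example/cb"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def s256(verifier: str) -> str:
    """PKCE S256 challenge: base64url(sha256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    """Authorization endpoint (front channel) and token endpoint (back channel)."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes, self.tokens = {}, {}

    def authorize(self, query: str, authenticated_user: str) -> str:
        """Called once the user has logged in at the server; returns the redirect
        URL carrying a short-lived, single-use code bound to this request."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code":
            raise ValueError("unknown client or response_type")
        if q.get("redirect_uri") != client["redirect_uri"]:   # exact match, never a prefix
            raise ValueError("redirect_uri mismatch")
        if not q.get("state") or q.get("code_challenge_method") != "S256" \
                or not q.get("code_challenge"):
            raise ValueError("state and PKCE (S256) are required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "sub": authenticated_user,
                            "scope": q.get("scope", ""), "redirect_uri": q["redirect_uri"],
                            "code_challenge": q["code_challenge"], "exp": time.time() + 60}
        return f"{client['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict) -> dict:
        """Back channel: the client redeems the code; every binding is re-checked."""
        rec = self.codes.pop(form.get("code"), None)           # pop: a code is single-use
        if rec is None or rec["exp"] < time.time():
            raise PermissionError("invalid or expired code")
        client = self.clients.get(form.get("client_id"))
        if (form.get("grant_type") != "authorization_code" or client is None
                or rec["client_id"] != form["client_id"]
                or not secrets.compare_digest(client["secret"].encode(),
                                              str(form.get("client_secret", "")).encode())):
            raise PermissionError("client authentication failed")
        if form.get("redirect_uri") != rec["redirect_uri"]:
            raise PermissionError("redirect_uri mismatch")
        if not secrets.compare_digest(s256(str(form.get("code_verifier", ""))).encode(),
                                      rec["code_challenge"].encode()):
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)                       # opaque bearer token
        self.tokens[token] = {"sub": rec["sub"], "scope": rec["scope"], "exp": time.time() + 3600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


class Client:
    """The app: it never sees the user's password, only the code and the token."""

    def __init__(self, auth: AuthorizationServer):
        self.auth, self.pending = auth, {}                     # state -> code_verifier

    def start_login(self, scope: str) -> str:
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(48)
        self.pending[state] = verifier
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": scope, "state": state, "code_challenge": s256(verifier),
            "code_challenge_method": "S256"})

    def handle_callback(self, redirect_url: str) -> dict:
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        verifier = self.pending.pop(q.get("state"), None)      # CSRF / replay check
        if verifier is None:
            raise PermissionError("unknown or replayed state")
        return self.auth.token({"grant_type": "authorization_code", "code": q.get("code"),
                                "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                "client_secret": CLIENT_SECRET, "code_verifier": verifier})


def run_flow(auth: AuthorizationServer, client: Client, user="alice", scope="read:profile"):
    """Drive one login end to end; returns (callback URL, token response)."""
    auth_url = client.start_login(scope)
    # The user authenticates at the authorisation server (password, biometrics...); simulated.
    callback = auth.authorize(urlparse(auth_url).query, authenticated_user=user)
    return callback, client.handle_callback(callback)


if __name__ == "__main__":
    auth = AuthorizationServer()
    callback, resp = run_flow(auth, Client(auth))
    print(resp["token_type"], "token issued for", auth.tokens[resp["access_token"]])
```

The access token issued at the end is deliberately an opaque random string; validating it means asking the authorisation server, which is the "reference token" pattern discussed later in the article.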

OAuth for Microservices

OAuth is usually encountered protecting public-facing, north-south APIs. Can the protocol also be used for east-west traffic, such as calls between microservices?

"Definitely... but you need to tweak it a little bit differently depending on how you want to use it," Biehl says.

"If you have this East-West type of interaction, then you typically want to have a distributed architecture. You don't want to have any central points, any bottlenecks in your architecture, and you should not really have a reference token because a reference token can only be decoded basically in one point in the whole architecture."

For that case he describes a "value token": a self-contained token that carries its own claims, so the service receiving it can verify and read it without calling back to a central server.

"You can decode this [value] token and see what are the access rights, who is the user and in a very decentralised way, each microservice can decode it and work with that token. And then of course, you can bring both of these patterns basically together, where you have a north-southbound interaction to the outside world, you translate to, say, the reference token that you give out to a value token, that you can then use inside in your microservice architecture." Biehl adds.

Learn more about OAuth with Biehl in this episode of Coding Over Cocktails - a podcast by Toro Cloud.

Coding Over Cocktails is a podcast created by Lonti, previously known as Toro Cloud, a company that offers a low-code, API-centric platform for application development and integration.

This podcast series tackles issues faced by enterprises as they manage the process of digital transformation, application integration, low-code application development, data management, and business process automation. It is available for streaming on most major podcast platforms, including Spotify, Apple, Google Podcasts, SoundCloud, and Stitcher.

