Overview[1]#

OAuth is a an open standard, scalable, RESTful Protocol for Delegation of Authorization to server resources using HTTP.

Generally, OAuth is a solution to the Password Anti-Pattern.

OAuth 2.0 is an evolution of the OAuth Protocol and is NOT backward compatible with OAuth 1.0.

OAuth 2.0 NOT an Authentication protocol#

OAuth Not for Authentication

.

Remember that OAuth 2.0 NOT an Authentication protocol OAuth 2.0 provides Delegation, Consent and Authorization

Developer Simplicity#

OAuth 2.0 focuses on developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification and associated RFCs are being developed within the IETF OAuth WG; the main framework was published in October 2012.

Of course focuses on developer simplicity invokes the Law of Complexity by moving the complexity from the developer realm into the Authorization Server and Resource Server.

OAuth 2.0 was expected to be finalized by the end of 2010 according to Eran Hammer. However, due to discordant views about the evolution of OAuth, Hammer left the working group.

The OAuth 2.0 Framework and Bearer Token Usage were published in October 2012. Other documents were and are still being worked on within the OAuth working group.

• OAuth 2.0 Actors[2]
• OAuth 2.0 Endpoints
• OAuth 2.0 Tokens
  • Access Token
  • Refresh Token
• OAuth 2.0 Profiles
• Grant Types or OAuth 2.0 Protocol Flows
• OAuth 2.0 Vulnerabilities

What is missing in OAuth 2.0#

What is missing in OAuth 2.0.

Additional OAuth 2.0 RFCs#

• RFC 6749 - The OAuth 2.0 Core
• RFC 6750 - OAuth 2.0 Authorization Framework Bearer Token Usage
• RFC 6819 - OAuth 2.0 Threat Model and Security Configurations
• RFC 6755 - An IETF URN Sub-Namespace for OAuth
• RFC 7009 - OAuth 2.0 Token Revocation
• RFC 7519 - JSON Web Tokens
• RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol
• RFC 7592 - OAuth 2.0 Dynamic Client Registration Management Protocol
• OAuth 2.0 Security Considerations

More Information#

There might be more information for this subject on one of the following:

• ACDC Grant type
• ACE-OAuth
• API Service Delivery
• API-Gateway
• AWS Cognito
• Access Token
• Access Token Request
• Access Token Validation
• Access_denied
• App2app
• AppAuth
• Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
• Auth 2.0 Resource Set Registration
• Authentication Double-Hop
• Authentication Protocol
• Authentication Request
• Authentication and Authorization for Constrained Environments
• Authorization API
• Authorization Code
• Authorization Code Flow
• Authorization Code Grant
• Authorization Cross Domain Code 1.0
• Authorization Grant
• Authorization Request
• Authorization Request Parameters
• Authorization Response
• Authorization Server
• Authorization Server Authentication of the End-User
• Authorization_endpoint
• Authorized party
• Back-channel Communication
• Bearer Token
• Best Practices OpenID Connect
• Best Practices for LDAP Security
• BigQuery
• Book
• Claim
• Claimed Https Scheme URI Redirection
• Client Authentication Methods
• Client Secret
• Client_id
• Client_secret_basic
• Code_verifier
• Consent Dialog
• Consent Standards
• Cool Identity Token Uses
• Covert Redirect Vulnerability
• Custom URI scheme
• Dick Hardt
• Digital Identity
• Embedded user-agent
• Encoding claims in the OAuth 2 state parameter using a JWT
• Explicit Endpoint
• External User-Agent
• FAPI Read Only API Security Profile
• FAPI Read Write API Security Profile
• Financial API
• Financial-grade API
• Form Post Response Mode
• Fragment Response Mode
• Grant
• Grant Negotiation and Authorization Protocol
• Grant Types
• Grant_type
• Grant_types_supported
• Health Relationship Trust
• Hybrid Flow
• Identity Broker
• Identity Provider (IDP)
• Identity Token
• Identity Token Claims
• IdentityServer
• Implicit Grant
• Include_granted_scopes
• Insufficient_scope
• Introspection_endpoint
• Invalid_request
• Invalid_token
• Iss
• JSON Identity Suite
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
• JSON Web Token Best Current Practices
• Javascript Object Signing and Encryption
• Kerberos
• LeftMenu
• Life Management Platform
• Loopback URI Redirection
• Lua-resty-openidc
• MITRE Corporation
• MITREid Connect
• Macaroons
• Malicious Endpoint
• Mix-up attacks
• Mod_auth_openidc
• Mutual TLS Profiles for OAuth Clients
• Native application
• Neo-Security Stack
• OAuth
• OAuth 2.0 Actors
• OAuth 2.0 Audience Information
• OAuth 2.0 Authorization
• OAuth 2.0 Authorization Server Metadata
• OAuth 2.0 Bearer Token Usage
• OAuth 2.0 Client Registration
• OAuth 2.0 Client Types
• OAuth 2.0 Device Profile
• OAuth 2.0 Dynamic Client Registration Protocol
• OAuth 2.0 Endpoints
• OAuth 2.0 Incremental Authorization
• OAuth 2.0 JWT Secured Authorization Request
• OAuth 2.0 Message Authentication Code (MAC) Tokens
• OAuth 2.0 Multiple Response Type Encoding Practices
• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
• OAuth 2.0 NOT an Authentication protocol
• OAuth 2.0 Profiles
• OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
• OAuth 2.0 Protocol Flows
• OAuth 2.0 Security Best Current Practice
• OAuth 2.0 Security Considerations
• OAuth 2.0 Security-Closing Open Redirectors in OAuth
• OAuth 2.0 Software Statement
• OAuth 2.0 Threat Model and Security Configurations
• OAuth 2.0 Token Binding
• OAuth 2.0 Token Exchange
• OAuth 2.0 Token Exchange Request
• OAuth 2.0 Token Introspection
• OAuth 2.0 Token Revocation
• OAuth 2.0 Tokens
• OAuth 2.0 Use Cases
• OAuth 2.0 Vulnerabilities
• OAuth 2.0 for Native Apps
• OAuth Client
• OAuth Dynamic Client Registration Metadata
• OAuth Error
• OAuth Parameters Registry
• OAuth Scope Example
• OAuth Scopes
• OAuth Token Profile
• OAuth and OIDC Adoption
• OAuth state parameter
• OXD
• Oauth.xyz
• Offline_access
• Oidc-client-js
• Open Bank Project
• Open Banking
• Open Banking Implementation Entity
• Open Banking OBIE
• Open Trust Taxonomy for OAuth2
• Open Web Interface for .NET
• OpenAM Endpoints
• OpenID Connect
• OpenID Connect Authentication Response
• OpenID Connect Claims
• OpenID Connect Client Initiated Backchannel Authentication Flow
• OpenID Connect Discovery
• OpenID Connect Dynamic Client Registration
• OpenID Connect Endpoints
• OpenID Connect Federation Async
• OpenID Connect Flows
• OpenID Connect Profile for SCIM Services
• OpenID Connect Provider
• OpenID Connect Scopes
• OpenID Connect Use Cases
• OpenID Connect User Questioning API
• OpenID.Registration
• OpenIG
• Openid scope
• Openid-configuration
• OxAuth
• Ping Identity
• Private URI Scheme
• Private-Use URI Scheme Redirection
• Proof Key for Code Exchange by OAuth Public Clients
• Protection API
• Pushed Authorization Requests
• Query Response Mode
• REST Profile of XACML
• RFC 6750
• RFC 7253
• Refresh Token
• Refresh Token Grant
• Registration_endpoint
• Representational State Transfer
• Request Object
• Requested_token_use
• Resource Owner
• Resource Owner Password Credentials Grant
• Resource Server
• Resource_set_registration_endpoint
• Response Type
• Response_modes_supported
• Response_type
• Response_types_supported
• SCIM 2.0
• Salesforce
• Scopes vs Claims
• Scp (Scopes) Claim
• Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
• Security Token Service
• Select_account
• Server_error
• Service Provider
• Single Sign-On Scenarios
• Social Login
• Standards Based SSO
• State
• Temporarily_unavailable
• The OAuth 2.0 Authorization Framework
• Token Revocation
• Token Service Provider
• Token Storage
• Token Type Identifiers
• Token_endpoint
• Token_endpoint_auth_methods_supported
• UMA 2.0 Grant for OAuth 2.0
• UMA 2.0 Grant for OAuth 2.0 Authorization
• UMA-obligations
• Ui_hint
• Uma-configuration
• Unauthorized_client
• Unsupported_response_type
• Unsupported_token_type
• User
• User-Managed Access
• Userinfo_endpoint
• Username
• WEB Access Management
• What is missing in OAuth 2.0
• Why Access Tokens
• Why OAuth 2.0
• Why OpenID Connect
• Why Use Tokens
• Why is Time Important
• Windows Hello
• XACML
• Yadis

---

• [#1] - The OAuth 2.0 Authorization Framework - based on data observed:2015-05-18
• [#2] - based loosely on http://en.wikipedia.org/wiki/OAuth - Retrieved 2013-03-29