<!DOCTYPE html> <html> <head> <title>OAuth 2.0 Simplified - A guide to building OAuth 2.0 servers</title> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0" /> <link href="https://fonts.googleapis.com/css?family=Droid+Serif|Open+Sans|Open+Sans+Condensed:300" rel="stylesheet"> <link rel="stylesheet" href="/styles.css"> <link rel="indieauth-metadata" href="https://authorization-server.com/fedcm/indieauth-metadata.php"> <meta name="twitter:card" content="summary_large_image"/> <meta name="twitter:site" content="@oauth_2"/> <meta name="twitter:creator" content="@aaronpk"/> <meta name="twitter:title" content="OAuth 2.0 Simplified"/> <meta name="twitter:description" content="OAuth 2.0 Simplified is a guide to building an OAuth 2.0 server. Through high-level overviews, step-by-step instructions, and real-world examples, you will learn how to take advantage of the OAuth 2.0 framework while building a secure API."/> <meta name="twitter:image" content="https://oauth2simplified.com/images/book-cover-large.jpg"/> <meta property="og:url" content="https://oauth2simplified.com/" /> <meta property="og:type" content="book" /> <meta property="og:title" content="OAuth 2.0 Simplified" /> <meta property="og:description" content="OAuth 2.0 Simplified is a guide to building an OAuth 2.0 server. Through high-level overviews, step-by-step instructions, and real-world examples, you will learn how to take advantage of the OAuth 2.0 framework while building a secure API." 
/> <meta property="og:image" content="https://oauth2simplified.com/images/book-cover.jpg" /> </head> <body class="h-entry"> <section class="cover split"> <div class="left light"> <img src="/images/book-cover.png" alt="OAuth 2.0 Simplified Book Cover" class="u-photo book-cover"> </div> <div class="right dark"> <div class="in"> <h1 class="p-name">OAuth 2.0 Simplified</h1> <h3>Fourth Edition, updated November 2021</h3> <div class=""> <a href="https://www.lulu.com/en/us/shop/aaron-parecki/oauth-20-simplified/paperback/product-1p74yj65.html" class="buy-button"><span>Paperback</span></a> </div> <div class="buy-buttons"> <!-- <a href="https://gum.co/dRihH" class="buy-button"><span>Paperback</span></a> --> <a href="https://aaronpk.gumroad.com/l/NhSw" class="buy-button"><span>PDF</span></a> <a href="https://www.amazon.com/OAuth-2-0-Simplified-Building-Servers-ebook/dp/B08KWP22H1/?tag=oauth2simplified-20" class="buy-button"><span> Kindle</span></a> <a href="https://www.lulu.com/en/us/shop/aaron-parecki/oauth-20-simplified-a-guide-to-building-oauth-20-servers/ebook/product-1z9ndjdm.html?page=1&pageSize=4" class="buy-button"><span>ePub</span></a> </div> <!-- <p style="font-size: 1.3em; line-height: 1.6em; margin: 3em 0;">All editions were updated in November 2021.</p> --> <p style="font-size: 1.1em; line-height: 1.6em; margin: 3em 0;">OAuth 2.0 Simplified is a guide to building an OAuth 2.0 server. 
Through high-level overviews, step-by-step instructions, and real-world examples, you will learn how to take advantage of the OAuth 2.0 framework while building a secure API.</p> <p style="font-size: 1.6em; line-height: 1.6em; margin: 3em 0;">Subscribe to my email list to be notified about new books, workshops and more!</p> <!-- Begin MailChimp Signup Form --> <div id="mc_embed_signup"> <form action="//nicernet.us12.list-manage.com/subscribe/post?u=3da16cdb35a3696d18f3d5001&amp;id=3565daa7a4" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" class="validate" target="_blank" novalidate> <div id="mc_embed_signup_scroll"> <div class="mc-field-group"> <label for="mce-EMAIL">Email Address <span class="asterisk">*</span></label> <input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL" placeholder="enter your email"> </div> <div class="mc-field-group"> <label for="mce-FNAME">First Name </label> <input type="text" value="" name="FNAME" class="" id="mce-FNAME" placeholder="what is your name?"> </div> <div id="mce-responses" class="clear"> <div class="response" id="mce-error-response" style="display:none"></div> <div class="response" id="mce-success-response" style="display:none"></div> </div> <div style="position: absolute; left: -5000px;" aria-hidden="true"><input type="text" name="b_3da16cdb35a3696d18f3d5001_3565daa7a4" tabindex="-1" value=""></div> <div class="clear"> <input type="submit" value="Keep me updated!" 
name="subscribe" id="mc-embedded-subscribe" class="button"> </div> </div> </form> </div> <!--End mc_embed_signup--> </div> </div> </section> <section style="background: #eee;"> <div class="in" style="max-width: 800px; margin: 0 auto;"> <h1>The Nuts and Bolts of OAuth 2.0</h1> <div class="course-image"><a href="https://www.udemy.com/course/oauth-2-simplified/?referralCode=B04F59AED67B8DA74FA7"><img src="images/nuts-and-bolts-of-oauth.png" style="width: 100%"></a></div> <div class="course-description"> <p>This course includes the latest recommendations from the OAuth working group including covering everything from using PKCE for all types of applications to explaining the motivations behind dropping the Implicit and Password grants from the spec. These security recommendations and more will be rolled up into the new OAuth 2.1 update, so this course will give you an excellent head start on learning the best way to use OAuth going forward!</p> <p>Topics include: OAuth 2.0, OpenID, PKCE, deprecated flows, JWTs, API Gateways, and scopes. No programming knowledge needed!</p> <p>This course covers each of the OAuth flows and applies them to use cases such as implementing OAuth for web apps, native apps, and SPAs. 
In addition to learning how applications can use OAuth to access APIs, you’ll learn how to use OpenID Connect to get the user’s identity.</p> <p>If you're building an API, you'll learn the differences and tradeoffs between different access token formats, how to choose an appropriate access token lifetime, and how to design scopes to protect various parts of your APIs.</p> </div> <div><a href="https://www.udemy.com/course/oauth-2-simplified/?referralCode=B04F59AED67B8DA74FA7"><span>Enroll Now</span></a></div> </div> </section> <section style="background: #ccc;"> <div class="in" style="max-width: 800px; margin: 0 auto;"> <h1>Advanced OAuth Security</h1> <div class="course-image"><a href="https://www.udemy.com/course/advanced-oauth-security/?referralCode=E986334DCA7052166B3F"><img src="images/advanced-oauth-security.png" style="width: 100%"></a></div> <div class="course-description"> <p>Certain applications need a higher level of security compared to what is part of the core OAuth 2.0 specifications. This course will guide you through the details of FAPI, a set of extensions of OAuth 2.0 that provide additional layers of security throughout the OAuth flows.</p> <p>Topics include: Pushed Authorization Requests (PAR), JWT Secured Authorization Request (JAR), JWT Authorization Response Mode (JARM), Mutual TLS (MTLS), DPoP, Authorization Server Issuer Identifier (iss), and HTTP Signatures.</p> <p>The content is divided into five parts, beginning with an overview of the OAuth authorization code flow, an overview of the security goals set out by FAPI and related extensions, as well as a description of the types of attacks we are concerned about protecting against. Part two focuses on securing the front channel, where we'll discuss authorization code injection attacks, PKCE, authorization server mixup attacks, and using Pushed Authorization Requests. 
Part three focuses on the back channel, and discusses the differences between Mutual TLS and Private Key JWT for client authentication. Part four is all about proof-of-possession (sender-constraining) access tokens using Mutual TLS and DPoP. Part five discusses how to achieve non-repudiation throughout each leg of the OAuth flow.</p> </div> <div><a href="https://www.udemy.com/course/advanced-oauth-security/?referralCode=E986334DCA7052166B3F"><span>Enroll Now</span></a></div> </div> </section> <!-- <section class="cover split dzone-refcard"> <div class="left dark"> <div class="in"> <h1>OAuth Patterns and Anti-Patterns</h1> <h3>Download Free!</h3> <div class=""> <a href="" class="buy-button"><span>PDF</span><img src="/images/new-star.png" width="75" class="new"></a> </div> <p>This five-page reference guide covers the latest in OAuth and clarifies some common misunderstandings of applying it to real world use cases. With a focus on OAuth 2.0, OpenID Connect, and best practices, you'll quickly learn how to avoid some common mistakes and how to make your applications and APIs more secure.</p> </div> </div> <div class="right light"> </div> </section> --> <section> <div class="in"> <h1>Stickers</h1> <div class="sticker-preview"> <a href="https://gum.co/sPye"> <img src="/images/jumping-cat-600.jpg"> <span class="buy-now">Buy Now</span> </a> <a href="https://gum.co/sQTx"> <img src="/images/cat-sticker-sheet-600.jpg"> <span class="buy-now">Buy Now</span> </a> <a href="https://gum.co/ludyr"> <img src="/images/reflective-oauth-logo.jpg"> <span class="buy-now">Buy Now</span> </a> </div> </div> </section> <section class="cover split rfc-book"> <div class="left light"> </div> <div class="right dark"> <div class="in"> <h1>The Little Book of OAuth 2.0 RFCs</h1> <h3>Buy Now!</h3> <div class=""> <a href="https://www.amazon.com/Little-Book-OAuth-2-0-RFCs/dp/B084DFYJS1?tag=oauth2simplified-20" class="buy-button"><span>Paperback</span> <!-- <img src="/images/new-star.png" width="75" 
class="new"> --> </a> </div> <p>This reference guide will help you understand the context of each RFC that is part of OAuth.</p> <p>This book is a reproduction of all the RFCs relating to OAuth, everything from OAuth core RFC6749 to the latest Security Best Current Practice. Each RFC is prefaced by a short introduction to set the context for why it's important to the space.</p> </div> </div> </section> <section> <div class="in"> <h1>Why OAuth?</h1> <p>The OAuth 2.0 authorization framework has become the industry standard in providing secure access to web APIs. OAuth allows users to grant external applications access to their data, such as profile data, photos, and email, without compromising security.</p> <p>Whether you’re a software architect, application developer, project manager, or a casual programmer, this book will introduce you to the concepts of OAuth 2.0 and demonstrate what is required when building a server.</p> </div> </section> <section class="split about-the-author"> <div class="left dark"><div class="in"> <h1>About the Author</h1> <p>Aaron Parecki is a Senior Security Architect at Okta with over two decades of experience in the industry. He is the author of OAuth 2.0 Simplified, and maintains <a href="https://oauth.net/">oauth.net</a>. He has been invited to speak at events around the world about OAuth, online security, privacy and data ownership. He is a regular contributor to several specs at the IETF including <a href="https://oauth.net/2.1/">OAuth 2.1</a> and <a href="https://oauth.net/gnap/">GNAP</a>.</p> <p>Aaron is the co-founder of <a href="https://indieweb.org/">IndieWebCamp</a>, a yearly worldwide conference on data ownership and online identity. His work has been featured in Wired, Fast Company, and made Inc. Magazine’s 30 Under 30 while building a startup that was later acquired. Aaron holds a B.S. 
in Computer Science from University of Oregon and lives in Portland, Oregon.</p> </div></div> <div class="right light"> <div class="author-photo"></div> </div> </section> <section class="blue"> <div class="in"> <div style="text-align: center;"> <p><a href="https://twitter.com/aaronpk" class="tweet-me">Questions?<br>Tweet me and I'd be happy to help!</a></p> </div> </div> </section> <section class="footer"> <div class="in"> <p>&copy; 2025 by <a href="https://aaronparecki.com/" class="u-author h-card">Aaron Parecki</a>. All rights reserved.</p> <p>OAuth 2.0 Simplified is published by <a href="https://www.okta.com">Okta, Inc.</a></p> </div> </section> <script src="https://cdn.usefathom.com/script.js" site="UANDOGDQ" defer></script> </body> </html>