OAuth 2.0 Simplified • Aaron Parecki
<!doctype html> <html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>OAuth 2.0 Simplified • Aaron Parecki</title> <meta property="og:url" content="https://aaronparecki.com/oauth" /> <meta property="og:type" content="article" /> <meta property="og:title" content="OAuth 2.0 Simplified" /> <meta property="og:site_name" content="Aaron Parecki" /> </head> <body> <div class="sticky-footer-content"> <div class="ui container"> <div class="site-header"> <h1><a href="/">Aaron Parecki</a></h1> </div> <div class="post-list permalink"> <ul> <li class="h-entry post-entry post-type-article post has-responses " id="post-id-29444"> <div style="" class="content-area has-responses has-name"> <div class="pad"> <h2 class="p-name post-title"> OAuth 2.0 Simplified </h2> <div class="post-text e-content "><p><img src="/images/oauth-thin.jpg" width="100%"></p> <p><a href="https://oauth2simplified.com/lulu.php?utm_source=aaronparecki.com"><img src="https://aaronparecki.com/oauth/book-cover.png" width="240" style="float: right; margin-left: 4px; margin-right: -10px;"></a></p> <p><a href="https://oauth2simplified.com/">OAuth 2.0 Simplified</a> is a guide to building an OAuth 2.0 server.
Through high-level overviews, step-by-step instructions, and real-world examples, you will learn how to take advantage of the OAuth 2.0 framework while building a secure API.</p> <p>You can buy the paperback book <a href="https://oauth2simplified.com/lulu.php?utm_source=aaronparecki.com">on Lulu.com</a> or <a href="https://www.amazon.com/OAuth-2-0-Simplified-Aaron-Parecki/dp/1387130102/?tag=apkdotcom-20">Amazon</a> now! Also available as an <!-- on [Kindle](https://www.amazon.com/OAuth-2-0-Simplified-Aaron-Parecki-ebook/dp/B077TVW1QW/?tag=apkdotcom-20), --> <a href="https://www.lulu.com/en/us/shop/aaron-parecki/oauth-20-simplified-a-guide-to-building-oauth-20-servers/ebook/product-1z9ndjdm.html?page=1&pageSize=4">ePub</a> or <a href="https://www.lulu.com/en/us/shop/aaron-parecki/oauth-20-simplified/ebook/product-12q46zyq.html?page=1&pageSize=4">PDF</a>.</p> <h3>OAuth Course</h3> <p>My video course <a href="https://oauth2simplified.com/course">The Nuts and Bolts of OAuth 2.0</a> is now available on Udemy! 
With over 3.5 hours of video content, interactive exercises, and access to a web-based tool that guides you through the exercises and gives you feedback along the way, you can join over 1500 other students who have already taken this course!</p> <p><a href="https://oauth2simplified.com/course"><img src="https://oauth2simplified.com/images/course-image-with-text.png" width="100%"></a></p> <h3>OAuth Cheat Sheet</h3> <p>I published a cheat sheet, "<a href="https://dzone.com/refcardz/oauth-patterns-and-anti-patterns">OAuth Patterns and Anti-Patterns</a>", which is available for free!</p> <p><a href="https://dzone.com/refcardz/oauth-patterns-and-anti-patterns" style="float: left; margin-right: 20px;"><img src="https://aaronparecki.com/oauth/dzone-refcard-preview.jpg" width="300"></a></p> <p>The "OAuth Patterns and Anti-Patterns" Refcard covers a range of topics, including:</p> <ul> <li>Clear and concise definitions of common OAuth terminology</li> <li>Tips for securing tokens in browser-based apps</li> <li>How PKCE makes the OAuth flow more secure</li> <li>The difference between access tokens and ID tokens</li> <li>Access token validation tips and techniques</li> </ul> <div style="clear: both;"></div> <h3>Specs</h3> <p>I contribute to the OAuth specs, and co-authored <a href="https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps">OAuth 2.0 for Browser-Based Apps</a> and <a href="https://oauth.net/2.1/">OAuth 2.1</a>.</p> <p>I also maintain <a href="https://oauth.net">oauth.net</a>.</p> <div style="clear:both;"></div> <h3>Videos</h3> <h4>OAuth: When Things Go Wrong</h4> <iframe width="100%" height="400" src="https://www.youtube.com/embed/H6MxsFMAoP8" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe> <p>Presented at the O'Reilly Software Architecture Conference.</p> <p>Slides: <a href="https://speakerdeck.com/aaronpk/oauth-when-things-go-wrong">speakerdeck.com/aaronpk/oauth-when-things-go-wrong</a></p> <h4>OAuth Access Tokens Explained</h4> <iframe width="100%" 
height="400" src="https://www.youtube.com/embed/BNEoKexlmA4" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe> <h4>OAuth All the Things! What is OAuth 2.0?</h4> <iframe width="100%" height="400" src="https://www.youtube.com/embed/wA4kqKFua2Q" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe> <!-- ### OAuth Talks I'd be happy to come to your meetup and give a talk on OAuth! Fill out the form below if you're interested in having me come give a talk! If I can accept your request, <a href="https://developer.okta.com">Okta</a> will sponsor drinks for your meetup, and I'll bring a few copies of my book to give away as well. <iframe src="https://docs.google.com/forms/d/e/1FAIpQLSdJdgUxtCZ7OiN02eOjfzyn_SlRG-0IfN3DSp1gI9jhT43E-A/viewform?embedded=true" width="100%" height="1300" frameborder="0" marginheight="0" marginwidth="0">Loading...</iframe> --> <!-- ### Training <img src="/images/profile.jpg" width="120" style="float: left; border-radius: 60px; margin-right: 8px;"> I am available to provide OAuth training and consultation for you and your team. I can provide half-day or full-day sessions, starting with an Introduction to OAuth 2.0, followed by spending time addressing the specific questions of your team relating to your product. 
#### Full-Day Training * Morning: Introduction to OAuth 2.0 * Available to your whole team * Afternoon: Q&A * Break-out session with 5-8 people to address specific questions #### Introduction to OAuth 2.0 Outline * Why OAuth is important * High-level introduction to how OAuth improves security * Demonstrate issues with password authentication for third-party apps * How OAuth 2.0 simplified aspects from OAuth 1 for a better developer experience * Intro to OAuth 2.0 terminology and summary of OAuth 2.0 flows * Definitions of the parties involved * Use cases mapping to grant types * Grant Types and Use Cases * OAuth 2.0 for server-side apps * OAuth 2.0 for browser-based apps * OAuth 2.0 for Native Apps * OAuth 2.0 for browserless and input-constrained devices * Password grant (resource owner) * Refresh tokens * When are refresh tokens used * How to maintain and use refresh tokens * OAuth 2.0 scopes * How services can define scopes to allow users to have control of what they are sharing * How apps can request scopes * Survey of scopes on various popular OAuth 2.0 services * Accessing resources * Using an access token to access protected resources on behalf of a user * Components of an OAuth 2.0 Server * Client registration and lifecycle management * The components of the authorization interface * Listing and managing authorizations * Creating documentation * Next steps * Finding additional documentation and navigating specs and extensions * Overview of available client-side libraries and why a library may not be necessary * Overview of available server-side libraries Please email me at [aaron@parecki.com](mailto:aaron@parecki.com) to schedule a training session. 
--> <style> ul ul ul { margin-bottom: 0; } </style> </div> </div> <div class="metaline pad"> <a href="https://aaronparecki.com/oauth" class="u-url">permalink</a> </div> <a class="u-author" href="/"></a> <div class="metaline responses-summary pad"> <span><i class="file text outline icon"></i> <span class="p-pk-num-mentions">1</span> mention</span> </div> <div style="clear:both;"></div> </div> <div class="responses" id="responses"> <form class="webmention-form ui form" action="https://webmention.io/aaronpk/webmention" method="post"> <div class="fields"> <div class="twelve wide field"> <label>Have you written a <a href="https://indieweb.org/responses">response</a> to this? Let me know the URL:</label> <input type="url" name="source" class="url"> </div> <div class="four wide field"> <label> </label> <input type="submit" class="ui submit button" value="Send Webmention"> </div> </div> <div class="status hidden"> <div class="ui message"></div> </div> <input type="hidden" name="target" value="https://aaronparecki.com/oauth"> </form> <h3 id="mentions">Other Mentions</h3> <ul> <li class="p-comment h-cite comment"> <div class="p-author h-card author"> <img src="/assets/images/no-profile-photo.png" height="48"> <a class="p-name u-url" href="https://bjoernkw.com"> bjoernkw.com </a> </div> <!-- TODO: should this be e-summary if I've truncated it or if it came from the summary? 
--> <div class="e-content comment-content"><p>At this year’s <a href="https://beyondtellerrand.com/" rel="nofollow">beyond tellerrand</a> Düsseldorf <a href="https://indieweb.org/" rel="nofollow">IndieWebCamp</a> co-founder and <a href="https://aaronparecki.com/oauth/" rel="nofollow">OAuth consultant</a> <a href="https://aaronparecki.com/" rel="nofollow">Aaron Parecki</a> gave a talk about OAuth, why we need it, and how we can use it to simplify authentication and authorization in web applications:</p><p></p><p><a href="https://vimeo.com/645378255" rel="nofollow">Aaron Parecki – Why Do We Really Need OAuth Anyway? – beyond tellerrand Düseldorf 2021</a> from <a href="https://vimeo.com/beyondtellerrand" rel="nofollow">beyond tellerrand</a> on <a href="https://vimeo.com" rel="nofollow">Vimeo</a>.</p><p>Aaron also provides <a href="https://oauth2simplified.com/" rel="nofollow">a guide to building an OAuth 2.0 server</a> and <a href="https://www.udemy.com/course/oauth-2-simplified/?referralCode=B04F59AED67B8DA74FA7" rel="nofollow">a video course titled “The Nuts and Bolts of OAuth 2.0”</a>.</p> <span><a href="https://bjoernkw.com/2021/12/05/aaron-parecki-why-do-we-really-need-oauth-anyway-beyond-tellerrand-dusseldorf-2021/" rel="nofollow">December 5, 2021</a></span> <span>by <a href="https://bjoernkw.com" rel="nofollow">Bjoern</a></span> <span>in <a href="https://bjoernkw.com/category/software/enterprise-software/" rel="nofollow">Enterprise Software</a>, <a href="https://bjoernkw.com/category/software/" rel="nofollow">Software</a>, <a href="https://bjoernkw.com/category/software/web-development/" rel="nofollow">Web Applications</a></span></div> <div class="metaline"> <a href="https://bjoernkw.com/2021/12/05/aaron-parecki-why-do-we-really-need-oauth-anyway-beyond-tellerrand-dusseldorf-2021/" class="u-url"> <time class="dt-published" datetime="2021-12-05T07:03:26-08:00"> Sun, Dec 5, 2021 7:03am -08:00 </time> </a> </div> </li> </ul> <div style="clear:both;"></div> </div> 
</li> </ul> </div> </div> </div> <footer class="sticky-footer"> <div class="subfooter"> <div class="ui container h-card"> <div class="about"> <div class="image"><a href="/" class="u-url u-uid"><img src="/images/profile.jpg" class="u-photo"></a></div> <div class="bio"> <div class="p-note"> <p>Hi, I'm <span class="p-name">Aaron<span style="display:none;"> Parecki</span></span>, Director of Identity Standards at Okta, and co-founder of <a href="https://indieweb.org/">IndieWebCamp</a>. I maintain <a href="https://oauth.net/">oauth.net</a>, <a href="/oauth/">write and consult about OAuth</a>, and participate in the OAuth Working Group at the IETF. I also help people learn about <a href="https://aaronpk.tv">video production and livestreaming</a>. (<a href="/bio/">detailed bio</a>)</p> <p>I've been <a href="/gps/">tracking my location</a> since 2008 and I wrote <a href="https://100.aaronparecki.com/">100 songs in 100 days</a>. I've <a href="/presentations">spoken</a> at conferences around the world about <a href="/presentations?tag=indieweb">owning your data</a>, <a href="/oauth/">OAuth</a>, <a href="/presentations?tag=quantifiedself">quantified self</a>, and explained <a href="https://www.youtube.com/watch?v=FGVJ0eXTRpw">why R is a vowel</a>. 
<a href="/about">Read more</a>.</p> <time class="dt-bday" datetime="--12-28"></time> <data class="p-street-address" value="PO Box 12433"></data> <data class="p-locality" value="Portland"></data> <data class="p-region" value="Oregon"></data> <data class="p-country-name" value="USA"></data> <data class="p-postal-code" value="97212"></data> </div> </div> <div class="right"> <div class="orgs"> <ul> <li class="p-org h-card"> <img src="/images/okta.png" alt="" class="u-photo"> <span class="p-role">Director of Identity Standards</span> at <a href="https://www.okta.com/" class="u-url"> <span class="p-name">Okta</span> </a> </li> <li class="p-org h-card"> <img src="/images/indiewebcamp.png" alt="" class="u-photo"> <a href="https://indieweb.org/" class="u-url"> <span class="p-name">IndieWebCamp</span> </a> <a class="p-role" href="https://indieweb.org/founders">Founder</a> </li> <li class="p-org h-card"> <img src="/images/ietf.ico" alt="" class="u-photo"> <a href="https://oauth.net" class="u-url"> <span class="p-name">OAuth WG</span> </a> <a class="p-role" href="/oauth/">Editor</a> </li> <li class="p-org h-card"> <img src="/images/openid.png" alt="" class="u-photo"> <a href="https://openid.net" class="u-url"> <span class="p-name">OpenID</span> </a> <a class="p-role" href="/oauth/">Board Member</a> </li> <!-- <li class="p-org h-card"> <img src="/images/w3c.png" alt="" class="u-photo"> <a href="https://www.w3.org/" class="u-url"> <span class="p-name">W3C</span> </a> <a class="p-role" href="/w3c/">Editor</a> </li> --> <li><br></li> <!-- <li><img src="/images/spotify.ico" alt=""> <a href="/sunshine-indie-pop/">Sunshine Indie Pop</a></li> <li> <img src="/images/microphone.png" alt=""> <a class="p-callsign u-url" href="https://w7apk.com">W7APK</a> </li> --> <li>🎥 <a href="https://youtube.com/aaronpk">YouTube Tutorials and Reviews</a></li> <li>🏠 <a href="https://www.youtube.com/@TheHouseFilesPDX">We're building a triplex!</a></li> <li>⭐️ <a 
href="https://aaronparecki.com/life-stack/">Life Stack</a></li> <li>⚙️ <a href="https://aaronparecki.com/home-automation/">Home Automation</a></li> </ul> <link rel="pgpkey" href="/key.txt"> <link rel="me" href="sms:+15035678642"> <link rel="me" href="https://micro.blog/aaronpk"> </div> </div> </div> </div> </div> <div class="footer"> <div> <span>© 1999-2025 by Aaron Parecki.</span> <span>Powered by <a href="https://indieweb.org/p3k">p3k</a>.</span> <span>This site supports <a href="https://webmention.net/">Webmention</a>.</span> </div> <div> <span>Except where otherwise noted, text content on this site is licensed under a <a href="http://creativecommons.org/licenses/by/3.0/" rel="license">Creative Commons Attribution 3.0 License</a>.</span> </div> <div class="badges" style="padding-top: 8px;"> <a href="https://indieweb.org/"><img src="/assets/badges/indieweb.png" width="80" height="15" alt="IndieWebCamp" style="image-rendering: pixelated;"></a> <a href="http://microformats.org/"><img src="/assets/badges/microformats.png" width="80" height="15" alt="Microformats" style="image-rendering: pixelated;"></a> <a 
href="https://indieweb.org/Webmention"><img src="/assets/badges/webmention.png" width="80" height="15" alt="Webmention" style="image-rendering: pixelated;"></a> <img src="/assets/badges/w3c-valid-html.png" width="80" height="15" alt="W3C HTML5" style="image-rendering: pixelated;"> <a href="http://creativecommons.org/licenses/by/3.0/"><img src="/assets/badges/cc-commons.png" width="80" height="15" alt="Creative Commons" style="image-rendering: pixelated;"></a> </div> </div> </footer> </body> </html>