OAuth: What Everyone Should Know

When you work as intensely with a certain technology as my colleagues and I do, you get a clear picture of how it works and should work. At some point, you realize that you have become an expert in your field; in our case, it’s OAuth. This is also the point where things that are obvious to you are not for others.

Securing API access is part of data security

OAuth enables integrated solutions between users, clients (applications), and APIs. An OAuth system issues the client an access token that grants restricted API access. Although there are many guides on OAuth, they are commonly limited to retrieving the access token. As experts, we know there is much more to OAuth than sending the right protocol messages.

We found that there was a gap in the specialist literature around providing organizations with strategies to integrate OAuth in ways that let security support modern technologies while still meeting developers' expectations. We realized that to make the internet a safer place, we needed to make our know-how available to the broader community. Slowly but surely, the idea of a book was born.

We decided on the title “Cloud Native Data Security with OAuth.” Some people may think the title is controversial because OAuth is all about securing access, while data security tends to be about securing data storage and encryption. However, this is exactly the pattern that we want to disrupt. You cannot talk about access control and authorization without also considering the data you want to protect. The goal of OAuth is to protect the data (through authorization) that APIs expose. The book focuses on cloud native technology because that lets us recommend solutions you can run anywhere.

Authentication is secondary to authorization

In OWASP’s top 10 API security risks list, broken authorization ranks first. This means that you need to secure access beyond simply authenticating users, because an attacker may already be logged in, for example with stolen or compromised credentials.

Of course, securing the authentication process is part of the game. However, authentication is not the primary concern, because authorization is about granting the least privileges to (authenticated) users. Newcomers to OAuth often focus on user authentication. Many miss that the heart of OAuth is the content of the access token, which should enable APIs to enforce least-privilege access.

For data security with OAuth, you should rely on identity attributes when evaluating access control policies. To do this, map scopes to a defined set of identity data when modeling the access token. The access token and its related data are what APIs use to enforce access rules. This approach combines token-based with attribute-based access control and provides a good foundation for an API security architecture.
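As an added illustration of that combination (not code from the book or from Curity), here is how an API might enforce it: the token's scope gates the operation, and an identity attribute gates which records the caller may touch. The HS256 signing key, the `orders-api` audience, the `customer_id` and `role` claims, and the order data are all constructed for this example; a real API would validate the authorization server's signature against its published keys.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"demo-only-hmac-key"  # constructed; real APIs check the AS's public key (JWKS)
AUDIENCE = "orders-api"  # constructed audience value for this demo API

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the authorization server: issue an HS256 JWT access token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Validate signature, audience and expiry before trusting any claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def authorize(claims: dict, action: str, order: dict) -> bool:
    """Scope gates the operation; identity attributes gate which data."""
    granted = set(claims.get("scope", "").split())
    required = {"read": "orders:read", "cancel": "orders:write"}[action]
    if required not in granted:
        return False
    # Attribute rule: customers act only on their own orders; support staff
    # (role claim) may read any order but never cancel one.
    if claims.get("customer_id") == order["customer_id"]:
        return True
    return action == "read" and claims.get("role") == "support"

def handle_request(token: str, action: str, order: dict, now=None) -> int:
    """HTTP status the API returns: 401 for an invalid token, 403 when denied."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return 401
    return 200 if authorize(claims, action, order) else 403
```

Note that token validation (401) and policy evaluation (403) are kept separate, so an expired or forged token is rejected before any claim in it influences a decision.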

A good access token design is essential for API security. Therefore, we devote a whole chapter to access token design, so that you can scale the use of access tokens to many APIs and clients.

There is more to access tokens than their attributes. The API gateway, for example, plays a vital role in an API security architecture with OAuth, as it provides the public interface of an API. The API gateway can compensate for client-application specifics so that you can implement a unified approach to access control in API services. Having one way to do things simplifies development and, as a result, reduces vulnerabilities.

Cloud-native technology gives you many choices

The cloud-native aspect of the book focuses on choices like where you store identity data, the components you can use, and where you can operate OAuth. For example, it highlights how to integrate workload identities in an OAuth architecture to strengthen credentials.

The book lists best practices for client applications to address the weakest links in the security chain. It provides guidance and examples on implementing OAuth in browser-based and platform-specific applications (“native applications”), covering desktop and mobile clients.

The cloud native focus enables us to provide code examples that show how to run end-to-end OAuth flows with exactly the same technologies on local computers and cloud deployments. In the last chapter, the book discusses how to fortify authorization with strong authentication to improve assurance in the identity attributes.

In the end, implementing data security with OAuth is all about the attributes — the characteristics you provide to gain access to data. This is very apparent to us, but we found this message was missing in the OAuth-related literature. We filled the gap with Cloud Native Data Security with OAuth so that more people can utilize the building blocks OAuth provides and combine them with cloud-native technology to protect business assets in a secure and scalable way.
