OAuth 2.0
Explore OAuth 2.0. What is it and how can you best implement it?
OAuth 2.0 is the industry-standard protocol for authorization and access delegation. It specifies how a resource owner can authorize third-party access to their resources without sharing their credentials. OAuth enables fast and secure authorization for users of APIs, servers, devices and apps: rather than handing a password to the client, the user authenticates at the authorization server, which issues the client an access token that it presents to the API. The API verifies the token instead of a password, so user credentials never reach the client or the API. OAuth itself is an authorization framework rather than an authentication protocol; OpenID Connect adds user authentication on top of it.
Articles
OAuth Client ID Metadata Document
The OAuth Client ID Metadata Document draft specification provides a convenient way for OAuth clients to identify themselves at the authorization server without having to register upfront.
Mutual TLS Sender Constrained Access Tokens
Use mutual TLS to harden the use of access tokens, so that an attacker cannot use stolen tokens to gain API access.
Mutual TLS Client Authentication
What is Mutual TLS, and how does Client Authentication with Mutual TLS work?
Supported OAuth 2.0 RFCs
An overview of the OAuth 2.0 related standards and their support in the Curity Identity Server.
OAuth Device Flow
Learn how OAuth 2.0 Device Flow enables secure authentication on input-constrained devices like smart TVs and consoles: easy setup and seamless user experience.
OAuth Resource Owner Password Credentials Flow
The OAuth Resource Owner Password Credentials Flow Explained.
OAuth Revoke Flow
Learn how OAuth 2.0 token revocation works to securely revoke access and refresh tokens, enhance security, and prevent unauthorized access.
Which OAuth Flow Should I Use?
Learn how to select the right OAuth 2.0 flow for your app, including code flow, client credentials flow, device flow, and more for various use cases.
Proof Key for Code Exchange Overview
Learn how Proof Key for Code Exchange (PKCE) should be used with the code flow and enforced by the OAuth server.
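As an added example (not code from the linked article or from the Curity Identity Server), the S256 transform from RFC 7636 and the token-endpoint check it enables, modelled with an in-memory authorization server and a hypothetical client identifier. The `run_flow` function shows why an authorization code captured in transit is useless to an attacker who does not hold the code_verifier, in either order of redemption.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 48 random bytes -> 64 unreserved characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(48))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal in-memory model of the two endpoints PKCE touches (constructed for this example)."""

    def __init__(self) -> None:
        self.codes: dict[str, dict] = {}   # authorization code -> {client_id, challenge}

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str = "plain") -> dict:
        if code_challenge_method != "S256":
            # 'plain' (or no challenge at all) leaves the code usable by anyone who intercepts it
            return {"error": "invalid_request", "error_description": "S256 code_challenge required"}
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return {"code": code}

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        entry = self.codes.pop(code, None)          # single use: a second presentation always fails
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not (43 <= len(code_verifier) <= 128):
            return {"error": "invalid_grant"}
        expected = make_code_challenge(code_verifier)
        if not hmac.compare_digest(expected, entry["challenge"]):   # constant-time comparison
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(attacker_first: bool) -> dict:
    """Legitimate client vs. an attacker who captured only the authorization code (constructed scenario)."""
    server = AuthorizationServer()
    verifier = make_code_verifier()                          # kept in the client's memory, never sent in the front channel
    code = server.authorize("mobile-app", make_code_challenge(verifier), "S256")["code"]
    attempts = {
        "attacker": lambda: server.token("mobile-app", code, make_code_verifier()),  # stolen code, guessed verifier
        "legit": lambda: server.token("mobile-app", code, verifier),
    }
    order = ("attacker", "legit") if attacker_first else ("legit", "attacker")
    return {who: attempts[who]() for who in order}
```

When the attacker redeems first, the wrong verifier burns the single-use code and the legitimate client must restart the flow, which is the intended outcome: the attacker never obtains a token, and a server that sees the same code twice can additionally revoke anything already issued for it.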
Demonstrating Proof of Possession Overview
What is Demonstrating Proof of Possession (DPoP), and how can it be used to improve the security of public clients?
OAuth Client Credentials Flow
The OAuth Client Credentials Flow Explained.
OAuth Implicit Flow
The OAuth Implicit flow explained.
OAuth Token Exchange Flow
OAuth 2.0 Token Exchange Explained.
OAuth Refresh
The OAuth Refresh Tokens and Flow Explained.
OAuth 2.0 Overview
An overview of the OAuth 2.0 authorization framework, summarizing the roles of resource owner, client, resource server and authorization server.
OAuth Code Flow
The OAuth Code Flow Explained.
Client Assertions and the JWKS URI
Protecting APIs with strong security by requiring clients to authenticate using JWT client assertions
Pushed Authorization Requests (PAR)
What is PAR, and how does it help improve security for financial-grade APIs?
How-tos
Ephemeral Clients (Client ID Metadata Documents)
This tutorial explains how to enable ephemeral clients in the Curity Identity Server and integrate using Client ID Metadata Document.
Resource Owner Password Flow
This tutorial explains how to use the Resource Owner Password Credential Flow (ROPC) to obtain tokens from the Curity Identity Server.
NGINX OAuth Proxy Module
An OAuth proxy module that runs in the NGINX API gateway, to translate secure cookies to access tokens
OpenResty OAuth Proxy Plugin
An OAuth proxy module that runs in the OpenResty API gateway, to translate secure cookies to access tokens
OAuth Proxy for AWS API Gateway
An OAuth proxy that runs in AWS API Gateway, to translate secure cookies to access tokens
OAuth Proxy for Azure API Management
An OAuth proxy module that runs in Azure API Management, to translate secure cookies to access tokens
Google Apigee API Management OAuth Proxy
An OAuth proxy module that runs in Google Apigee API Management, to translate secure cookies to access tokens
Kong OAuth Proxy Plugin
An OAuth proxy module that runs in the Kong API gateway, to translate secure cookies to access tokens
Device Authorization Grant
The OAuth 2.0 Device Authorization Grant solves the problem of authorizing a user on a device that lacks user-friendly input capabilities, such as a TV or console. The device displays a short user code and a verification URL; the user authenticates and approves out of band on a second device such as a phone, while the first device polls the token endpoint until the grant is approved, denied or expires.
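As an added example (not code from the linked tutorial or from the Curity Identity Server), both sides of the RFC 8628 exchange modelled in memory: the device authorization endpoint, the out-of-band approval on a second device, and the polling loop with its `authorization_pending`, `slow_down`, `access_denied` and `expired_token` responses. Client identifiers, the verification URL and the fake clock are assumptions made for the simulation.

```python
import secrets
from dataclasses import dataclass


class FakeClock:
    """Deterministic clock so the polling loop runs instantly and reproducibly."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    expires_at: float
    interval: int
    last_poll: float = float("-inf")
    status: str = "pending"            # pending | approved | denied


class AuthorizationServer:
    """In-memory model of the RFC 8628 endpoints (constructed for this example)."""
    USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # no vowels or look-alikes: easy to type, no accidental words

    def __init__(self, clock) -> None:
        self.clock = clock
        self.grants: dict[str, DeviceGrant] = {}    # keyed by device_code (the device's secret)
        self.pending: dict[str, DeviceGrant] = {}   # keyed by normalized user_code (what the human types)

    def device_authorization(self, client_id: str, scope: str, lifetime: int = 600, interval: int = 5) -> dict:
        raw = "".join(secrets.choice(self.USER_CODE_ALPHABET) for _ in range(8))
        grant = DeviceGrant(secrets.token_urlsafe(32), raw, client_id, scope, self.clock() + lifetime, interval)
        self.grants[grant.device_code] = grant
        self.pending[raw] = grant
        return {"device_code": grant.device_code, "user_code": f"{raw[:4]}-{raw[4:]}",
                "verification_uri": "https://as.example/device", "expires_in": lifetime, "interval": interval}

    def user_decision(self, typed_user_code: str, approve: bool) -> bool:
        """Second device, after the user authenticated there: approve or deny the grant shown on the first."""
        normalized = "".join(ch for ch in typed_user_code.upper() if ch.isalnum())   # tolerate case, spaces, hyphen
        grant = self.pending.pop(normalized, None)
        if grant is None or self.clock() > grant.expires_at:
            return False                   # unknown, already decided, or expired user_code
        grant.status = "approved" if approve else "denied"
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > grant.expires_at:
            self._drop(grant)
            return {"error": "expired_token"}
        if now - grant.last_poll < grant.interval:
            return {"error": "slow_down"}  # polled faster than the advertised interval
        grant.last_poll = now
        if grant.status == "pending":
            return {"error": "authorization_pending"}
        self._drop(grant)                  # terminal answer: device_code is single use either way
        if grant.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": grant.scope}

    def _drop(self, grant: DeviceGrant) -> None:
        self.grants.pop(grant.device_code, None)
        self.pending.pop(grant.user_code, None)


def run_device_client(server, clock, client_id: str, scope: str, on_wait=None) -> dict:
    """Device side: request codes, show user_code, poll until a terminal answer; never retry terminal errors."""
    start = server.device_authorization(client_id, scope)
    interval, polls = start["interval"], 0
    while True:
        polls += 1
        if on_wait:
            on_wait(polls, start["user_code"])   # stands in for the human acting on the second device
        resp = server.token(client_id, start["device_code"])
        if "access_token" in resp:
            return {"ok": True, "polls": polls, "scope": resp["scope"]}
        if resp["error"] == "authorization_pending":
            clock.sleep(interval)
        elif resp["error"] == "slow_down":
            interval += 5                          # RFC 8628 section 3.5: back off by 5 seconds
            clock.sleep(interval)
        else:
            return {"ok": False, "polls": polls, "error": resp["error"]}


def scenario(approve: bool, at_poll=2) -> dict:
    """Run one flow in which the simulated user decides just before poll number at_poll (None: never)."""
    clock = FakeClock()
    server = AuthorizationServer(clock)

    def human(polls: int, user_code: str) -> None:
        if polls == at_poll:
            server.user_decision(user_code.lower(), approve)   # typed in lower case on purpose

    return run_device_client(server, clock, "smart-tv-app", "read", human)
```

Two details matter more than the happy path: the device_code is a high-entropy secret bound to the client and consumed on the first terminal answer, while the user_code is short because a human types it, so it must not be accepted as a credential on its own and must expire quickly; and the client must stop on `access_denied` or `expired_token` rather than keep polling.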
Hybrid Flow
This tutorial explains how to obtain an OAuth access token using the hybrid flow. The guide includes step by step instructions for how to set it up and configure it in the Curity Identity Server.
Revoking OAuth Tokens
Learn how to revoke access and refresh tokens issued according to the OAuth standard
Refresh Tokens
This tutorial explains how to issue Refresh Tokens in the Curity Identity Server, control their lifetime, include/exclude them for certain clients, and use them to get new access tokens
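As an added example (not code from the linked tutorial or from the Curity Identity Server), an in-memory issuer that covers the points above: refresh tokens are issued only to clients on an allow list, carry an absolute lifetime, and are exchanged for new access tokens. It also adds refresh token rotation with reuse detection, a common hardening that is an assumption of this example rather than something the tutorial describes: each refresh token is single use, and presenting one twice revokes the whole family so a stolen copy cannot be replayed. Client identifiers, lifetimes and the fake clock are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


class FakeClock:
    """Deterministic clock for the example."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class RefreshToken:
    value: str
    family: str          # every token descending from one user grant shares a family
    client_id: str
    scope: str
    expires_at: float    # absolute: rotation does not extend it
    used: bool = False


class TokenIssuer:
    """In-memory refresh token issuance with rotation and reuse detection (constructed for this example)."""

    def __init__(self, clock, access_lifetime: int = 300, refresh_lifetime: int = 3600, clients_with_refresh=()):
        self.clock = clock
        self.access_lifetime = access_lifetime
        self.refresh_lifetime = refresh_lifetime
        self.clients_with_refresh = set(clients_with_refresh)   # policy: which clients may receive refresh tokens
        self.tokens: dict[str, RefreshToken] = {}               # used tokens stay here so replays are detectable

    def _access_response(self, scope: str) -> dict:
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.access_lifetime, "scope": scope}

    def _mint_refresh(self, family: str, client_id: str, scope: str, expires_at: float) -> str:
        rt = RefreshToken(secrets.token_urlsafe(32), family, client_id, scope, expires_at)
        self.tokens[rt.value] = rt
        return rt.value

    def issue_after_grant(self, client_id: str, scope: str) -> dict:
        """Called once the user has authorized, e.g. when the code flow redeems its authorization code."""
        resp = self._access_response(scope)
        if client_id in self.clients_with_refresh:
            family = secrets.token_urlsafe(16)
            resp["refresh_token"] = self._mint_refresh(family, client_id, scope,
                                                       self.clock() + self.refresh_lifetime)
        return resp

    def refresh(self, client_id: str, presented: str, scope: Optional[str] = None) -> dict:
        rt = self.tokens.get(presented)
        if rt is None or rt.client_id != client_id:
            return {"error": "invalid_grant"}
        if rt.used:
            # Same token presented twice: either the client lost a response or the token was stolen.
            # The server cannot tell which, so it revokes the whole family and forces a fresh login.
            self.revoke_family(rt.family)
            return {"error": "invalid_grant", "error_description": "refresh token reuse detected"}
        if self.clock() > rt.expires_at:
            self.revoke_family(rt.family)
            return {"error": "invalid_grant", "error_description": "refresh token expired"}
        granted = set(rt.scope.split())
        wanted = granted if scope is None else set(scope.split())
        if not wanted <= granted:
            return {"error": "invalid_scope"}   # a refresh may narrow the scope, never widen it
        rt.used = True
        new_scope = " ".join(sorted(wanted))
        resp = self._access_response(new_scope)
        resp["refresh_token"] = self._mint_refresh(rt.family, client_id, new_scope, rt.expires_at)
        return resp

    def revoke(self, client_id: str, token: str) -> None:
        """Revocation endpoint in the style of RFC 7009: revoking a refresh token ends its whole family.
        The response is the same for unknown tokens, so callers cannot probe which values exist."""
        rt = self.tokens.get(token)
        if rt is not None and rt.client_id == client_id:
            self.revoke_family(rt.family)

    def revoke_family(self, family: str) -> None:
        for value in [v for v, t in self.tokens.items() if t.family == family]:
            del self.tokens[value]
```

Note that the access tokens here are opaque random strings; revoking a family only stops further refreshes, and any access token already issued stays valid until its short `expires_in` elapses unless the API introspects tokens against the issuer.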
Client Credentials Flow
OAuth has a flow called client credentials that is useful when requests to your APIs do not involve a user. With the client credentials flow, a server authenticates as itself to the authorization server and receives an access token, so it can call your API without the API needing any modification: the API validates the token exactly as it does for user tokens.
User Consent
Handling user consent for claims
Code Flow
This tutorial explains how to obtain an OAuth access token using the code flow, a popular message exchange pattern used by server-based applications. The guide includes step by step instructions for how to set it up and configure it in the Curity Identity Server.
Implicit Flow
Using the OAuth 2.0 Implicit Flow
Videos
MCP Client — Just Another OAuth Client?
A Decade of Identity Innovation: Curity at 10
OAuth Well Played – Mods and Combos for the Cloud Native API Security Game
Show Me Your Wallet to Tell Me Who You Are - Using Verifiable Credentials with OAuth
Ditch the Browser, Native API-Driven App Authentication with Passkeys
Test Different OAuth Flows Using OAuth Tools
OAuth Device Flow
OAuth and OpenID Connect - What's next?
Using Custom Token Issuers in the Curity Identity Server
OAuth Tokens As Your Identity API
Scalable API Security Using OAuth
Financial Grade APIs Using OAuth and OpenID Connect
Securing APIs in a Cloud Native Environment Using OAuth
Securing APIs and Microservices with OAuth and OpenID Connect
OAuth and OpenID Connect for PSD2 and Third-Party Access
REST API Overview with Integration of CLI & UI