OAuth 2.0

OAuth 2.0

Explore OAuth 2.0. What is it and how can you best implement it?

OAuth 2.0 is the industry-standard protocol for authorization and access delegation. It specifies a process for resource owners to authorize third-part access to their resources without sharing their credentials. OAuth facilitates fast and secure authentication and authorization for users to APIs, servers, devices and apps. It does this without sharing password information and instead uses access tokens to prove an identity, keeping user credentials safe.

Supported OAuth 2.0 RFCs

Supported OAuth 2.0 RFCs

An overview of the OAuth 2.0 related standards and their support in the Curity Identity Server.

Pushed Authorization Requests (PAR)

Pushed Authorization Requests (PAR)

What is PAR, and how does it help improve security for financial-grade APIs?

Client Assertions and the JWKS URI

Client Assertions and the JWKS URI

Protecting APIs with strong security by requiring clients to authenticate using JWT client assertions

Mutual TLS Sender Constrained Access Tokens

Mutual TLS Sender Constrained Access Tokens

Use mutual TLS to harden the use of access tokens, so that an attacker cannot use stolen tokens to gain API access.

Mutual TLS Client Authentication

Mutual TLS Client Authentication

What is Mutual TLS, and how does Client Authentication with Mutual TLS work?

OAuth Revoke Flow

OAuth Revoke Flow

Learn how OAuth 2.0 token revocation works to securely revoke access and refresh tokens, enhance security, and prevent unauthorized access.

OAuth Refresh

OAuth Refresh

The OAuth Refresh Tokens and Flow Explained.

OAuth Device Flow

OAuth Device Flow

Learn how OAuth 2.0 Device Flow enables secure authentication on input-constrained devices like smart TVs and consoles: easy setup and seamless user experience.

OAuth Resource Owner Password Credentials Flow

OAuth Resource Owner Password Credentials Flow

The OAuth Resource Owner Password Credentials Flow Explained.

OAuth Client Credentials Flow

OAuth Client Credentials Flow

The OAuth Client Credentials Flow Explained.

OAuth Token Exchange Flow

OAuth Token Exchange Flow

OAuth 2.0 Token Exchange Explained.

OAuth Implicit Flow

OAuth Implicit Flow

The OAuth Implicit flow explained.

Demonstrating Proof of Possession Overview

Demonstrating Proof of Possession Overview

What is Demonstrating Proof of Possession (DPoP), and how can it be used to improve the security of public clients.

OAuth Code Flow

OAuth Code Flow

The OAuth Code Flow Explained.

Proof Key for Code Exchange Overview

Proof Key for Code Exchange Overview

Learn how the Proof Key for Code Exchange (PKCE) should be used in the OAuth server.

Which OAuth Flow Should I Use?

Which OAuth Flow Should I Use?

Learn how to select the right OAuth 2.0 flow for your app, including code flow, client credentials flow, device flow, and more for various use cases.

OAuth 2.0 Overview

OAuth 2.0 Overview

An overview of the OAuth 2.0 authorization framework, summarizing the roles of resource owner, client, resource server and authorization server.

How-tos

Google Apigee API Management OAuth Proxy

Google Apigee API Management OAuth Proxy

An OAuth proxy module that runs in Google Apigee API Management, to translate secure cookies to access tokens

OAuth Proxy for AWS API Gateway

OAuth Proxy for AWS API Gateway

An OAuth proxy that runs in AWS API Gateway, to translate secure cookies to access tokens

OAuth Proxy for Azure API Management

OAuth Proxy for Azure API Management

An OAuth proxy module that runs in Azure API Management, to translate secure cookies to access tokens

NGINX OAuth Proxy Module

NGINX OAuth Proxy Module

An OAuth proxy module that runs in the NGINX API gateway, to translate secure cookies to access tokens

OpenResty OAuth Proxy Plugin

OpenResty OAuth Proxy Plugin

An OAuth proxy module that runs in the OpenResty API gateway, to translate secure cookies to access tokens

Kong OAuth Proxy Plugin

Kong OAuth Proxy Plugin

An OAuth proxy module that runs in the Kong API gateway, to translate secure cookies to access tokens

Device Authorization Grant

Device Authorization Grant

The OAuth 2.0 Device Authorization Grant solves the problem of authenticating a user on a device that does not have user friendly input capabilities. Authentication instead takes place out-of-band on a different device.

User Consent

User Consent

Handling user consent for claims

Resource Owner Password Flow

Resource Owner Password Flow

This tutorial explains how to use the Resource Owner Password Credential Flow (ROPC) to obtain tokens from the Curity Identity Server.

Revoking OAuth Tokens

Revoking OAuth Tokens

Learn how to revoke access and refresh tokens issued according to the OAuth standard

Refresh Tokens

Refresh Tokens

This tutorial explains how to issue Refresh Tokens in the Curity Identity Server, control their lifetime, include/exclude them for certain clients, and use them to get new access tokens

Client Credentials Flow

Client Credentials Flow

OAuth has a flow called client credentials, that comes in handy when there are requests to your APIs that are not involving a user. Using the Client Credentials flow, it's possible to let servers communicate with your API without modifying the APIs themselves.

Hybrid Flow

Hybrid Flow

This tutorial explains how to obtain an OAuth access token using the hybrid flow. The guide includes step by step instructions for how to set it up and configure it in the Curity Identity Server.

Implicit Flow

Implicit Flow

Using the OAuth 2.0 Implicit Flow

Code Flow

Code Flow

This tutorial explains how to obtain an OAuth access token using the code flow, a popular message exchange pattern used by server-based applications. The guide includes step by step instructions for how to set it up and configure it in the Curity Identity Server.

Videos

A Decade of Identity Innovation: Curity at 10
OAuth Well Played – Mods and Combos for the Cloud Native API Security Game
Show Me Your Wallet to Tell Me Who You Are - Using Verifiable Credentials with OAuth
Ditch the Browser, Native API-Driven App Authentication with Passkeys
Test Different OAuth Flows Using OAuth Tools
OAuth Device Flow
OAuth and OpenID Connect - What's next?
Using Custom Token Issuers in the Curity Identity Server
OAuth Tokens As Your Identity API
Scalable API Security Using OAuth
Financial Grade APIs Using OAuth and OpenID Connect
Securing APIs in a Cloud Native Environment Using OAuth
Securing APIs and Microservices with OAuth and OpenID Connect
OAuth and OpenID Connect for PSD2 and Third-Party Access
REST API Overview with Integration of CLI & UI