Book “OAuth 2.0 Identity and Access Management Patterns” is available
I’m proud to announce that the first book I authored, OAuth 2.0 Identity and Access Management Patterns, is out and available for purchase.
Background #
OAuth 2 is a protocol with which I had been working at my day job on several occasions, so the practical experience and previous research done on this topic were very useful (just to note, I have been working with OpenID and Persona as well).
When the team at Packt Publishing contacted me, I was happy to author a book on this topic.
What is the book about? #
First, a short intro to OAuth: We use OAuth every day, for example: I want my Foursquare check-ins to be auto-posted on Facebook. So I go into Foursquare and choose to add a Facebook account. Then I am redirected to Facebook, where it asks me if I want to approve the application request – I say yes or no – and then I am redirected back to Foursquare. In this final step, if the decision was yes, Foursquare gets a unique ‘token’ for my Facebook user, and with that token it can post status updates in my name.
So OAuth basically specifies how this authorization process should work and which data is exchanged in the background between the servers and applications. OAuth 2 is in use by all the ‘big players’: Google, Amazon, Facebook, LinkedIn, and so on… So, to the earlier question of whether it is a hot topic: it may not be the hottest topic at the moment, but it’s a pretty important one.
The book (in short): Covers how to implement OAuth 2 in all types of applications: web, client-side, desktop, mobile; explains the protocol in detail and outlines the security precautions that should be taken into consideration. All of it with code examples.
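The redirect-approve-redirect-back exchange described above, as an added example that is not from the book or the original post: the client builds the authorization request with a fresh `state`, a stand-in for the provider's consent page answers with a code (or an error), and the callback handler checks the `state` before exchanging the single-use code for a token. The endpoint URLs, client id and scope are constructed placeholders; the provider and token endpoint are simulated in-process rather than over HTTP.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: a real client uses the provider's registered values.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example/callback"


def build_authorize_url(session):
    """Step 1: send the user to the provider, remembering an unguessable state."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "post_status",
              "state": session["oauth_state"]}
    return AUTHORIZE_URL + "?" + urlencode(params)


def provider_approve(authorize_url, user_approves, issued_codes):
    """Step 2 (simulated provider): the user says yes or no on the consent page,
    and the provider redirects back with either a code or an error."""
    q = parse_qs(urlparse(authorize_url).query)
    params = {"state": q["state"][0]}  # state is echoed back unchanged
    if user_approves:
        code = secrets.token_urlsafe(8)
        issued_codes[code] = q["client_id"][0]  # code is bound to this client
        params["code"] = code
    else:
        params["error"] = "access_denied"
    return q["redirect_uri"][0] + "?" + urlencode(params)


def handle_callback(session, callback_url, issued_codes):
    """Step 3 (client): verify the state, then exchange the code for a token."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # one callback per state
    if expected is None or q.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in q:
        return None  # user declined; no token is issued
    code = q["code"][0]
    # Simulated token endpoint: the code is single-use and must match the client.
    if issued_codes.pop(code, None) != CLIENT_ID:
        raise ValueError("unknown or already-used authorization code")
    return {"access_token": "tok-" + code, "token_type": "bearer"}
```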
But, aren’t there already books on OAuth 2? #
Yes there are. What is different about this book:
- The approach to the protocol/framework: instead of writing a chapter for each authorization flow, there is a chapter for each application type, which discusses which authorization flow is applicable for that application type and then covers that flow in detail;
- The code examples: each authorization flow is covered with examples, which run as standalone applications out of the box (the reader just has to insert the token/secret, etc.; the needed information is described in a README.txt file for each example and in the book as well);
- More security considerations: there are two chapters regarding security: one on general security considerations and precautions that developers have to take, covering all flow scenarios; and one on integrating SAML with OAuth 2. No other OAuth 2.0 book that I know of covers this that well.
What do I get as a reader? #
Key features of this book are:
- Build web, client-side, desktop, or server-side secure OAuth 2.0 client applications by utilizing the appropriate grant flow for the given scenario. Get to know OAuth 2’s inner workings and be able to handle and implement the various authorization flows with understanding.
- Learn which features OAuth 2 provides regarding security and which precautions should be taken into consideration.
- Explore practical code examples, which are also executable as standalone applications running on top of Spring MVC.
On what information is the book based? #
When writing the book I did extensive research on the RFC documents that deal with OAuth 2; these are the main ones:
- OAuth 2.0 spec;
- OAuth 2.0 Threat Model and Security Considerations;
- The OAuth 2.0 Authorization Framework - Bearer Token Usage;
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants;
- SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants;
Feedback #
If you read the book and have a comment or an opinion, let me know! If you found something that you think can be improved in the book, go to Packt’s book page and submit errata in the Support section. Thanks!