OAuth 2.0 and API Authorization

Wilson, Yvonne; Hingnikar, Abhishek

doi:10.1007/978-1-4842-5095-2_5

Yvonne Wilson³ &
Abhishek Hingnikar⁴

1279 Accesses

Abstract

Modern applications are often designed around APIs. APIs enable applications to reuse logic and take advantage of innovative services. APIs provide access to valuable data or services, but they typically need to restrict API access to authorized parties. Applications therefore need authorization to call APIs. If an application wants to call an API on a user’s behalf to access resources owned by the user, it needs the user’s consent. In the past, a user often had to share their credentials with the application to enable such an API call on their behalf. This gave the application an unnecessary amount of access, not to mention the responsibility of safeguarding the credential! In this chapter, we will cover how the OAuth 2.0 framework provides a better solution for authorizing applications to call APIs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 34.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
The mechanism by which a user is authenticated to provide consent is outside the OAuth 2.0 specification. It is shown in the diagram (steps 3 and 4) to show where it occurs in the sequence.
2.
The parameters for all of the examples may vary somewhat for your specific provider. See also the OAuth2.0 specification for additional optional parameters.
3.
The mechanism by which a user is authenticated to provide consent is outside the OAuth 2.0 specification. It is shown in the diagram (steps 3 and 4) to show where it occurs in the sequence.
4.
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.2
5.
The mechanism by which the application obtains the user credentials is outside the OAuth 2.0 specification. It is shown in the diagram (steps 2 and 3) to provide a more complete picture of the solution.

Author information

Authors and Affiliations

San Francisco, CA, USA
Yvonne Wilson
London, UK
Abhishek Hingnikar

Authors

Yvonne Wilson
View author publications
You can also search for this author in PubMed Google Scholar
Abhishek Hingnikar
View author publications
You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Wilson, Y., Hingnikar, A. (2019). OAuth 2.0 and API Authorization. In: Solving Identity Management in Modern Applications. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-5095-2_5

Download citation

DOI: https://doi.org/10.1007/978-1-4842-5095-2_5
Published: 19 December 2019
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-5094-5
Online ISBN: 978-1-4842-5095-2
eBook Packages: Professional and Applied ComputingProfessional and Applied Computing (R0)Apress Access Books

Publish with us

Policies and ethics