Have you ever tried to use an API that belongs to a large corporation like Spotify, Twitter, or Facebook? If you have you've most certainly run into OAuth 2.0. The first time I saw it like most I was pretty confused, and I didn't really understand it. Eventually I came to grips with it a bit, but never really intuitively understood it. I would just google "why isn't x working" and "this thing failed what does that mean?" until I got things working. It wasn't until I found the resources below that I really understood how things worked.
a quick note: I'll use OAuth and OAuth 2.0 interchangeably. They are different, but here I'm always referring to OAuth 2.0
OAuth 2.0 and OpenID Connect in plain english - This is a video from Okta (an identity and access management company), and they do the best job I've ever seen of explaining OAuth 2.0. Personally this video took me from kinda understanding OAuth to intimately understanding it. Nate (the guy in the video) explains what things where like before OAuth 2.0, what problems it solves, how it works at a high level and detailed level, and finally does some demos to really solidify everything. One thing I really enjoyed about this video is that it talks about OAuths historical context, which isn't usually mentioned. That context provides the information for what OAuth is trying to do and why. I can't recommend this video enough. If you've struggled with OAuth in any way I think this video will help tremendously. It's one of the few resources I've found that actually makes OAuth simple to understand (finally!).
OAuth 2.0 Simplified - Describes its self as "... a guide to building an OAuth 2.0 server. Through high-level overviews ..." I think most people won't need to know how to build an OAuth 2.0 server. That being said, it's still a great resource filled with valuable knowledge. Additionally, sometimes in order to learn things we need to look at them from different angles, and implementation is an angle worthwhile viewing. This resource is separated into 25ish articles. It covers everything from client registration to authorization grant types. If you're not understanding how a particular part of OAuth works then this is a great place to look.
OAuth 2.0 RFC - The RFC (Request for comments) is where OAuth 2.0 is specified. Every detail you could possibly want to know about OAuth 2.0 is in here somewhere. It's a lengthy document so prepare a cup of coffee before you sit down and read the thing.
If you want to understand OAuth 2.0 at an intuitive level then I'd recommend these resources.
- OAuth 2.0 and OpenID Connect in plain english
- Okta oauth website
On top of these resources I'd also suggest getting your hands dirty. Spotify is a great example of an OAuth API you can play with. Additionally, Spotify has published an authorization guide that shows you how OAuth functions with their API.
Finally if you truly want to be an OAuth master then use the above resources and read the RFC in it's entirety
- OAuth 2.0 RFC
That's that! If you enjoyed this article then you can stay up to date with my writings at Learning Computations. Every week you'll get an email covering a CS/programming topic that includes resources, info, and a path for learning that particular topic!