DEV Community

loading...

Discussion on: Dancing with OAuth: a step by step guide

Collapse
thebouv profile image
Anthony Bouvier

I'd like to see this same simple explanation of OAuth when it is app-to-app. There's not a ton of difference really, but go trying to search for a simple explanation on doing OAuth when there is no "user" there for initiating and accepting steps. I've always wanted a great way to help new devs with that -- because they always get hung up on all tutorials focusing on user instead of app-to-app.

Collapse
anabella profile image
anabella Author

Hi Anthony!

I'm a newbie myself, so I've never heard about app-to-app OAuth flows and I can't really think of how it could work.

Could you provide a simple example or use case for something like that?

Thank you in advance! :)

Collapse
thebouv profile image
Anthony Bouvier

Funny, I've almost never had the need to build out a user-initiated OAuth flow. :)

The way I'd normally use app-to-app is having some server side code that needs to talk to an API like pulling down tweets from Twitter, inventory from some ecommerce API, etc. Your app has to be able to work through OAuth without the user accepting anything -- there is no user to click the button!

In the OAuth2 spec the grant type of client_credentials is what does this.

Seems simple, but a wonderful walkthrough like what you made for user auth is something I've always wanted to be able to hand off to my team when this sort of thing comes up. Often the docs for APIs we talk to just never go over client_credential flow instead of user auth flow (LOTS of them lack this documentation); so a junior member might get stuck trying to figure it out for quite a while.

It's not complicated -- if anything it is simpler than user auth. But once you get into expiring keys, re-authing, etc it could get interesting.

I really enjoyed your article. Hope to see more from you! :)