
Discussion on: Dancing with OAuth: a step by step guide

Anthony Bouvier

Funny, I've almost never had the need to build out a user-initiated OAuth flow. :)

The way I'd normally use app-to-app is having some server side code that needs to talk to an API like pulling down tweets from Twitter, inventory from some ecommerce API, etc. Your app has to be able to work through OAuth without the user accepting anything -- there is no user to click the button!

In the OAuth2 spec the grant type of client_credentials is what does this.

Seems simple, but a wonderful walkthrough like what you made for user auth is something I've always wanted to be able to hand off to my team when this sort of thing comes up. Often the docs for APIs we talk to just never go over the client_credentials flow instead of the user auth flow (LOTS of them lack this documentation); so a junior member might get stuck trying to figure it out for quite a while.

It's not complicated -- if anything it is simpler than user auth. But once you get into expiring keys, re-authing, etc., it could get interesting.

I really enjoyed your article. Hope to see more from you! :)
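An added example (not code from the article or from the commenter) of the app-to-app client_credentials grant discussed above, including the expiry and re-auth wrinkle the comment mentions. The token URL, the injectable `transport` and `clock` parameters and the 30-second refresh skew are assumptions made so the client can be exercised offline.

```python
import base64
import json
import time
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

REFRESH_SKEW = 30  # assumed margin (seconds): renew before the token actually expires


def http_post_form(url, form, headers):
    """Default transport: POST a form body to the token endpoint, decode the JSON reply."""
    req = Request(url, data=urlencode(form).encode(), headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsClient:
    """Obtains and caches an access token via the client_credentials grant (RFC 6749 4.4)."""

    def __init__(self, token_url, client_id, client_secret, scope=None,
                 transport=http_post_form, clock=time.time):
        self.token_url, self.scope = token_url, scope
        # The client authenticates itself with HTTP Basic (RFC 6749 2.3.1): id and secret
        # are form-encoded first, then base64'd. No user is involved at any point.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        self._auth_header = "Basic " + base64.b64encode(creds).decode()
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def _fetch_token(self):
        form = {"grant_type": "client_credentials"}
        if self.scope:
            form["scope"] = self.scope
        headers = {"Authorization": self._auth_header,
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = self._transport(self.token_url, form, headers)
        if "error" in body or "access_token" not in body:
            raise RuntimeError(f"token request failed: {body.get('error', 'no access_token')}")
        # expires_in is optional in the spec; a missing value means "re-auth on every call"
        lifetime = float(body.get("expires_in", 0))
        self._token = body["access_token"]
        self._expires_at = self._clock() + lifetime
        return self._token

    def get_token(self):
        """Return the cached token, re-authenticating when it is expired or about to expire."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_SKEW:
            return self._fetch_token()
        return self._token
```

Send the returned value as `Authorization: Bearer <token>` on API calls; the cache keeps the server-side job from hitting the token endpoint on every request while still re-authenticating before the key lapses.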