U**B
Probably THE book on building OAuth 2.0 clients and servers
This book was published by OKTA, a company that does a lot to make web security accessible. I've bought books with similar subject matter (namely, web authorization) that were thinly-veiled or blatant book-long ads for some company's proprietary paid product. OKTA legitimately has one of the best SaaS auth services, so I wouldn't have blamed them for similar drivel.

That's what makes this book special: it is a real, in-depth look at the OAuth 2.0 spec by people who understand this subject deeply, and a guide to rolling your own solution. Once again, the solution could've been "go to our website and download our product, install our services and give us money", but you won't find that here. It shouldn't be as surprising as it is for someone to cover this important part of web auth without pointing you to a pre-existing service, but try following established publishers' similar offerings. It's a little less surprising, though, when you realize OKTA is well-known for hiring developers who are passionate about maintaining the openness of the web.

Relevantly, the author of this book, Aaron Parecki, is a W3C contributor and co-founder of IndieWebCamp, so you can tell he's personally invested in the open web.

OAuth isn't a protocol intended to allow the complexity of web security associated with authorization to be captured by a handful of companies with sufficient resources to offer SaaS solutions... and yet that's kind of how things turned out. This book is a good step in the other direction: where people understand the protocol and only choose a SaaS to alleviate overhead, rather than to obscure and defer complexity.
K**M
Good description, but lacking some explanations
Pros: This book provides a solid overview. It is accessible to those not already familiar with OAuth and will provide you with a much more detailed understanding of the framework. Expect to be able to get through it in a weekend if you put your mind to it.

Cons: At several points in the book it puts forward security-based best practices, but fails to give the necessary explanation to allow the reader to understand and believe them. To cite a couple of instances:

- On page 24 it describes the importance of using a state parameter to prevent your app from being tricked into sending an attacker's authorization code, but leaves the reader looking elsewhere to figure out how such an attack would actually deliver any value to the attacker.
- On page 54 the implicit authorization flow seems to be pretty heavily discouraged relative to other options, but the motivation for this is lacking. Looking at other sources online and from Okta seems to indicate it is the recommended path in some situations, leaving the reader confused as to why it seems so discouraged throughout the book.
- Chapter 15 describes the security risks of using embedded web views in native apps, but doesn't clearly articulate whose security risk it is. As a book likely being read by multiple types of developers, it should clearly articulate whether this is a security risk for a native app developer (which it doesn't appear to be if they consider themselves to be good actors) or strictly for OAuth providers (which appears to be more the case).

Overall it is a good resource and I'd happily lend it out to my peers if they are interested in the topic, but if they were wanting to buy a book for their own library I'd probably recommend they try a different book available around the ~$20 price point rather than the ~$40 price here.
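The state-parameter attack that this reviewer says page 24 leaves unexplained is the login CSRF (authorization-code injection) that RFC 6749 section 10.12 warns about. What follows is an added Python example, not code from the book, from the author, or from Okta: a minimal authorization-code client whose callback handler binds the state value to the browser session, plus a constructed scenario in which the attacker plants their own authorization code in the victim's browser. The client ID, endpoints, the code store and the account names are assumptions made for the simulation, and the token exchange is a stand-in dictionary lookup rather than a real HTTP request.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the authorization server's code store (assumption):
# maps each issued authorization code to the account that authorized it.
ISSUED_CODES = {
    "code-issued-to-victim": "victim@example.com",
    "code-issued-to-attacker": "attacker@example.com",
}

CLIENT_ID = "demo-client"                              # assumed client id
REDIRECT_URI = "https://app.example/callback"          # assumed redirect URI
AUTHORIZE_ENDPOINT = "https://as.example/authorize"    # assumed AS endpoint


class StateMismatch(Exception):
    """Callback state is missing or does not match the one stored in the session."""


def begin_authorization(session: dict) -> str:
    """Start the authorization-code flow: mint an unguessable state, store it
    in this browser's session, and build the redirect URL to the AS."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def exchange_code(code: str) -> str:
    """Stand-in for the token request: returns the account the code belongs to."""
    try:
        return ISSUED_CODES[code]
    except KeyError:
        raise ValueError("unknown or expired authorization code") from None


def handle_callback(session: dict, callback_url: str, check_state: bool = True) -> str:
    """Process the redirect back to the client and link the resulting account
    to the session. check_state=True is the correct behaviour; check_state=False
    models a client that skips the check, as the attack scenario below needs."""
    params = parse_qs(urlparse(callback_url).query)
    code = params.get("code", [None])[0]
    returned_state = params.get("state", [None])[0]
    if code is None:
        raise ValueError("callback carries no authorization code")
    if check_state:
        expected = session.pop("oauth_state", None)  # one-time use
        if (expected is None or returned_state is None
                or not secrets.compare_digest(expected, returned_state)):
            raise StateMismatch("state missing or does not match this session")
    account = exchange_code(code)
    session["linked_account"] = account
    return account


def honest_scenario() -> str:
    """The normal flow: the AS redirects back with the same state we sent."""
    session = {}
    begin_authorization(session)
    url = REDIRECT_URI + "?" + urlencode({
        "code": "code-issued-to-victim",
        "state": session["oauth_state"],
    })
    return handle_callback(session, url)


def login_csrf_scenario(check_state: bool) -> str:
    """The attacker runs the first leg of the flow in their own browser, captures
    the redirect carrying *their* code, and gets the victim's browser to load it
    (e.g. via an image tag or a link). Returns the account the victim's session
    ends up linked to, or 'rejected' if the state check stops it."""
    attacker_session = {}
    begin_authorization(attacker_session)
    poisoned_url = REDIRECT_URI + "?" + urlencode({
        "code": "code-issued-to-attacker",
        "state": attacker_session["oauth_state"],   # the attacker's state, not the victim's
    })
    victim_session = {}
    begin_authorization(victim_session)  # victim may have a pending flow with a different state
    try:
        return handle_callback(victim_session, poisoned_url, check_state=check_state)
    except StateMismatch:
        return "rejected"
```

With the check in place the victim's session rejects the callback, because the state in the URL was minted for a different browser. Without it, the victim's account in the client is silently linked to the attacker's identity at the provider; that is the attacker's payoff: anything the victim later stores through that link, or any later "log in with this provider" step, lands in or is reachable from the attacker's account.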
K**M
A good starter book
This book is a great start to dive into OAuth 2, I like the examples and the description of each concept.
H**N
Not the best book.
Although the author added a lot of details and flows, we really could use some diagrams for the request flow; it would help a lot to study and see the difference between each client type.

The sample of each call is not consistent in format. For example, one is shown as <a href="....", a later call is only the link https://..., and a later call is in curl style (which I think is the best; all other samples should follow this format):

POST /oauth/....
<body>

It's a nice book, but if the author spends more time to improve it, it'd be great.
T**U
Clear and easy to understand
This book does not bind to any framework or language, though the examples are in Python. It is like a rewriting of the OAuth2 specification in an easier-to-understand way. It is a must-have book for people who want to learn OAuth 2.0.
J**A
Good book, needs more diagrams.
The author is very knowledgeable, considering his position in the OAuth community.

The book has plenty of text, screenshots, and code snippets. But it needs more diagrams of flows, especially in the beginning.
R**S
The Best Book on OAuth (from one of its authors)
Aaron Parecki is one of the most knowledgeable people in the world on OAuth. He gives amazing presentations on OAuth, does professional training on it, and has written a ton of excellent articles online about it.

I picked up this book from Aaron himself, read through it, and was blown away. This book is the most comprehensive walkthrough of OAuth2 that exists today. Aaron does a great job of explaining the specifications: what you need to know, and all the gotchas along the way.

OAuth is a complex framework of protocols, and this book is an invaluable guide that really helps you *understand* what you need to know to be successful with OAuth. I'd definitely recommend reading it if you're a web developer or security architect tasked with building or integrating with OAuth applications.
A**I
Available under a different name: OAuth 2.0 Simplified
This book was never released under this name, but is available here: OAuth 2.0 Simplified
D**Y
The best introduction I have read
Parecki's writing style is extremely lucid. I disagree with a reviewer who said that the book is repetitive: it pitches the right balance between concepts and RFC detail, and some summarising is sensible, as OAuth2 uses terms such as 'user' that have very specific meanings.

And to correct another reviewer's comment: the client coding examples are in PHP, not Python.

Compared with the familiar Basic Authentication, OAuth2 is several steps up in complexity, particularly if authentication, authorisation and access-token issue is from Microsoft's Identity Platform (with permissions from Microsoft Graph via Azure AD) and not Google's simpler equivalent, and it would have helped if a Microsoft client example had been included, particularly as Microsoft are now 'deprecating' (trying to phase out) Basic Authentication altogether.

Although the different client types (web, single page, native and mobile, ...) are covered, it would also have been useful to structure a section around the different grant types (ROPC, client credentials, ...), as the client types to a large extent determine the grant types they use (although implicit grant is indeed covered).

Much of the text is abstracted from Okta's website, and could be read online, but the paperback form is an easier read, if a bit pricey.

There was no index, hence only four stars.