Published in OAuth 2 · Jan 9, 2020
Pushed Authorization Requests Draft adopted by OAuth Working Group
The OAuth Working Group recently adopted the Pushed Authorization Requests (PAR) draft as a working group document, which is an important step on its way to becoming an RFC. PAR improves the robustness and security of the OAuth code flow in a very simple way. Instead of sending all authorization request…
API · 4 min read
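The mechanism the teaser starts to describe, as an added example that is not code from the original post or from the working group draft: the client pushes the full set of authorization parameters to the authorization server over the back channel, gets back a short-lived, single-use `request_uri`, and sends the browser to the authorization endpoint with only `client_id` and `request_uri`. The shape follows PAR as later standardized in RFC 9126; the endpoint paths, the client registration, the 60-second lifetime and the in-memory store are assumptions for the demo.

```python
"""Minimal simulation of OAuth Pushed Authorization Requests (PAR).

Added example, not code from the original post or the draft. Follows the
PAR mechanism as later standardized in RFC 9126; the client registration,
endpoint paths, request_uri lifetime and in-memory store are assumed.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # prefix mandated by PAR
REQUEST_URI_TTL = 60  # seconds; PAR requires a short lifetime (value assumed)

# Assumed client registration for the demo.
CLIENTS = {
    "s6BhdRkqt3": {"secret": "hunter2", "redirect_uris": ["https://client.example.org/cb"]},
}


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pushed = {}  # request_uri -> (client_id, params, expiry)

    def par_endpoint(self, client_id, client_secret, params):
        """POST /as/par: authenticate the client and store the pushed request.

        The parameters never travel through the browser, and the AS can reject
        malformed or unauthorized requests before any redirect happens.
        """
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            raise PermissionError("invalid_client")
        if "request_uri" in params:
            raise ValueError("invalid_request: request_uri not allowed in a PAR body")
        if params.get("client_id") not in (None, client_id):
            raise ValueError("invalid_request: client_id mismatch")
        if params.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("invalid_request: unregistered redirect_uri")
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._pushed[request_uri] = (client_id, dict(params), self._clock() + REQUEST_URI_TTL)
        return {"request_uri": request_uri, "expires_in": REQUEST_URI_TTL}

    def authorization_endpoint(self, query):
        """GET /as/authorize?client_id=...&request_uri=...: resolve the pushed request.

        The request_uri is consumed on first use (pop), must belong to the client
        named in the front-channel query, and must not have expired.
        """
        q = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
        entry = self._pushed.pop(q.get("request_uri", ""), None)
        if entry is None:
            raise ValueError("invalid_request: unknown or already used request_uri")
        client_id, params, expiry = entry
        if q.get("client_id") != client_id:
            raise ValueError("invalid_request: client_id does not match pushed request")
        if self._clock() > expiry:
            raise ValueError("invalid_request: request_uri expired")
        return params


def build_authorization_url(as_base, client_id, request_uri):
    """The only parameters the browser ever sees: client_id and request_uri."""
    return as_base + "/as/authorize?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def run_par_flow():
    """End to end: push, redirect, resolve. Returns the parameters the AS resolved."""
    srv = AuthorizationServer()
    pushed = srv.par_endpoint("s6BhdRkqt3", "hunter2", {
        "response_type": "code",
        "redirect_uri": "https://client.example.org/cb",
        "scope": "openid payments",
        "state": "af0ifjsldkj",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256",
    })
    url = build_authorization_url("https://as.example.com", "s6BhdRkqt3", pushed["request_uri"])
    return srv.authorization_endpoint(url.split("?", 1)[1])


if __name__ == "__main__":
    print(run_par_flow())
```

The three checks in `authorization_endpoint` are what make the flow robust: a `request_uri` cannot be replayed, cannot be presented by a different client than the one that pushed it, and cannot be hoarded and used later.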
Published in OAuth 2 · Sep 21, 2019
Rich OAuth 2.0 Authorization Requests
It’s been a while since I blogged about the new challenges arising from open banking and other use cases when it comes to OAuth authorization requests. Meanwhile, I have been entertaining my ideas with a lot of smart people in the community, combined them with existing proposals, such as the…
API · 3 min read
Published in OAuth 2 · Apr 20, 2019
Transaction Authorization or why we need to re-think OAuth scopes
Have you ever come across limitations of the way OAuth expresses the requested scope of an access token? Well, I have several times in the course of the last couple of years in the areas of open banking and remote electronic signature creation. Let’s take the example of a payment…
API · 10 min read
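The limitation both of the preceding entries (rich authorization requests and transaction authorization) are about, as an added example that is not code from either post: a flat scope such as `payments` can only name a category of access, so a resource server holding such a token learns nothing about which payment the user actually approved. A structured `authorization_details` element binds the grant to one concrete transaction. The JSON shape follows the payment example of OAuth Rich Authorization Requests as later standardized in RFC 9396; the `payment_initiation` type registry, the validation rules and the enforcement function are assumptions for this demo.

```python
"""Structured transaction authorization versus a flat OAuth scope.

Added example, not code from the original posts. The authorization_details
shape follows RFC 9396's payment example; the type registry, validation
rules and resource-server check are assumptions for this demo.
"""
import json
from decimal import Decimal, InvalidOperation

# A flat scope can only name a category of access.
FLAT_SCOPE = "payments"

# A structured element binds the grant to one transaction. Constructed sample
# request; field names follow the RFC 9396 payment_initiation example.
AUTHORIZATION_DETAILS = [{
    "type": "payment_initiation",
    "actions": ["initiate", "status", "cancel"],
    "locations": ["https://example.com/payments"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant A",
    "creditorAccount": {"iban": "DE02100100109307118603"},
}]

# Assumed registry: the types this AS understands and the fields each requires.
TYPE_SCHEMAS = {
    "payment_initiation": {"actions", "locations", "instructedAmount", "creditorName", "creditorAccount"},
}
ALLOWED_ACTIONS = {"payment_initiation": {"initiate", "status", "cancel"}}


def validate_authorization_details(details):
    """AS-side check: only accept elements the AS can evaluate and present to the user."""
    if not isinstance(details, list) or not details:
        raise ValueError("invalid_authorization_details: must be a non-empty array")
    for element in details:
        schema = TYPE_SCHEMAS.get(element.get("type"))
        if schema is None:
            raise ValueError(f"invalid_authorization_details: unknown type {element.get('type')!r}")
        missing = schema - element.keys()
        if missing:
            raise ValueError(f"invalid_authorization_details: missing {sorted(missing)}")
        if not set(element["actions"]) <= ALLOWED_ACTIONS[element["type"]]:
            raise ValueError("invalid_authorization_details: unknown action")
        instructed = element["instructedAmount"]
        try:
            amount = Decimal(instructed["amount"])
        except (InvalidOperation, KeyError, TypeError):
            raise ValueError("invalid_authorization_details: unparsable amount")
        if amount <= 0 or len(instructed.get("currency", "")) != 3:
            raise ValueError("invalid_authorization_details: bad instructedAmount")
    return True


def parse_authorization_details(raw):
    """Parse the JSON-encoded request parameter and validate it."""
    details = json.loads(raw)
    validate_authorization_details(details)
    return details


def scope_allows(scope):
    """Everything a flat scope tells the resource server: the category, nothing else."""
    return FLAT_SCOPE in scope.split()


def payment_allowed(granted_details, action, currency, amount, creditor_iban):
    """Resource-server check: the token must carry an element matching *this* payment.

    With a flat scope the RS would have to trust the client's request body for
    amount and payee; here every attribute is compared against what was granted.
    """
    for element in granted_details:
        if element.get("type") != "payment_initiation":
            continue
        if action not in element["actions"]:
            continue
        instructed = element["instructedAmount"]
        if instructed["currency"] != currency or Decimal(instructed["amount"]) != Decimal(amount):
            continue
        if element["creditorAccount"].get("iban") != creditor_iban:
            continue
        return True
    return False


if __name__ == "__main__":
    granted = parse_authorization_details(json.dumps(AUTHORIZATION_DETAILS))
    print(scope_allows(FLAT_SCOPE), payment_allowed(granted, "initiate", "EUR", "1123.50", "DE02100100109307118603"))
```

`scope_allows` returns true for any payment once the token carries `payments`; `payment_allowed` returns true only for the amount, currency, payee and action the user consented to, which is the property an open-banking payment needs.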
Published in OAuth 2 · Nov 9, 2018
Why you should stop using the OAuth implicit grant!
No one should use the implicit grant any longer! That’s what the IETF’s OAuth working group, the authority for official OAuth specifications, recommends in the upcoming OAuth 2.0 Security Best Current Practice RFC. The decision was made during the IETF meeting this week in Bangkok. Here is what the working group…
Oauth · 3 min read