The Best Hackathon Hack: Use The OAuth API

Elie, published in About OAuth, Aug 7, 2014

Developers always want to save time. In hackathons this is even more extreme: saving one hour can make the difference. Whether you hack to win or just for pleasure, making the funniest app is the number one objective. However, one problem comes up over and over again when integrating APIs: OAuth. Time is often lost in a stupid way.

OAuth is broken for everyone

On the hackathon organisers' and API providers' side, it's also very important to reduce the integration time. The services that sponsor hackathons want to be used. If nobody builds anything with the sponsors' APIs, the organisers will lose future opportunities, as the service providers will stop throwing money away for nothing.

Recently, a banking API came to us asking if we could add them to our providers list. Their number one concern was that they were organising hackathons and the participants always wasted a lot of time integrating their OAuth.

The problem isn't specific to them. OAuth is broken for everyone: there are more than 50 different implementations coexisting. It's a trap for developers, who tend to think that they know the flow because they have already dealt with OAuth once.

What seems simple at the beginning turns out to take hours, because it's always different when you get to the details (endpoints hidden in the docs, different data formats in responses, different token management policies, etc.).

The developer evangelists from Twitter or Fitbit spend a lot of time helping when they're around, but that isn't always the case.

The solution: An Open OAuth API

To solve this problem, we built an OAuth API that makes this standard really interoperable (note that OAuth 2.0 is not backward-compatible…). Some libraries existed, but we thought it would make more sense to provide a truly universal solution that works in any environment.

Jumping from one middleware to another depending on the project you're working on is not really convenient. Also, even if some libraries are quite popular, you are never sure to get support for your specific issues.

Last but not least, the list of supported OAuth providers tends to be limited or out of date. In the context of a hackathon, you will waste time installing the different dependencies, etc.

During a hackathon: Go for the SaaS

This is why we chose an Open API approach. A bunch of SDKs make it work in any environment (or almost: dear .NET community, we're still working on it). Because OAuth was built as an open standard, we didn't want to force developers to pay. Hence an Open Source version of OAuth.io is available: oauthd.

So when we say "Open API", it covers all the different meanings that this expression can have. Anyone can consume the API via OAuth.io: this is the traditional (and limited) definition of an "Open API" (cf. Steve Klabnik's talk at API Days).

But it is also "Open" for real, just like "Open Source". If you wish to fork it and host it, oauthd is at your disposal.

The client-side OAuth Flow: Built to hack

So if you are planning to hack an API relying on OAuth, we recommend that you test our client-side flow. You can integrate a provider in 2 minutes; see for yourself: a wizard guides you through all the steps. We even provide all the documentation links that you need. I made a test: even my father was able to make it work.

If you plan to go to a hackathon, just check in advance that OAuth.io supports the provider. If it doesn't, please drop us an email. We will do our best to make it happen together. The idea is to be exhaustive: an OAuth API that works with any API, in any environment.

Retrieve tokens & perform CRUD actions

Here's the best part: when we started the project, we addressed only one pain point: token retrieval. People loved it, but we also received a couple of demands: "how about abstracting the whole OAuth flow?" This seemed to be a clever idea.

Therefore, we recently published a Request API, and added a /me functionality that allows you to get user info with a simple API call. OAuth.io acts as a proxy. We expose simple commands and remove the complexity of dealing with the multiple provider specificities.

Final Thoughts: Hack the hackathon

If you want to actually win a prize in a hackathon, it is no secret that you should always play around with the APIs sponsoring the event. We can debate for hours whether this is right or wrong, but meanwhile this is the reality. OAuth.io makes this very easy. Even if your hack is not 100% focused on a sponsored API, our OAuth API allows you to multiply your chances of winning, in just a couple of minutes.

As an early-stage startup, we can't fly developer evangelists to hackathons (yet) and we can't pay many $$$$ to sponsor. However, because of the great value that our service delivers to the hackathon ecosystem, we're going to try to hack our presence at hackathons :P (we'll test this text as a pitch for OAuth providers and hackathon providers).
