Why OAuth2?
Over the past year I’ve had the chance to work a lot more within the IAM/CIAM space. I already knew my way around basic OAuth2 flows for my API tests, but not quite enough to do fully elaborate testing of a platform. In light of this I went searching for some good sources of information on the subject. Below I will share some of my findings; hopefully they will help others as much as they helped me.
Different grant types
Authorization Code grant type
I feel the Authorization Code grant is definitely one of the more complicated OAuth2 flows when you’re first introduced to it. Klemen Sever wrote a nice blog about this to really simplify it for anyone to understand. Check out OAuth2 explained with cute shapes for his drawings.
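To make the moving parts concrete, here is an added example that is not from the original post, from Klemen's blog, or from any library: a tiny in-memory authorization server and client that run the Authorization Code grant end to end with PKCE (RFC 7636). The endpoint URLs, the client id and the registered redirect URI are constructed placeholders. It shows the three checks a tester should expect a real server to enforce: exact redirect_uri matching, single-use authorization codes, and a code_verifier that hashes to the stored code_challenge; the client side checks the state parameter before accepting a code.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for illustration only; not from the original post.
AUTHORIZE_ENDPOINT = "https://as.example.test/authorize"
REDIRECT_URI = "https://client.example.test/callback"
REGISTERED_CLIENTS = {"demo-client": REDIRECT_URI}  # client_id -> exact redirect_uri


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id: str, scope: str, state: str, challenge: str) -> str:
    """Client side: the URL the browser is sent to for the front-channel request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """Minimal authorization server: issues codes and redeems each of them once."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}  # code -> (client_id, redirect_uri, challenge)

    def authorize(self, url: str) -> str:
        """Handle the front-channel request; returns the redirect back to the client."""
        q = parse_qs(urlparse(url).query)
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        # Exact-match redirect_uri validation, never prefix or wildcard matching.
        if REGISTERED_CLIENTS.get(client_id) != redirect_uri:
            raise ValueError("invalid_request: unknown client or unregistered redirect_uri")
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("invalid_request: PKCE with S256 is required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, q["code_challenge"][0])
        return f"{redirect_uri}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Back-channel exchange: code + verifier for an access token."""
        record = self._codes.pop(code, None)  # pop makes the code single-use
        if record is None:
            raise PermissionError("invalid_grant: unknown or already-used code")
        stored_client, stored_redirect, stored_challenge = record
        if client_id != stored_client or redirect_uri != stored_redirect:
            raise PermissionError("invalid_grant: client_id/redirect_uri mismatch")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, stored_challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def client_callback(redirect_url: str, expected_state: str) -> str:
    """Client side: bind the response to the session via state, then extract the code."""
    q = parse_qs(urlparse(redirect_url).query)
    if not hmac.compare_digest(q.get("state", [""])[0], expected_state):
        raise PermissionError("state mismatch: response is not bound to this session")
    return q["code"][0]


def run_flow() -> dict:
    """Drive one complete Authorization Code + PKCE flow and return the token response."""
    server = AuthorizationServer()
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url("demo-client", "openid profile", state, challenge)
    redirect = server.authorize(url)         # user authenticates and consents here
    code = client_callback(redirect, state)  # client verifies state before using the code
    return server.token(code, "demo-client", REDIRECT_URI, verifier)


if __name__ == "__main__":
    print(run_flow())
```

When testing a real platform, each of those checks maps to a probe: resend an authorization code a second time, submit a wrong or missing code_verifier, or vary the redirect_uri; a well-behaved server rejects all three with invalid_grant or invalid_request.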
Client Credentials grant type
The client credentials grant type is generally used by applications that have to get access to a resource for themselves instead of to another user’s data, meaning there is no username and password involved; the client authenticates with its own credentials. For example, some application needs to access another application to do its job: machine-to-machine communication.
Device Code grant type
The device code grant is generally used for “smart” TVs or other devices that are not very good with input. It lets the user log in to a service like Netflix on a different device (e.g. a smartphone) and approve a code shown by the TV, after which the TV can use its code to log into your Netflix account.
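The part of this flow that the description above leaves out is what happens in between: the TV polls the token endpoint and gets authorization_pending until the user approves, slow_down if it polls too fast, and expired_token if the user never shows up. Here is an added example, not from the original post or from any real authorization server, that simulates that state machine (RFC 8628) with a fake clock so it runs instantly; the verification URI, client id and code alphabet are constructed placeholders.

```python
import secrets

# Constructed values for illustration only; not from the original post.
VERIFICATION_URI = "https://as.example.test/device"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only: easy to read off a TV, no vowel words


class DeviceAuthServer:
    """Minimal device-authorization server driven by an injectable clock (seconds)."""

    def __init__(self, clock, expires_in: int = 300, interval: int = 5) -> None:
        self.clock = clock
        self.expires_in = expires_in
        self.interval = interval
        self._pending: dict[str, dict] = {}  # device_code -> record

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: the TV asks for a device_code (secret) and a user_code (shown on screen)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        self._pending[device_code] = {
            "client_id": client_id, "user_code": user_code,
            "issued_at": self.clock(), "approved": False, "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.expires_in, "interval": self.interval}

    def approve(self, user_code: str) -> bool:
        """Step 2: the user, logged in on the phone, enters the user_code and consents."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code:
                rec["approved"] = True
                return True
        return False

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the TV polls with its device_code; the error tells it what to do next."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - rec["issued_at"] > self.expires_in:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now  # polling too fast resets the wait; client must back off
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # device_code is redeemed exactly once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def simulate_tv_login(approve_after_polls: int = 2) -> list:
    """Run the flow end to end and return the sequence of poll outcomes."""
    t = {"now": 0}
    server = DeviceAuthServer(clock=lambda: t["now"])
    start = server.device_authorization("smart-tv")
    outcomes = []
    for i in range(5):
        if i == approve_after_polls:
            server.approve(start["user_code"])  # the user finishes on the phone here
        resp = server.token(start["device_code"], "smart-tv")
        outcomes.append(resp.get("error", "access_token"))
        if "access_token" in resp:
            break
        t["now"] += start["interval"]  # well-behaved client waits the advertised interval
    return outcomes


if __name__ == "__main__":
    print(simulate_tv_login())
```

Two things worth checking on a real deployment follow directly from the model: the device_code must never be shown to the user or reused after redemption, and the expiry and slow_down handling decide how much a brute-force of user_codes costs an attacker, which is why the short code needs a large enough alphabet and a short lifetime.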
Deprecated
Password grant type
The password grant consists of literally just sending the username and password to the server. Because it doesn’t support any kind of multifactor authentication or other security mechanisms, it’s generally not good enough for use anymore.
Implicit grant type
With the implicit grant a token is returned directly in the redirect, without any extra authorization step or any check that the intended client is the one that received it. This presents a lot of risk of other parties hijacking the token. It is slated for removal in OAuth 2.1.
Learning more about OAuth2
I’m sure many people like me learn better with a more directed learning approach, which is why I also went onto Udemy to search for something useful. I highly recommend the Udemy course “The nuts and bolts of OAuth2.0” by Aaron Parecki; he has a very clear way of explaining the most important parts of OAuth2 and how they relate to the real world. It really helped me solidify my knowledge.
For far more in-depth reading on the current best practices for OAuth2 you can also dive into the actual RFC, although it isn’t quite as readable as normal documentation. What it does provide is the definitive definition of anything surrounding OAuth2: IETF RFC.