Published: 30 October 2017
The OAuth 2.0 framework is the preferred API security method for providing access control to REST-based APIs, but it takes time to master. This document provides technical professionals with advanced OAuth 2.0 guidance and assesses the framework's recent security extensions.
Included in Full Research
- OAuth 2.0 Is Under Attack
- The OAuth 2.0 Framework Is Evolving
- Client to Authorization Server
- Resource Server to Authorization Server
- Authorization Server to Authorization Server
- Client to Resource Server
- Defining and Managing Scopes
- Limiting the Attack Surfaces
- Recentering the Identity Ecosystem for API Access Control
- Use Multiple Security Mechanisms to Form Your API Stronghold
- Use OAuth 2.0: It Is a Proven Technology
- Get All the Mileage You Can From Traditional Bearer Tokens
- Zero in on Your PoP Requirements
- Voice Your PoP Requirements
- Use Full-Featured Authorization Servers
- Harden the Identity Capabilities of the Resource Servers by Answering Six Questions
- Question 1: What Token Format Should I Accept?
- Question 2: What Lifetime Should the Tokens Have?
- Question 3: How Should I Validate the Token?
- Question 4: What Keys Should I Trust?
- Question 5: What Token Should I Use Against Downstream Services and APIs?
- Question 6: How Should Token Revocation Be Handled?
- Don't Underestimate the Complexity of the Client
- Protect the Keys
- Strike the Right Balance in Your Scope Design
- Manage Clients When Using X.509 Certificates
- Proof of Possession Mechanisms
- Token Binding
- Mutual TLS Profile for OAuth 2.0
- Signed HTTP Requests
- JWT Pop (JPOP) Token Usage
- Comparison of Four PoP Mechanisms
- OAuth 1.0 vs. OAuth 2.0