Should We Be on the Lookout for OAuth 3.0?

October 28, 2020

recently shared details around the ongoing effort to create a next-generation protocol based on years of knowledge and experience with OAuth 2. This new specification would encompass many more use cases than OAuth originally set out to solve, and while it’s still in its early stages of development, you can get involved by joining the IETF Working Group or attending OAuth events.

Although the thought of OAuth 3.0 is exciting stuff, OAuth 2 is the industry standard, so we recently interviewed Aaron Parecki, author of the book OAuth 2.0 Simplified, to learn about some of OAuth 2.0’s hidden secrets.

A few highlights from that interview:

  • OAuth was created because of the problems third-party apps had accessing APIs.
  • OAuth 2.0 is a complete rewrite of OAuth 1.0 from the ground up, sharing only overall goals and general user experience.
  • Authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.
  • Don’t build your own OAuth server!
  • PKCE is the most secure way to do authorization code grants.
  • “Short token lifetimes” means reducing the window during which the validation may be wrong.
  • When using PKCE, the authorization server has the opportunity to deny requests that don’t use PKCE.

Check out the full interview…