After a 3-year long struggle, the IETF finally released the OAuth2 specifications (RFC 6749 & 6750). While all the big players (like Google, Microsoft and Facebook) are already using it, more and more people want to follow. But there is big confusion about what OAuth2 really is, what its uses cases are and which problems it can actually solve. At the same time, also the security experts out there don’t really agree if OAuth2 is a complete failure, or not – or something in between. Dominick walks you through OAuth2, its use cases, dark corners and pitfalls.
Dominick Baier works as a security consultant at thinktecture (www.thinktecture.com). His main focus is security, identity and access control in distributed applications using the Microsoft technology stack. He’s the author of “Writing more-secure ASP.NET Applications” (MS Press) and the security curriculum lead at Developmentor. You can find his blog at www.leastprivilege.com.