Konubinix' opinionated web of thoughts

Protect Your APIs With OAuth

Fleeting

  • External reference:

Aaron Parecki

OAuth 2.1

OAuth 2.0 Playground

Protecting Your APIs with OAuth

use different lifetimes for your access tokens depending on the criticality of the scope

reference token vs self-encoded access token ->

JWT Access Tokens profile for OAuth 2.0 may be different from implementations

Auth0 and Okta both used JWTs to encode access tokens at the same time. They disagreed on the details and finally made a standard together.

Yet, they did not change their implementations to follow the standard afterwards.
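Added example, not from the original note or from the referenced talk: a dependency-free Python sketch of a self-encoded access token in the shape of the JWT access token profile (typ header at+jwt, iss/aud/sub/client_id/iat/exp/jti claims), whose lifetime is derived from the most sensitive scope requested, tying together the lifetime and self-encoded notes above. The scope-to-lifetime table, issuer and audience values are constructed, and HS256 stands in for the asymmetric signature a real authorization server would use.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed policy (constructed values): seconds of lifetime per scope; the most
# sensitive scope in the request dictates the token's lifetime.
SCOPE_LIFETIMES = {"profile:read": 3600, "payments:write": 300}
DEFAULT_LIFETIME = 3600

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def lifetime_for(scopes):
    """Shortest lifetime among the requested scopes (unknown scopes get the default)."""
    return min((SCOPE_LIFETIMES.get(s, DEFAULT_LIFETIME) for s in scopes), default=DEFAULT_LIFETIME)

def mint_access_token(key, issuer, audience, subject, client_id, scopes, now=None):
    """Self-encoded access token in the RFC 9068 shape: typ at+jwt plus the required claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "client_id": client_id,
              "iat": now, "exp": now + lifetime_for(scopes), "jti": secrets.token_urlsafe(16),
              "scope": " ".join(scopes)}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    # HS256 keeps the example dependency-free; a real AS would sign with an asymmetric key.
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_access_token(token, key, issuer, audience, now=None):
    """Resource-server side check; returns the claims or None. No database lookup is
    needed, which is the point of a self-encoded token (a reference token would need one)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # tampered, or signed with another key
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    # RFC 9068 section 4: reject anything not typed as an access token
    if header.get("typ") not in ("at+jwt", "application/at+jwt") or header.get("alg") != "HS256":
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

A request carrying payments:write gets a 300-second token even though profile:read alone would have been valid for an hour.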

a public client CANNOT securely save a client secret

You must be prepared for the fact that someone else can run your flow with your secret (https://youtu.be/i2wK-cTD_f0?t=1321).

In that case, it is important to show the user consent screen, because that may help the user find out that something might be wrong.

the user consent screen is not compulsory

Indeed, if using a first party app, there is no trust issue.

It only makes sense when using a third party app. In that case, you need to check that the user actually asked for that.

Notes pointing here