What is The OAuth 2 Game?
The OAuth 2 game is a fun and easy way to learn about how to use OAuth to protect the most common types of applications.
The OAuth 2 specification lists different ways of obtaining access tokens meant to leverage the different capabilities and security characteristics of distinct client (application) types. We call those different ways grants through the years. The OAuth 2 family of specifications gained new methods, called extension grants, meant to provide guidance for new types of clients.
It is not always easy to know what grant to use for your application, especially if you aren’t an identity expert. Usually, SDKs and libraries help, taking care of details for you, but it is often useful to know what is going on behind the scenes - for example, when you need to troubleshoot an issue.
The OAuth 2 game can help you to familiarize yourself with the most common grant choices for the most frequently used application types. It features two dice, one for grants and another for application types. Throw the dice and consult the instructions to discover whether the combination of grant and application type you obtained happens to be a good one! Play a few times, and before you know it, you’ll be familiar with the most common combinations!
Learn More About OAuth 2
Naturally, there’s only so much we can express with two dice. The OAuth 2 game is based on the most obvious choices of grant per application type, but there are always nuances, exceptions, and more things to consider. If you want to take your understanding of OAuth 2 to the next level, here’s a collection of links to help you take your next steps:
- The Authorization code grant, in both its public and confidential client flavors, is defined in the original OAuth 2 core specification. PKCE, a security measure device to further protect the exchange of authorization codes, is defined here.
- The client credentials grant is also defined in the OAuth 2 core specification.
- The device authorization grant is an extension grant defined here.
- The resource owner password grant was introduced in the original OAuth 2 core specification but is being omitted by the OAuth 2.1 revision given its poor security track record.
- You will find useful information on how to apply OAuth 2 in best practice documents - in particular for native clients, browser apps and for security best practices.
- Finally, if you want a high-level discussion on modern identity development and some tips on how to choose grants per-app type, you can check out this session from the Identiverse 2020 conference.
OAuth 2 on Identity, Unlocked Podcast
Want something to listen to while you play? OAuth 2 made several appearances in the last two seasons of Identity, Unlocked.
What’s new with OAuth 2.1 with Aaron Parecki
A Lap Around the OAuth 2 Security BCP with Daniel Fett
JWT Profile for OAuth 2 Access Tokens with Vittorio Bertocci
Wanna Play?
The OAuth2 Game will be available at Identiverse 2021, but check back here soon for your chance to receive your own set.
About the author
Vittorio Bertocci
Principal Architect