By:
2024-06-04
Diving into OAuth 2.0 over lunch
OAuth 2.0 is an authorization framework (RFC 6749) that lets a user grant an application limited access to resources held by another service, without that application ever seeing the user's password. You can think of it as an elegant dance between several parties that enables data sharing without users' passwords being shared.
However, OAuth 2.0 is a framework rather than a single rigid protocol: it leaves many choices to implementers and has grown a large set of extensions, which makes it hard to grasp; it's easy to drown in a sea of different terms and conflicting information.
We considered the OAuth standard a valuable topic for our initiative to strengthen Dynabyte's competence base in web security. We organized a learning session, what we call a Dynalearn, consisting of two main parts. The first part went through the basics of the subject and then ran an OAuth flow as a role-playing exercise, where participants took on each of the four roles in the OAuth 2.0 Authorization Code Flow: resource owner, client, authorization server and resource server. Following this, we demonstrated an OAuth 2.0 flow implemented in Python. The implementation went through the same example as before, but from a more technical perspective. The role of the resource owner was played by a series of requests sent from Insomnia, while the client, authorization server and resource server ran as three separate web APIs. This produced several "aha" moments and interesting discussions about future needs for authentication and authorization.
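To make the four roles and their hand-offs concrete, here is an added example of the Authorization Code Flow written for this page; it is not the Dynalearn demo code. Instead of three web APIs and Insomnia, the roles are plain Python objects that pass dicts around in one process, so it runs offline. The client name, secret, redirect URI, scope and the sample calendar data are all made up. Alongside the happy path it shows the checks that each party must perform: the authorization server only sends the code to a pre-registered redirect_uri and lets a code be redeemed once by an authenticated client, the client binds the redirect back to its own request with an unguessable state, and the resource server accepts only tokens the authorization server vouches for with sufficient scope.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not the Dynalearn demo: the four OAuth 2.0 Authorization Code Flow
# roles as in-process objects exchanging dicts instead of HTTP. Names/URLs are made up.


class AuthorizationServer:
    """Issues short-lived, single-use authorization codes and bearer access tokens."""

    CODE_TTL = 60  # seconds; RFC 6749 recommends a lifetime of at most 10 minutes

    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}

    def register(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, params, resource_owner):
        """Authorization endpoint; `resource_owner` is the user who has just consented."""
        client = self.clients.get(params.get("client_id"))
        # Only the pre-registered redirect_uri may receive the code, or an attacker could
        # ask for it to be delivered to a URL they control.
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params.get("scope", ""), "sub": resource_owner, "exp": time.time() + self.CODE_TTL}
        # state is echoed unchanged so the client can bind this response to its own request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, params):
        """Token endpoint: authenticate the client, then redeem a fresh, matching code."""
        client = self.clients.get(params.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], params.get("client_secret", "")):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(params.get("code"), None)  # pop: a code can be redeemed once
        if (grant is None or grant["exp"] < time.time() or grant["client_id"] != params["client_id"]
                or grant["redirect_uri"] != params.get("redirect_uri")):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"scope": grant["scope"], "sub": grant["sub"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}


class ResourceServer:
    """Serves a user's data only to a bearer token the authorization server vouches for."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.calendars = {"alice": ["Lunch: OAuth 2.0", "Standup"]}  # constructed sample data

    def get_calendar(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.tokens.get(token) if scheme == "Bearer" else None
        if info is None or "calendar:read" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return self.calendars[info["sub"]]


class Client:
    def __init__(self, client_id, secret, redirect_uri, auth_server):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.auth_server, self.pending_state = auth_server, None

    def start(self, scope):
        self.pending_state = secrets.token_urlsafe(16)  # unguessable, one per authorization request
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": self.pending_state}

    def callback(self, redirect_url):
        qs = parse_qs(urlparse(redirect_url).query)
        # A state mismatch means this redirect was not triggered by our own request (CSRF / code injection).
        if self.pending_state is None or qs.get("state", [None])[0] != self.pending_state:
            raise ValueError("state mismatch")
        self.pending_state = None
        return self.auth_server.token({"grant_type": "authorization_code", "code": qs.get("code", [""])[0],
                                       "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                       "client_secret": self.secret})


def rejected(fn, *args):
    """True if the call is refused with an OAuth-style error (for checking the negative cases)."""
    try:
        fn(*args)
    except (PermissionError, ValueError):
        return True
    return False


def run_flow(scope="calendar:read"):
    """Happy path: alice lets lunch-app read her calendar without handing over her password."""
    auth = AuthorizationServer()
    auth.register("lunch-app", "s3cret", "https://lunch.example/cb")
    client, resource = Client("lunch-app", "s3cret", "https://lunch.example/cb", auth), ResourceServer(auth)
    redirect = auth.authorize(client.start(scope), resource_owner="alice")  # alice consents at the AS
    token_response = client.callback(redirect)                               # browser follows the redirect
    return resource.get_calendar("Bearer " + token_response["access_token"])
```

Calling `run_flow()` walks the whole dance: the client builds an authorization request with a fresh state, the authorization server (after alice's consent) redirects back with a code, the client trades the code plus its client secret for an access token, and the resource server releases alice's calendar only because the token carries the `calendar:read` scope. Requesting a different scope, tampering with `state`, replaying a redeemed code, or presenting the wrong client secret are each refused by the party responsible for that check. Real deployments add PKCE for public clients and return tokens that can be validated without a shared in-memory table, but the responsibilities of the four roles are the same.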
Before each organized learning session, the question arises: "How broadly or deeply should we cover the subject?" You may have heard someone say, "I'm a visual learner" or "I need to read it to learn." The evidence for the model of distinct learning styles is not very strong. What does seem to hold true is that most of us learn better when material is presented in several ways; the different perspectives add up to a more comprehensive understanding.
Given that we identified OAuth 2.0 as a potentially tricky concept, we chose to go deep rather than broad.
We designed our Dynalearn as a two-part treatment of OAuth – first a demo with people and then a demo with code.