OAuth 2.0 Simplified

Third Edition! Updated February 2020


All editions were updated in February 2020.

OAuth 2.0 Simplified is a guide to building an OAuth 2.0 server. Through high-level overviews, step-by-step instructions, and real-world examples, you will learn how to take advantage of the OAuth 2.0 framework while building a secure API.


The Little Book of OAuth 2.0 RFCs

This reference guide will help you understand the context of each RFC that is part of OAuth.

This book is a reproduction of all the RFCs relating to OAuth, everything from OAuth core RFC6749 to the latest Security Best Current Practice. Each RFC is prefaced by a short introduction to set the context for why it's important to the space.

Why OAuth?

The OAuth 2.0 authorization framework has become the industry standard in providing secure access to web APIs. OAuth allows users to grant external applications access to their data, such as profile data, photos, and email, without compromising security.

Whether you’re a software architect, application developer, project manager, or a casual programmer, this book will introduce you to the concepts of OAuth 2.0 and demonstrate what is required when building a server.

About the Author

Aaron Parecki is the editor of the W3C Webmention and Micropub specifications, and maintains oauth.net. He is the co-founder of IndieWebCamp, a yearly worldwide conference on data ownership and online identity. He has spoken at conferences around the world about OAuth, data ownership, quantified self, and even explained why R is a vowel.

Aaron has tracked his location at 5-second intervals since 2008, and was the co-founder and CTO of Geoloqi, a location-based software company acquired by Esri in 2012. His work has been featured in Wired, Fast Company and more, and he made Inc. Magazine’s 30 Under 30 for his work on Geoloqi. Aaron holds a B.S. in Computer Science from the University of Oregon and lives in Portland, Oregon.

Chapter Outline

  • Background
  • Definitions
  • OAuth 2.0 Clients
  • Client Registration
  • Authorization
  • Scope
  • Redirect URLs
  • Access Tokens
  • Listing Authorizations
  • The Resource Server
  • OAuth for Native Apps
  • OAuth for Browserless and Input-Constrained Devices
  • PKCE: Proof Key for Code Exchange
  • Token Introspection Endpoint
  • Creating Documentation
  • Differences Between OAuth 1 and 2
  • OpenID Connect
  • IndieAuth
  • Map of OAuth 2.0 Specs
  • Appendix

Tweet me and I'd be happy to help!