Preface

I’ve been working with web-based APIs since 1999, building SOAP-based web services for internal IT applications and helping thousands of developers using Google’s REST-based APIs for Google Calendar, Picasa Web Albums, YouTube, and more. Each of these APIs has required authorization from users to act on their behalf. Developers using these Google APIs were initially required to use proprietary technologies like ClientLogin and AuthSub. If these same developers wanted to integrate with APIs provided by Yahoo!, they needed to use Yahoo!’s BBAuth. The use of these proprietary authorization technologies made it challenging to build applications using APIs from multiple providers.

The development of OAuth 1.0 reduced many of the headaches for developers and allowed them to use a single authorization technology across hundreds of APIs on the Web. However, OAuth 1.0 came with some challenges as well—cryptographic signatures and limited definition of how to use it for authorizing applications not using a server-to-server web application flow. I’m delighted that the standardization of OAuth 2.0 is nearly complete, as it provides an authorization protocol that’s easy to use both for these types of applications and for a variety of other use cases.

Perhaps most exciting is the upcoming standardization of OpenID Connect—a protocol built on top of OAuth 2.0 to enable using the same identity to log in (authenticate) to multiple applications. While I’ve worked with hundreds of developers who have successfully built earlier versions of OpenID authentication into their web applications, it’s rarely been a very smooth process. Just as OAuth 2.0 makes authorization easier for developers, OpenID Connect does the same for authentication.

I hope this book gives you the foundational knowledge you need to work with OAuth 2.0 and OpenID Connect as the next-generation authorization and authentication technologies for the Web.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic

Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width

Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold

Shows commands or other text that should be typed literally by the user.

Constant width italic

Shows text that should be replaced with user-supplied values or by values determined by context.

Tip

This icon signifies a tip, suggestion, or general note.

Caution

This icon indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Getting Started with OAuth 2.0 by Ryan Boyd (O’Reilly). Copyright 2012 Ryan Boyd, 978-1-449-31160-5.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at .

Safari® Books Online

Note

Safari Books Online is an on-demand digital library that lets you easily search over 7,500 technology and creative reference books and videos to find the answers you need quickly.

With a subscription, you can read any page and watch any video from our library online. Read books on your cell phone and mobile devices. Access new titles before they are available for print, and get exclusive access to manuscripts in development and post feedback for the authors. Copy and paste code samples, organize your favorites, download chapters, bookmark key sections, create notes, print out pages, and benefit from tons of other time-saving features.

O’Reilly Media has uploaded this book to the Safari Books Online service. To have full digital access to this book and others on similar topics from O’Reilly and other publishers, sign up for free at http://my.safaribooksonline.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

http://shop.oreilly.com/product/0636920021810.do

To comment or ask technical questions about this book, send email to:

For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.

Find us on Facebook: http://facebook.com/oreilly

Follow us on Twitter: http://twitter.com/oreillymedia

Watch us on YouTube: http://www.youtube.com/oreillymedia

Acknowledgments

I’d like to thank the identity and auth teams at Google for providing years of guidance and expertise, and most importantly Eric Sachs, Marius Scurtescu, and Breno de Medeiros for their review and feedback on this book. I also would like to thank my family, friends, and colleagues in Google’s Developer Relations group for their constant support.

Of course, without the fantastic work of the OAuth spec authors and working groups, nobody would have a chance to use or write about OAuth.
