Specifications

Here is a list of RFCs and other specifications that are relevant in the context of this website. Click the red label to find more information.

[RFC 6749] - The OAuth 2.0 Authorization Framework

This is the RFC that describes the OAuth 2.0 framework. It is important to understand that it is an authorization framework! It is not a protocol, nor does it describe anything in detail; it leaves a lot of room for interpretation, which is why two deployments of "OAuth" can behave quite differently and why companion specifications exist to pin the details down.

If you are new to OAuth, start by understanding the difference between public and confidential clients (in short: whether the client can keep a secret). After that, learn the difference between response_type and grant_type values and how each of the resulting flows works. Filter out the ones that are relevant for your use case!

Once you are familiar with those concepts, sign up as a developer with Google, Microsoft or a similar platform and write a first OAuth client.

If you want to learn more about OAuth 2.0 (which you should!), try to find a helpful blog post here.

For the spec, follow this link: OAuth 2.0

[OpenID Connect] - Adding the identity layer on top of OAuth 2.0

OpenID Connect is built on top of OAuth 2.0. It specifies OAuth scopes (such as openid and profile), APIs (such as the UserInfo endpoint) and, most importantly, the id_token. The id_token is a signed JWT that identifies an authenticated user and can be used as a credential: a relying party that has verified its signature, issuer, audience, expiry and nonce can accept the login without the user having to create a local account. If you follow the Sign Up button at the top of this page and choose one of the listed providers, you can experience how it works.
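The checks a relying party has to perform on an id_token before trusting it, as an added example that is not code from this site or from any provider. It signs the token with HS256 keyed by the client_secret, which OpenID Connect Core allows for symmetric signing; a production client would normally fetch the provider's public keys from its JWKS endpoint and verify an RS256/ES256 signature instead, but the claim validation is the same. The issuer, client_id, secret, nonce, timestamps and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """Stand-in for the OpenID Provider: serialise the claims as a compact JWS, HS256 keyed by client_secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_id_token(token: str, client_secret: str, issuer: str, client_id: str, nonce: str,
                      now: int = None, skew: int = 60) -> dict:
    """Relying-party checks from OpenID Connect Core 3.1.3.7; returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict):
            raise ValueError
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm the client expects; never let the token choose (this also rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("audience mismatch")
    if (len(aud) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if "sub" not in claims:
        raise ValueError("missing sub")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now - skew:
        raise ValueError("expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + skew:
        raise ValueError("issued in the future")
    if claims.get("nonce") != nonce:  # binds the token to the client's own session, stops replay
        raise ValueError("nonce mismatch")
    return claims


def demo() -> dict:
    """Constructed values: one good token plus the failure modes a relying party must reject."""
    secret, issuer, client_id, nonce, now = "s3cret-shared-with-the-client", "https://op.example", "demo-rp", "n-0S6_WzA2Mj", 1_700_000_000
    claims = {"iss": issuer, "sub": "248289761001", "aud": client_id, "exp": now + 300, "iat": now, "nonce": nonce}
    good = mint_id_token(claims, secret)
    results = {"valid_sub": validate_id_token(good, secret, issuer, client_id, nonce, now=now)["sub"]}
    h, p, s = good.split(".")
    cases = {
        "tampered_payload": ".".join((h, b64url_encode(json.dumps(dict(claims, sub="attacker")).encode()), s)),
        "alg_none": b64url_encode(b'{"alg":"none"}') + "." + p + ".",
        "expired": mint_id_token(dict(claims, exp=now - 3600), secret),
        "wrong_audience": mint_id_token(dict(claims, aud="other-rp"), secret),
        "wrong_issuer": mint_id_token(dict(claims, iss="https://evil.example"), secret),
    }
    for name, tok in cases.items():
        try:
            validate_id_token(tok, secret, issuer, client_id, nonce, now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    try:
        validate_id_token(good, secret, issuer, client_id, "some-other-session-nonce", now=now)
        results["nonce_mismatch"] = "accepted"
    except ValueError as err:
        results["nonce_mismatch"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the signature is verified before any claim is read, and the algorithm is taken from the client's configuration rather than from the token header, which is what defeats the classic alg=none and key-confusion tricks.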

If you want to learn more about OpenID Connect, try to find a helpful blog post here.

For the spec, follow this link and start with Core: OpenID Connect

[RFC 7636] - Proof Key for Code Exchange by OAuth Public Clients

PKCE, as it is usually called, is an RFC that helps secure public clients that use the authorization_code flow. Especially on mobile devices, where the redirect URI is often a custom URL scheme that any installed app can register, a malicious client can intercept an authorization_code that was meant for a different client. PKCE adds two parameters to the initial authorization request (code_challenge, code_challenge_method) and one to the token request (code_verifier): the client generates a random code_verifier, sends its SHA-256 hash (method S256) as the code_challenge, and the authorization server later checks that the verifier presented together with the code hashes to the challenge it stored. These parameters do not prevent an unauthorized client from retrieving an authorization_code, but they do prevent it from using it. Use S256 rather than plain wherever the client can compute a hash, and note that the current OAuth 2.0 security best practice (RFC 9700) recommends PKCE for confidential clients as well, since it also protects against authorization code injection.
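Both sides of the exchange, as an added example that is not code from this site, the RFC or any library: the client builds the authorization request described in the OAuth section above (response_type=code plus the PKCE parameters) and an in-memory stand-in for the authorization server stores the challenge with the issued code, then refuses a token request whose verifier does not hash to it. The endpoint, client_id, redirect_uri and the AuthorizationServer class are constructed for the demo; user consent is assumed to have happened.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the minimum RFC 7636 allows (maximum 128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256 is BASE64URL(SHA256(ASCII(code_verifier))); 'plain' exists only for clients that cannot hash."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


def build_authorization_request(authz_endpoint, client_id, redirect_uri, scope, state, verifier) -> str:
    """Client side: the authorization request carries the challenge, never the verifier."""
    params = {
        "response_type": "code",  # authorization_code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF protection, independent of PKCE
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Constructed stand-in for the authorization server; only the PKCE-relevant bookkeeping is modelled."""

    def __init__(self):
        self._codes = {}  # code -> (challenge, method, client_id, redirect_uri)

    def authorize(self, request_url: str) -> str:
        """Consent assumed; remember the challenge together with the freshly issued code."""
        q = parse_qs(urlparse(request_url).query)
        method = q.get("code_challenge_method", ["plain"])[0]
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["code_challenge"][0], method, q["client_id"][0], q["redirect_uri"][0])
        return code

    def token(self, code: str, code_verifier: str, client_id: str, redirect_uri: str) -> dict:
        """Token request: the code is single-use and bound to the same client, redirect URI and verifier."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method, stored_client, stored_redirect = entry
        if client_id != stored_client or redirect_uri != stored_redirect:
            return {"error": "invalid_grant"}
        if not code_verifier.isascii() or not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(make_code_challenge(code_verifier, method), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> dict:
    srv = AuthorizationServer()
    endpoint, client_id, redirect_uri = "https://as.example/authorize", "mobile-app", "com.example.app:/callback"
    results = {}
    # Scenario 1: a rogue app on the device intercepts the redirect and gets the code, but never saw the verifier.
    verifier = make_code_verifier()
    code = srv.authorize(build_authorization_request(endpoint, client_id, redirect_uri, "openid profile", "state-1", verifier))
    results["attacker_without_verifier"] = srv.token(code, make_code_verifier(), client_id, redirect_uri).get("error")
    # Scenario 2: the legitimate client redeems its own code; a replay of the same code is refused.
    verifier = make_code_verifier()
    code = srv.authorize(build_authorization_request(endpoint, client_id, redirect_uri, "openid profile", "state-2", verifier))
    results["legit_client"] = "access_token" in srv.token(code, verifier, client_id, redirect_uri)
    results["replay"] = srv.token(code, verifier, client_id, redirect_uri).get("error")
    return results


if __name__ == "__main__":
    print(demo())
```

The verifier never leaves the client until the token request, which is made directly to the token endpoint over TLS, so an app that only sees the redirect holds a code it cannot redeem. The server treats a failed or repeated redemption as invalid_grant rather than leaving the code open for another try.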

If you want to learn more about PKCE, try to find a helpful blog post here.

For the spec, follow this link: PKCE

to be continued ...