In OAuth: The valet key metaphor and OAuth: Flow for mobile apps, we talked about why OAuth is good for users - how it lets them grant third parties access to their web services or mobile apps without sharing their passwords.
This time: why OAuth is good for API providers, whether they expose APIs for web apps or APIs designed for mobile apps. With OAuth, web apps that expose APIs never have to let third parties collect their users' passwords. There are two alternatives ...
In my previous post, I talked about how OAuth allows users to grant third parties access to their web services without sharing their passwords. In that example, our user (Bob) accessed his Twitter account through the bit.ly web site. This time, let's look at what happens when Bob is using a mobile app instead of a web app.
OAuth has taken off as a standard way for apps and websites to handle delegated authorization: letting a user grant one service access to another without handing over a password. But OAuth is a confusing spec that can be hard to pin down.
I wanted to talk a little about what OAuth is and when you should use it for your API, and hopefully pin it down a little over a few blog posts. I covered a lot of this in OAuth: The Big Picture. Check out the video and slides!
Let’s start with what is OAuth and why it came about.
Today at #defragcon our @sramji gave this talk making the case for OAuth as a business imperative.
At Apigee, we've been developing a secure, robust API management platform since 2005 and have been running it in the cloud since 2008. We're proud that some of the most demanding enterprise customers like Netflix, Comcast, and GameSpy have made Apigee technology part of their API platform.
We believe that it should be easy to start working with APIs, so last week we launched a new service called the OAuth API, which takes the pain out of getting up and running with APIs that use OAuth.
The story of the OAuth API is the story of yet another function...
Thanks to all that attended last week's webinar: OAuth: The Big Picture (slides and video here).
There were great questions - here are thoughts on those we didn't have time to discuss.
Q: Would you recommend only using OAuth for passwords and usernames? What about more confidential items like card numbers? (John G)
I'm not sure I completely understand, but are you asking whether a user can authenticate to OAuth using a credit card number rather than a username/password?
That's theoretically possible but I'm not sure it's a good idea. Also, keep in mind that most credit-card...
We've written on the topic of API threat detection before, and also outlined a top 10 API threats to guard against, but race conditions are another area in which APIs are vulnerable. A race condition is a bug where the outcome depends on the sequence or timing of other events. APIs are vulnerable to a type of race condition called TOCTTOU (time-of-check to time-of-use, pronounced "TOCK TOO"): the API checks some condition (a balance, a permission, a quota) and then acts on it, but the two are separate steps. In the window between the check and the use, another request can change the state that was checked, so the action proceeds on stale information. Race conditions of this kind have been exploited as security vulnerabilities in systems for almost four decades.
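To make the check/use window concrete, here is an added example (not code from the Apigee post) of a withdrawal handler with a TOCTTOU race, beside the same handler with the check and the debit joined into one atomic step. The names `Account`, `withdraw_vulnerable`, `withdraw_safe` and `run_concurrent` are assumptions for this illustration. A `threading.Barrier` parks every request inside the window so the bad interleaving is reproducible; in a real API the window is simply whatever time passes between the read and the write.

```python
import threading
from typing import Callable, Tuple


class Account:
    """Minimal in-memory account; the lock stands in for the datastore's atomic update."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_vulnerable(account: Account, amount: int, barrier: threading.Barrier) -> bool:
    # Time of check: read the balance and decide.
    if account.balance < amount:
        return False
    # The window. The barrier holds every request here until all of them have
    # passed the check, which is exactly the interleaving an attacker wants.
    barrier.wait()
    # Time of use: the debit itself is atomic (like a single SQL UPDATE), but it
    # acts on a balance that was verified earlier and may no longer hold.
    with account.lock:
        account.balance -= amount
    return True


def withdraw_safe(account: Account, amount: int, barrier: threading.Barrier) -> bool:
    # Requests still arrive at the same moment...
    barrier.wait()
    # ...but check and use happen as one step under the lock, so a second request
    # sees the balance after the first debit, not before it. In a datastore this is
    # a conditional update such as "UPDATE ... SET balance = balance - ? WHERE balance >= ?".
    with account.lock:
        if account.balance < amount:
            return False
        account.balance -= amount
        return True


def run_concurrent(
    handler: Callable[[Account, int, threading.Barrier], bool],
    start_balance: int,
    amount: int,
    requests: int,
) -> Tuple[int, int]:
    """Fire `requests` simultaneous withdrawals of `amount` at one account.

    Returns (number of withdrawals that succeeded, final balance). Every request
    must be able to pass the initial check (start_balance >= amount) so that the
    barrier fills; the constructed inputs below satisfy that.
    """
    account = Account(start_balance)
    barrier = threading.Barrier(requests)
    results = []  # list.append is safe to call from several threads

    def worker() -> None:
        results.append(handler(account, amount, barrier))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    # Constructed scenario: a $100 account hit by two $100 withdrawals at once.
    print("vulnerable:", run_concurrent(withdraw_vulnerable, 100, 100, 2))  # (2, -100)
    print("safe:      ", run_concurrent(withdraw_safe, 100, 100, 2))        # (1, 0)
```

Note that making each individual operation atomic is not enough: the vulnerable handler's debit is already under a lock, and it still overdraws because the decision was made on a value read outside that lock. The fix is to move the check inside the same atomic unit as the use.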