New Pluralsight Course: Getting Started with OAuth 2.0

16 September 2018 OAuth

Pluralsight Logo

I’m really excited to announce the release of my latest Pluralsight course: “Getting Started with OAuth 2.0”.

In this course, we take a look at the OAuth 2 authorization framework and some of the work that’s been happening that makes OAuth and its extensions the gold standard for API security.

This course is going to be entirely programming free and is suitable for software developers of any language or stack. That being said, if you’re looking to get started with IdentityServer4, I highly recommend this course as your first step.

Read more

OAuth is Not Authentication

24 April 2018 OAuth

OAuth 2.0

OAuth is not authentication. It’s an authorization protocol, or, better yet, a delegation protocol. It’s for this reason that authentication protocols such as OpenID Connect exist and legacy protocols such as SAML use extension grants to link authentication and delegation.

There are articles on this subject already, but I still regularly see some confusion as to the reasons why on the internet and with new clients. So in this article, I’m going to discuss the key reasons why OAuth on its own does not provide client applications (relying parties) with user authentication.

Read more

Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications

29 August 2017 OAuth Last Updated: 17 September 2018

OAuth 2.0

When you ask a consultant if you should use the Resource Owner Password Credentials (ROPC) grant type, the standard response is: “It depends”. While this is true, I’m going to take a stand and say no. Unfortunately, many people see the username & password fields and say “Aha! That’s the one for me!”. I then have to spend way too much of my time trying to convince them it’s a bad idea after they’ve already spent a lot of time implementing it.

So, let’s take a look at the ROPC grant type, why it’s so tempting, and what we can do to convince other developers and stakeholders that it is a bad idea.

Read more

The Wrong Ways to Protect an API

06 July 2017 OAuth

OAuth 2.0

Knowing why we don’t use past methodologies can be just as useful as knowing why we use current ones. In this article, we are going to look at past methods for delegating access to an API (the problem that OAuth is the current solution for) and why we shouldn’t use them anymore. Examples in this article are based on systems I’ve seen in the wild or discussed on StackOverflow.


For a user to delegate access (or authorize, give permission) to a mail service to send emails on the user’s behalf. Only send permission must be allowed.

We’re going to use the OAuth terminology of...

Read more

Consuming External OAuth Services using IdentityModel

15 November 2016 OAuth


Recently as part of my audition process to become a Pluralsight author I created a 10 minute video on 'Consuming External OAuth Services using IdentityModel'. I’m pretty pleased with how it turned out, and luckily so were Pluralsight, so I thought I would share it for all to see.

In the video, I talk about why OAuth exists, what a basic OAuth request looks like and how we can use the IdentityModel library to help us simplify the process in .NET.

Read more