FWIW, this is fairly out of date - password grant must not be used and authoriza... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		pverheggen 17 days ago \| parent \| context \| favorite \| on: An illustrated guide to OAuth FWIW, this is fairly out of date - password grant must not be used and authorization code should be used in place of implicit. I highly recommend anyone dealing with OAuth to read the BCP and not just the spec, especially if you're rolling your own: https://datatracker.ietf.org/doc/html/rfc9700 As for your API surface, typically you'd handle this at the gateway level, then individual services don't have to perform authorization.

maxwellg 17 days ago [–]

I would also recommend the OAuth 2.1 IETF draft as a precursor to the BCP: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-...

Although it isn't a published RFC yet, it intends to replace several sometimes-conflicting previous RFCs + the BCP with a single document.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact