Don’t know the difference between a grant type and an auth code? Know the difference but not sure how to implement OAuth 2.0 in your own application? In this talk I’ll start with OAuth 2.0 basics, then jump into implementation details using The PHP League’s oauth2-server library.



Rob Wilson at 20:15 on 13 May 2020

OAuth is one of the topics that until you start implementing it, it will always baffle you. Some great code examples given, and very to-the-point slides with great links to RFCs and other sources too.

Would have been great to see further implementations of the code during the talk, but we only had a finite amount of time this evening.

Owen Voke at 20:57 on 13 May 2020

Great talk on a really interesting topic that always confuses me. The slides were informative, and provided a good overview of how OAuth 2.0 works.

It would have been nice to see some more examples of the code (or seen the code for longer during the talk), however due to time constraints that's understandable. And it's on GitHub, so that's great!

Great talk. I finally got some of the OAuth concepts, so thank you for explaining them well.

My very minor suggestion. I was wondering if there would be a benefit in reordering the slides slightly.

The first flow you introduced was password grant. I think introducing the diagram earlier might have helped. There were times when you were talking through the flow (at a high level) and the slide shown was Slide 8 "TRUSTED CLIENTS: PASSWORD GRANT" (with bullet points). It might aid clarity if you did a briefer introduction to the flow, then went straight to the diagram, then had another slide after the diagram which had the bulk of what was on slide 8.

The only other point might be to emphasise why a refresh token is needed. Someone might ask why not just issue the longer-lasting auth token.

Other than those tiny points it was a great talk and that is the first time I've understood OAuth. I fear it no longer. Thanks
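The comment above asks why a password grant should hand out a short-lived access token plus a refresh token instead of one long-lived token. The reason is that the access token is a bearer credential sent to every resource server on every request, so a short lifetime caps the damage if it leaks, whereas the refresh token is only ever presented back to the authorization server, which can rotate it (single use) and revoke it. The following is an added example, not code from the talk or from The PHP League's oauth2-server library: a minimal in-memory token endpoint that implements the password grant and the refresh_token grant with rotation. The client, user and secret values are constructed for the demo, and the clock is injectable so expiry can be exercised offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed demo data (not from the talk): one trusted first-party client
# and one resource owner. A real server would hash these.
CLIENTS = {"trusted-app": "client-secret-123"}
USERS = {"alice": "correct horse battery staple"}

ACCESS_TTL = 600             # 10 minutes: bearer token seen by every resource server
REFRESH_TTL = 30 * 24 * 3600  # 30 days: only ever sent back to the auth server


@dataclass
class Token:
    value: str
    user: str
    client_id: str
    expires_at: float
    revoked: bool = False


class AuthServer:
    """Toy authorization server exposing a token endpoint for two grant types."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so tests can fast-forward
        self.access = {}        # token value -> Token
        self.refresh = {}       # token value -> Token

    def _issue(self, user, client_id):
        a = Token(secrets.token_urlsafe(32), user, client_id, self.now() + ACCESS_TTL)
        r = Token(secrets.token_urlsafe(32), user, client_id, self.now() + REFRESH_TTL)
        self.access[a.value] = a
        self.refresh[r.value] = r
        return {
            "access_token": a.value,
            "token_type": "Bearer",
            "expires_in": ACCESS_TTL,
            "refresh_token": r.value,
        }

    def _authenticate_client(self, client_id, client_secret):
        expected = CLIENTS.get(client_id)
        # constant-time comparison so a wrong secret does not leak by timing
        return expected is not None and hmac.compare_digest(expected, client_secret or "")

    def token(self, grant_type, client_id, client_secret, **params):
        """The /token endpoint. Returns an RFC 6749 style success or error body."""
        if not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}

        if grant_type == "password":
            user = params.get("username")
            pw = params.get("password") or ""
            if user not in USERS or not hmac.compare_digest(USERS[user], pw):
                return {"error": "invalid_grant"}
            return self._issue(user, client_id)

        if grant_type == "refresh_token":
            old = self.refresh.get(params.get("refresh_token"))
            if (old is None or old.revoked or old.expires_at <= self.now()
                    or old.client_id != client_id):
                return {"error": "invalid_grant"}
            old.revoked = True   # rotation: each refresh token is single-use
            return self._issue(old.user, client_id)

        return {"error": "unsupported_grant_type"}

    def validate_access(self, value):
        """What a resource server does with a bearer token: user on success, else None."""
        t = self.access.get(value)
        if t is None or t.expires_at <= self.now():
            return None
        return t.user


if __name__ == "__main__":
    clock = [0.0]
    srv = AuthServer(now=lambda: clock[0])
    first = srv.token("password", "trusted-app", "client-secret-123",
                      username="alice", password="correct horse battery staple")
    print("access valid now:", srv.validate_access(first["access_token"]))
    clock[0] += ACCESS_TTL + 1
    print("access valid after expiry:", srv.validate_access(first["access_token"]))
    second = srv.token("refresh_token", "trusted-app", "client-secret-123",
                       refresh_token=first["refresh_token"])
    print("refreshed:", "access_token" in second)
    replay = srv.token("refresh_token", "trusted-app", "client-secret-123",
                       refresh_token=first["refresh_token"])
    print("replay of used refresh token:", replay)
```

A leaked access token is only good until `expires_in` runs out, and a leaked refresh token is useless to an attacker without the client credentials and is invalidated the moment the legitimate client uses it; a single long-lived token would give neither protection.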

Dan Ackroyd at 16:35 on 16 May 2020

Hi Ian,

Apologies if I don't express the following very well, but I think the talk would be better if it was more 'story' focused rather than technical focused.

I think you could do with spending a bit more time at the start explaining why people would use OAuth, and why companies provide OAuth APIs.

And then for each of the individual topics, they would be easier to understand if they were introduced as a story that gives a human-relatable explanation of why someone would want to use that.

Although the technical details are interesting, unless someone is going to sit down and start using OAuth in the next 12 hours, it's unlikely they will be able to remember those details. I think separating the technical details out into a series of small blog posts, e.g. grants and the bearer tokens, and linking to them but not discussing them in depth would be a better use of the time in the talk.

And finally, I asked a question about this, but I think it's almost always a good idea to say when not to use a technology, and there's definitely cases when not to use it. That type of info is probably the most valuable info to pass on.