Probably this introduction is good for some purposes but for me it is too informal and too far from (my) reality. I would say it is 90% identical to many other introductions to OAuth.

I have been trying to comprehend and formulate the main idea behind the usage of this technology, for example, as follows:

    OAuth allows us to use surrogates (like JWT) instead of the original credentials (like name and password), with the main benefit that once it is available, the original credentials are not needed anymore: neither by the client nor by the server
Why is it the central idea? Because we do not consider where and how the tokens are obtained: you can get it by USB stick or maybe forge it somehow artificially. It is important only that access to resources requires a special piece of data rather than (traditional) credentials. The main question for the client is whether the server will accept this token or not. For the server, the main question is whether it can trust this client and its tokens. We also abstract from what is inside this token and how the server decides what to do - these are considered details.

Am I missing something more important?
This also has a very nice and simple explanation of the whole thing:

https://www.youtube.com/watch?v=996OiexHze0

It's about 1h long, but it's really worth it.
This introduction is pretty simple and concise to just understand what it is: https://www.cloudflare.com/learning/access-management/what-is-oauth/

Follow that up with this SAML and OAuth comparison: https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/

Then see how OpenID Connect fits in: https://www.okta.com/identity-101/whats-the-difference-between-oauth-openid-connect-and-saml/ and https://www.gluu.org/blog/oauth-vs-saml-vs-openid-connect/

And this page shows examples of a web app using OAuth2: https://connect2id.com/learn/oauth-2
I like these explanations a lot; they were super useful when I had to dig deep on OAuth2 and OIDC

https://connect2id.com/learn/oauth-2
I'm an experienced programmer and I've never found anything harder to work with than OAuth 2.0. Every project I work on, there's a two week "WTF" while we figure out all the details.
From what I understand about OAuth, I don't see how it solves the privacy problems. The Authorisation Server is aware of all client requests made on behalf of the user, therefore giving a rich profile of user interests.

Am I missing something?
Can anyone recommend an SMTP server that doesn't require OAuth2? Currently my company uses GSuite, but OAuth2 will be mandatory, and the open source projects we use as the base for our internal software won't support it (because they can't get the certifications).