Understanding OAuth: The Historical Requirements and Design Rationale
By cratermoon
Summary
The article responds to a request for a Matt Levine-style explanation of OAuth: not the technical mechanics, but why OAuth is designed the way it is and which historical requirements led to its current form. The author, who wrote the first sketch of an OAuth specification 19 years ago, sets out to explain the rationale behind the design by tracing the cascade of requirements that shaped it, rather than describing only how it works.
Key quotes
I desperately need a Matt Levine style explanation of how OAuth works. What is the historical cascade of requirements that got us to this place?
There are plenty of explanations of the inner mechanical workings of OAuth, and lots of explanations about how various flows etc work, but Geoffrey is asking a different question:
What I need is to understand why it is designed this way, and to see concrete examples of use cases that motivate the design
In the 19 years (!) since I wrote the first sketch of an OAuth specification, there has been a lot
