
[Book review] OAuth 2.0 Identity and Access Management Patterns


I agreed to review the newly published OAuth 2.0 Identity and Access Management Patterns by Martin Spasovski. He is a friend of mine, so in the interest of impartiality it is only fair to disclose this beforehand.

OAuth is the most widely known and used authorization framework. Many service providers like Facebook and Twitter support it, making it easy to connect with millions of users. From the user's perspective it is significantly simpler than remembering and managing different passwords, which are easily compromised. The book gives a nice introduction to integrating OAuth 2.0 into web, desktop and mobile applications. It also covers the various flows and a server-side implementation using Spring MVC. While the examples throughout the book are clean, one part really caught my attention:
  // snippet as quoted from the book: builds the token request URL
  String tokenRequestUrl = tokenEndpoint
      .concat("?grant_type=client_credentials")
      .concat("&client_id=").concat(clientId)
      .concat("&client_secret=").concat(clientSecret)
      .concat("&user_id=").concat(user_id);
Concatenating strings using String.concat is something I would consider a premature optimization for speed. A much cleaner way would be the regular + based concatenation, or maybe even String.format. In any case this is probably completely irrelevant and off topic, but I just can't help it.
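Readability aside, there is a more practical problem with building the token request as a query string: whether the pieces are joined with concat, + or String.format, the values are never URL-encoded, so a client secret containing "&", "+" or "=" silently corrupts the request, and the secret ends up in the request URI that proxies and access logs record. RFC 6749 (section 2.3.1 and 4.4.2) instead has the client send the token request as a POST with an application/x-www-form-urlencoded body and authenticate with HTTP Basic, where the client_id and client_secret are form-encoded before being used as the username and password. The following is an added example of that construction, written for this review and not taken from the book; it uses the standard Java 11 java.net.http client, a hypothetical endpoint and credentials, and omits the non-standard user_id parameter from the book's snippet (the client credentials grant defines only grant_type and scope).

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class ClientCredentialsRequest {

    // Builds an application/x-www-form-urlencoded body, encoding every key and value,
    // so a secret or scope containing '&', '+' or '=' cannot break the request.
    static String formEncode(Map<String, String> params) {
        return params.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)
                + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    // RFC 6749 section 2.3.1: form-encode client_id and client_secret, then use them
    // as the HTTP Basic username and password on the token request.
    static String basicCredentials(String clientId, String clientSecret) {
        String userPass = URLEncoder.encode(clientId, StandardCharsets.UTF_8)
            + ":" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder()
            .encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    // The token request itself: POST to the token endpoint, credentials in the
    // Authorization header, grant parameters in the form-encoded body. Nothing
    // secret is placed in the URL.
    static HttpRequest buildTokenRequest(String tokenEndpoint, String clientId,
                                         String clientSecret, String scope) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "client_credentials");
        if (scope != null) {
            params.put("scope", scope);
        }
        return HttpRequest.newBuilder(URI.create(tokenEndpoint))
            .header("Authorization", basicCredentials(clientId, clientSecret))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(formEncode(params)))
            .build();
    }

    public static void main(String[] args) {
        // Hypothetical endpoint and credentials, constructed for this example.
        String tokenEndpoint = "https://auth.example.com/oauth/token";
        String clientId = "my-client-id";
        String clientSecret = "s3cr3t/with+specials&chars";

        HttpRequest request = buildTokenRequest(tokenEndpoint, clientId, clientSecret, "read");

        Map<String, String> body = new LinkedHashMap<>();
        body.put("grant_type", "client_credentials");
        body.put("scope", "read");

        // The URI carries no credentials; the secret is only in the header and body.
        System.out.println(request.method() + " " + request.uri());
        System.out.println("Authorization: " + basicCredentials(clientId, clientSecret));
        System.out.println("Body: " + formEncode(body));
    }
}
```

To actually send the request, pass it to `HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString())` and parse the JSON access_token out of the response body; the main method above deliberately only builds and prints the request so it runs without network access. Some providers still accept client_secret in the POST body instead of the Authorization header, which RFC 6749 allows but does not recommend; the query string is never an acceptable place for it.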

What I found really interesting is the chapter titled "Additional Security with SAML", mostly because I did not know there was such a thing out there, let alone had used it. SAML, the Security Assertion Markup Language, is an XML-based standard for exchanging authentication and authorization data between parties, typically an identity provider and a service provider, where a single party may act in both roles. SAML provides single sign-on across multiple domains and identity federation, which is useful for many enterprise applications.

A thing to note is that the proofreader did not do a good job, since even I, with my many typos and grammar errors, noticed this. This is a problem I had with my own book, and it is an issue with most Packt Publishing books. Some folks on reddit and around the "internets" have claimed that this is because most of the authors are non-native English speakers. This is not the case, since there are many non-native authors at other publishers who do a great job, so why can't Packt?
For me this does not affect the overall impression, but I know there are some grammar nazis out there.

One incorrect assumption I made before starting the book was that it would only cover Java-related tooling and implementation. There are sections with references to all major programming languages and various tooling that will assist you independently of your preferred language.

To sum it up, the book is an awesome reference for OAuth 2.0 and the various patterns for integrating it into your system. I know I will come back to it at some point in the future. You should get it if you expect to do any OAuth integration, whether on the server or the client side.

