[Book review] OAuth 2.0 Identity and Access Management Patterns


I agreed to review the newly published OAuth 2.0 Identity and Access Management Patterns by Martin Spasovski. He is a friend of mine, so in the interest of impartiality it is only fair that I disclose this up front.

OAuth is the most widely known and used authorization framework. Many service providers, such as Facebook and Twitter, use it to make it easy to connect with millions of users. From the user's perspective it is significantly simpler than remembering and managing different passwords, which are easily mishandled. The book makes a nice introduction to integrating OAuth 2.0 into web, desktop and mobile applications. It also covers the various flows and a server-side implementation using Spring MVC. While the examples throughout the book are clean, one part really caught my attention:
  tokenEndpoint
  .concat("?grant_type=client_credentials")
  .concat("&client_id=").concat(clientId)
  .concat("&client_secret=").concat(clientSecret)
  .concat("&user_id=").concat(user_id)
Concatenating strings with String.concat is something I would consider a premature optimization for speed. A much cleaner way would be regular + based concatenation or maybe even String.format. In any case that is probably completely irrelevant and off topic, but I just can't help it.
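Beyond the style point, the snippet is worth a second look for where the credentials end up. RFC 6749 section 2.3.1 says a client must not transmit its client_id and client_secret in the request URI (they belong in an HTTP Basic Authorization header, or at most in the request body), and section 3.2 requires the token endpoint to be called with POST; a secret in a query string lands in proxy and server access logs, browser history and Referer headers. The block below is an added example, written in Python for this review and not code from the book or from Spring: it builds a client_credentials token request the way the specification prefers, shows the server-side decoding of the Basic header, and includes a small check that flags secret-bearing parameters in a URL. The endpoint and credentials are constructed placeholders.

```python
import base64
from urllib.parse import urlencode, quote, unquote, urlsplit, parse_qs

# Constructed sample values for this example; not a real endpoint or real credentials.
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "s3cr3t value"


def basic_auth_header(client_id, client_secret):
    """Build the HTTP Basic header for the token endpoint.

    RFC 6749 section 2.3.1: form-urlencode the client_id and client_secret,
    join them with ':' and base64-encode the result. The urlencoding is what
    keeps a ':' inside an id or secret from being misparsed by the server.
    """
    creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def parse_basic_auth(header):
    """Server side: recover (client_id, client_secret) from a Basic header,
    undoing the form-urlencoding applied by basic_auth_header."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(encoded).decode("ascii")
    client_id, _, client_secret = decoded.partition(":")
    return unquote(client_id), unquote(client_secret)


def build_client_credentials_request(token_endpoint, client_id, client_secret, scope=None):
    """Describe the token request: POST, credentials in the Authorization header,
    grant parameters in a form-urlencoded body, nothing secret in the URL."""
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(params),
    }


# Parameter names that should never travel in a URL: they end up in browser
# history, proxy and server access logs, and Referer headers.
SECRET_QUERY_PARAMS = {"client_secret", "password", "access_token", "refresh_token"}


def secrets_in_query(url):
    """Return the sorted names of secret-bearing parameters found in the URL's query."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name in SECRET_QUERY_PARAMS)


if __name__ == "__main__":
    # The shape of the book's snippet, rebuilt as a URL so the check can flag it.
    leaky = (TOKEN_ENDPOINT + "?grant_type=client_credentials"
             + "&client_id=" + quote(CLIENT_ID, safe="")
             + "&client_secret=" + quote(CLIENT_SECRET, safe=""))
    print("secrets in query:", secrets_in_query(leaky))
    req = build_client_credentials_request(TOKEN_ENDPOINT, CLIENT_ID, CLIENT_SECRET, scope="read")
    print(req["method"], req["url"], req["body"])
    print("secrets in query:", secrets_in_query(req["url"]))
```

The returned dict is deliberately transport-agnostic; hand its fields to whatever HTTP client is in use. The `secrets_in_query` check is the kind of thing worth dropping into a test suite or a log-scrubbing filter so that a query-string credential is caught before it reaches production.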

What I found really interesting is the chapter titled "Additional Security with SAML", mostly because I did not know there was such a thing out there, let alone had used it. SAML, or Security Assertion Markup Language, is an XML-based standard for exchanging authentication and authorization data about a subject (the user) between an identity provider and a service provider. SAML provides single sign-on across multiple domains and identity federation, which is useful for many enterprise applications.

A thing to note is that the proofreader did not do a good job, since even I, with my many typos and grammar errors, noticed this. This was a problem I had with my book, and it is an issue with most Packt Publishing books. Some folks on reddit and around the "internets" have claimed that this is because most of the authors are non-native English speakers. This cannot be the case, since there are many non-native authors with other publishers who do a great job, so why can't Packt?
For me this does not affect the overall impression, but I know there are some grammar nazis out there.

One incorrect assumption I made before starting the book was that it would only cover Java-related tooling and implementation. There are sections with references to all major programming languages and various tooling support that will assist you regardless of your preferred language.

To sum it up, the book is an awesome reference for OAuth 2.0 and the various patterns for integrating it into your system. I know I will get back to it at some point in the future. You should get it if you expect to do any OAuth integration, whether server or client side.
