OAuth 2 in Action and OAuth 2.0 Identity and Access Management Patterns by Martin Spasovski

Today I review two books!

OAuth 2 in Action

This book was very interesting; it provided enough theory and hands-on experience.

Very nice and understandable diagrams; furthermore, it has examples and references to GitHub repos with Node.js projects. This book discusses not only how to do OAuth, but also gives examples of how to attack OAuth!

It covers the different OAuth2 flows and gives really good recommendations.

Still, one important thing is missing: an explanation of how to identify the context of an OAuth2 token, which means that if a client gets an access token, it should be clearly separated which type of access it is allowed.
What do I mean by that?
A client needs to read and write on the page, and OAuth2 as an authorization protocol should define exactly where a user has access and to which actions; a user shouldn’t access the administration page or edit posts done by moderators or admins.
This book doesn’t provide any good explanation or examples of how to use a security context together with an access token.
Still, I can recommend reading this book to anyone who is interested in learning OAuth2, because it is one of the best introductions to OAuth2!
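As an added example (not code from either book, nor from the author's project), here is one way a resource server can combine the access token's scopes with an application security context: the scope says what kind of access the client was granted, and the application's own role and ownership data decide whether this particular post or page may be touched. The token claims, roles and posts are constructed sample data, and the token is assumed to have been validated (signature, issuer, audience, expiry) before it reaches this check.

```javascript
// Constructed sample claims, as they might look after token validation.
const SAMPLE_TOKENS = {
  alice: { sub: "alice", scope: "posts:read posts:write", role: "user" },
  mod:   { sub: "mod",   scope: "posts:read posts:write", role: "moderator" },
  root:  { sub: "root",  scope: "posts:read posts:write admin", role: "admin" },
  eve:   { sub: "eve",   scope: "posts:read", role: "user" },
};

// Constructed sample resources owned by different roles.
const SAMPLE_POSTS = {
  1: { id: 1, author: "alice", authorRole: "user" },
  2: { id: 2, author: "mod", authorRole: "moderator" },
};

// Application security context: who outranks whom. Unknown roles rank below everyone.
const ROLE_RANK = { user: 0, moderator: 1, admin: 2 };
const rankOf = (role) => (role in ROLE_RANK ? ROLE_RANK[role] : -1);

const allow = () => ({ allowed: true, reason: "ok" });
const deny = (reason) => ({ allowed: false, reason });

// OAuth2 "scope" is a space-separated list of granted access types.
function hasScope(claims, needed) {
  return typeof claims.scope === "string" && claims.scope.split(" ").includes(needed);
}

// Decide whether the caller may perform `action` on `resource`.
// Step 1: the token's scope must cover the access type (what OAuth2 gives us).
// Step 2: the application's own context (role, ownership) decides the specific resource.
function authorize(claims, action, resource) {
  switch (action) {
    case "post:read":
      return hasScope(claims, "posts:read") ? allow() : deny("missing scope posts:read");
    case "post:edit":
      if (!hasScope(claims, "posts:write")) return deny("missing scope posts:write");
      if (resource.author === claims.sub) return allow();            // own post
      if (rankOf(claims.role) > rankOf(resource.authorRole)) return allow(); // outranks author
      return deny(`${claims.role} may not edit posts by ${resource.authorRole}`);
    case "admin:view":
      if (!hasScope(claims, "admin")) return deny("missing scope admin");
      if (claims.role !== "admin") return deny("role admin required");
      return allow();
    default:
      return deny(`unknown action ${action}`); // fail closed
  }
}

module.exports = { SAMPLE_TOKENS, SAMPLE_POSTS, authorize };
```

Note that a moderator's token and a user's token carry the same scope string; only the application context separates what each may edit.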

OAuth 2.0 Identity and Access Management Patterns by Martin Spasovski

This book has the motto “hands on” experience first; you will see a lot of code in this book, but you will see some diagrams too.

For my taste it is just too short, and once again it is missing a complete picture of how to do OAuth2 “right”.

It uses Facebook and LinkedIn as identity providers, but that is really not my case; I do not plan to rely on any public identity providers!

Can I recommend this book? No, this book won’t give you the type of information you are probably looking for. Sure, it has some examples of OAuth2 implementation, but before you actually take it into production, you should evaluate risks and security concerns and ask yourself whether this is a “good” or “right” solution for your business case.

In my opinion, if the author of this book had concentrated on the question of how to implement OAuth on premise and not depend on public identity providers, the book would be larger, but it would include the most complete experience; right now, in 2021, this book is only quick reference material, no more and no less.

I don’t really recommend buying this book.

Here you go, two reviews in one. My further impression of OAuth2 is that it’s not the ultimate solution, because a client can be compromised and its access token can be stolen, and an identity provider can be hacked and the access tokens of its users can be stolen too!

Sure, absolute security does not exist; still, I hope that in my case, after reading so many books, my implementation of OAuth2 will be as clear as possible. I strongly recommend visiting my GitHub project: Job Manager Angular version 2020