Designing Evolvable Web APIs with ASP.NET
by Glenn Block, Pablo Cibraro, Pedro Felix, Howard Dierking, Darrel Miller
Chapter 16. The OAuth 2.0 Authorization Framework
Delegata potestas non potest delegari.
The OAuth 2.0 Authorization Framework, defined by RFC 6749, is an evolution of the OAuth 1.0 protocol. At the time of writing, it is used by several popular Web APIs such as the Google APIs, Facebook, and GitHub. Its main usage scenario is delegated constrained authorization. As an example, consider the fictional scenario depicted in Figure 16-1.

In the figure, you can see that:
- storecode.example is a website for storing and managing code repositories, with an associated Web API.
- checkcode.example is a service for building and analyzing code, providing functionality such as continuous integration, coding-rule checking, error estimation, and test coverage.
- Alice uses the storecode.example site to store and manage her private code.
Alice wants to use the checkcode.example service to analyze the code she’s stored at storecode.example. The fact that storecode.example provides an API is an important enabler for this scenario, but a problem remains: how can Alice allow checkcode.example to access some of her private code repositories?
A solution to this problem would be for Alice to provide her storecode.example credentials (e.g., username and password) to checkcode.example, so that this service could access her private code. However, this solution has ...