OAuth is an emerging Web standard that lets users grant third-party clients restricted access to resources they own. In the past, it was common to ask a user to share username and password information with the client. OAuth is more secure as it allows the user to grant restricted access to applications and data, by issuing a token with limited capabilities. OAuth is rapidly becoming a foundation of the modern Web and has grown far beyond its social media roots. This evolution is being driven by the corporate need to support increasingly diverse clients—particularly mobile devices. Organizations are aggressively deploying APIs to service the mobile delivery channel and OAuth is the best practice for API authorization. However, OAuth is only one component of a full API access control and security solution. It is important not to lose sight of the big picture of API management—including user management, auditing, throttling and threat detection. APIs are often a direct conduit to mission-critical enterprise applications. They need a full, enterprise-class security solution to protect them.
This white paper describes what OAuth is and how it fits into a complete API security solution, why implementing OAuth can be complex and how you can make OAuth implementation simple for your organization.