OAuth2 extensions
These extensions are what make OAuth2 usable in practice; core OAuth2 alone says nothing about token format, revocation, discovery or client onboarding:
- OpenID connect
- JWT
- Token revocation
- Token introspection
- Dynamic client registration
- Authorization server metadata discovery
JWT
- It is RFC 7519 - JSON Web Token, a compact set of JSON claims, normally signed as a JWS (RFC 7515)
- A signed JWT is encoded, not encrypted: anyone who holds the token can base64url-decode the claims without any key. Do not put sensitive info in a JWT (encrypted JWTs exist as JWE, RFC 7516, but they are not the default)
- The signature is what you trust, so verify it with the expected algorithm pinned before acting on any claim
Token Revocation
- It is RFC 7009 - Revokes (cancels) a token via an API: the client POSTs the token, plus an optional token_type_hint, to the authorization server's revocation endpoint
- The endpoint answers 200 whether or not the token was valid, so it cannot be used to probe which tokens are live; only the client the token was issued to may revoke it
Token Introspection
- It is RFC 7662 - Lets a protected resource (or a client) ask the authorization server what a token means: whether it is active, and its scope, client, subject and expiry
- Useful for opaque tokens, which carry nothing decodable
- The response says whether the token is active or not; for an unknown, expired or revoked token it is simply {"active": false}, with no reason given
- Effectively required if you have token revocation: a self-contained token still passes local signature checks after it has been revoked, so only the authorization server knows its current state
- With introspection, a resource server can query the authorization server to learn whether the token is still valid instead of trusting an embedded expiry alone
- The introspection endpoint must authenticate its callers, otherwise anyone can test tokens against it
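Both endpoints above, revocation and introspection, as one added example that is not from the original page. It is a constructed in-memory stand-in for the authorization-server side, with the HTTP endpoints played by plain methods; TLS and transport-level client authentication are assumed to happen before they are called.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    client_id: str  # client the token was issued to
    sub: str        # resource owner
    scope: str
    exp: int        # unix time
    revoked: bool = False


class AuthorizationServer:
    """Constructed stand-in for the AS side of RFC 7009 and RFC 7662."""

    def __init__(self, resource_servers: set):
        self._tokens: dict = {}
        # RFC 7662 section 2.1: callers of the introspection endpoint must be
        # authorized; an open endpoint lets anyone test tokens.
        self._resource_servers = set(resource_servers)

    def issue(self, client_id: str, sub: str, scope: str, ttl: int,
              now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)  # opaque: nothing about it is decodable
        self._tokens[token] = TokenRecord(client_id, sub, scope, now + ttl)
        return token

    def revoke(self, token: str, client_id: str,
               token_type_hint: Optional[str] = None) -> int:
        """RFC 7009 revocation endpoint (POST token=...&token_type_hint=...).
        Returns the HTTP status: 200 whether or not the token existed, so the
        endpoint reveals nothing about which tokens are live. The hint is only
        an optimisation and may be ignored."""
        rec = self._tokens.get(token)
        # Only the client the token was issued to may revoke it.
        if rec is not None and rec.client_id == client_id:
            rec.revoked = True
        return 200

    def introspect(self, token: str, caller: str,
                   now: Optional[int] = None) -> dict:
        """RFC 7662 introspection endpoint. Unknown, expired and revoked tokens
        all get the same minimal {"active": false}; no reason is given."""
        if caller not in self._resource_servers:
            raise PermissionError("introspection caller not authorized")
        now = int(time.time()) if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec.revoked or now >= rec.exp:
            return {"active": False}
        return {
            "active": True,
            "client_id": rec.client_id,
            "sub": rec.sub,
            "scope": rec.scope,
            "exp": rec.exp,
            "token_type": "Bearer",
        }


if __name__ == "__main__":
    srv = AuthorizationServer(resource_servers={"orders-api"})
    tok = srv.issue("web-app", "alice", "orders:read", ttl=3600)
    print(srv.introspect(tok, caller="orders-api"))
    srv.revoke(tok, client_id="other-app")   # wrong client: no effect
    print(srv.introspect(tok, caller="orders-api")["active"])
    srv.revoke(tok, client_id="web-app")
    print(srv.introspect(tok, caller="orders-api"))
```

The two design points worth copying into a real server are the uniform 200 from revocation and the uniform {"active": false} from introspection: neither response distinguishes "never existed" from "revoked" or "expired", so the endpoints give an attacker nothing to enumerate.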
Dynamic Client Registration
- It is RFC 7591 - Defines a consistent API for creating OAuth clients: POST a JSON document of client metadata (redirect_uris, client_name, grant_types, token_endpoint_auth_method, ...) and get back a client_id and, for confidential clients, a client_secret
- Useful in a self-service API developer console
- Followed by RFC 7592 - Dynamic Client Registration Management: read, update and delete the registration at the registration_client_uri using the registration_access_token returned at registration time
- The server must validate what it is handed, above all redirect_uris; accepting them blindly means registering attacker-controlled redirect targets
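A registration endpoint with the validation the previous bullet calls for, as an added example that is not from the original page. The REGISTRATION_BASE URL is hypothetical; the defaults for grant_types and token_endpoint_auth_method are the ones RFC 7591 specifies.

```python
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical base for the RFC 7592 registration_client_uri values.
REGISTRATION_BASE = "https://as.example.com/register"

REDIRECT_GRANTS = {"authorization_code", "implicit"}
AUTH_METHODS = ("none", "client_secret_basic", "client_secret_post", "private_key_jwt")


def validate_redirect_uri(uri: str) -> None:
    """Reject redirect targets an AS must not accept: relative URIs, fragments,
    and plain http anywhere but the native-app loopback (RFC 8252)."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"redirect_uri must be absolute: {uri}")
    if parts.fragment or uri.endswith("#"):
        raise ValueError(f"redirect_uri must not contain a fragment: {uri}")
    if parts.scheme == "https":
        return
    if parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1", "::1"):
        return
    raise ValueError(f"redirect_uri scheme not allowed: {uri}")


def register_client(request: dict, now: Optional[int] = None) -> dict:
    """RFC 7591 registration endpoint: validate the metadata, mint credentials."""
    now = int(time.time()) if now is None else now
    # Defaults from RFC 7591 section 2.
    grant_types = request.get("grant_types", ["authorization_code"])
    auth_method = request.get("token_endpoint_auth_method", "client_secret_basic")
    redirect_uris = request.get("redirect_uris", [])

    if REDIRECT_GRANTS & set(grant_types) and not redirect_uris:
        raise ValueError("redirect_uris is required for redirect-based grant types")
    for uri in redirect_uris:
        validate_redirect_uri(uri)
    if auth_method not in AUTH_METHODS:
        raise ValueError(f"unsupported token_endpoint_auth_method: {auth_method}")

    client_id = secrets.token_urlsafe(16)
    response = {
        "client_id": client_id,
        "client_id_issued_at": now,
        "redirect_uris": redirect_uris,
        "grant_types": grant_types,
        "token_endpoint_auth_method": auth_method,
        # RFC 7592: credential for managing this registration later, and where.
        "registration_access_token": secrets.token_urlsafe(32),
        "registration_client_uri": f"{REGISTRATION_BASE}/{client_id}",
    }
    if "client_name" in request:
        response["client_name"] = request["client_name"]
    # Public clients ("none") and private_key_jwt clients get no shared secret.
    if auth_method in ("client_secret_basic", "client_secret_post"):
        response["client_secret"] = secrets.token_urlsafe(32)
        response["client_secret_expires_at"] = 0  # 0 = never expires (RFC 7591)
    return response


if __name__ == "__main__":
    print(register_client({"client_name": "Demo web app",
                           "redirect_uris": ["https://app.example/cb"]}))
    try:
        register_client({"redirect_uris": ["http://attacker.example/cb"]})
    except ValueError as err:
        print("rejected:", err)
```

Note the asymmetry: a confidential client must present the registration_access_token, not its client_secret, to later GET, PUT or DELETE its record at the registration_client_uri; keeping the two credentials separate is what lets RFC 7592 management work for public clients too.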
Authorization Server Metadata
- It is RFC 8414 - the Authorization Server Metadata specification (aka the OAuth Discovery Document)
- Allows us to query the authorization server itself at a well-known URL, get back a JSON document with its capabilities and related endpoints (authorization, token, JWKS, introspection, revocation, registration), and configure our applications from that instead of by hand
- The issuer value inside the document must be identical to the issuer URL it was fetched for; a client that skips that check can be pointed at an impostor's endpoints
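Discovery on the client side, as an added example that is not from the original page: build the RFC 8414 well-known URL from an issuer, validate a fetched document, and derive the client's endpoint configuration. The issuer and the SAMPLE document are constructed stand-ins for what a real GET would return; no network call is made.

```python
import json
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "response_types_supported")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "registration_endpoint", "introspection_endpoint", "revocation_endpoint")


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known segment goes between the host and the
    issuer's path, e.g. https://as.example.com/tenant1 becomes
    https://as.example.com/.well-known/oauth-authorization-server/tenant1
    (OpenID Connect Discovery instead appends /.well-known/openid-configuration)."""
    parts = urlsplit(issuer)
    return (f"{parts.scheme}://{parts.netloc}"
            f"/.well-known/oauth-authorization-server{parts.path.rstrip('/')}")


def load_metadata(expected_issuer: str, body: str) -> dict:
    """Parse and validate a discovery document before trusting anything in it."""
    md = json.loads(body)
    missing = [k for k in REQUIRED if k not in md]
    if missing:
        raise ValueError(f"metadata missing {missing}")
    # RFC 8414 section 3.3: the issuer in the document must be byte-identical
    # to the issuer we fetched it for, or we may be configuring ourselves
    # against an impostor that serves a plausible-looking document.
    if md["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch")
    iss = urlsplit(md["issuer"])
    if iss.scheme != "https" or iss.query or iss.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    for key in ENDPOINT_KEYS:
        if key in md and urlsplit(md[key]).scheme != "https":
            raise ValueError(f"{key} must be https")
    return md


def client_config(md: dict) -> dict:
    """Pick the endpoints a code-flow client needs and confirm PKCE S256 is offered."""
    if "code" not in md["response_types_supported"]:
        raise ValueError("server does not support the authorization code flow")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")
    return {
        "authorize": md["authorization_endpoint"],
        "token": md["token_endpoint"],
        "jwks": md.get("jwks_uri"),
        "revoke": md.get("revocation_endpoint"),
        "introspect": md.get("introspection_endpoint"),
        "register": md.get("registration_endpoint"),
    }


# Constructed issuer and discovery document, standing in for a real fetch.
ISSUER = "https://as.example.com/tenant1"
SAMPLE = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "jwks_uri": "https://as.example.com/tenant1/jwks",
    "revocation_endpoint": "https://as.example.com/tenant1/revoke",
    "introspection_endpoint": "https://as.example.com/tenant1/introspect",
    "registration_endpoint": "https://as.example.com/tenant1/register",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "orders:read"],
})

if __name__ == "__main__":
    print("would fetch:", metadata_url(ISSUER))
    print(client_config(load_metadata(ISSUER, SAMPLE)))
```

The issuer comparison is the check most hand-rolled discovery clients skip; without it, control of any hostname the client can be talked into "discovering" is enough to redirect its token requests.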
Misc Extensions
SMART on FHIR
- Designed specifically to integrate with electronic health records and patient portals and to share data between them more easily and safely
- Built on OAuth2 and OpenID Connect, with scopes that say which kinds of clinical records an app may read or write
- This allows the receptionist in your doctor's office to see which tests were performed but not necessarily the results; only your doctor can see those
HEART
- Health Relationship Trust
- A set of profiles over OAuth2, OpenID Connect and UMA that lets a patient control which specific pieces of their health data are shared, and with whom
Open Banking
- Banking information should be easily but securely accessible via APIs
- Some countries have implemented Open Banking laws (PSD2 in the EU, the UK Open Banking standard)
- Typically built on FAPI (Financial-grade API), an OpenID Foundation hardening profile of OAuth2 and OpenID Connect