Continuing last weekend's documentation of all the unspecified parts of OAuth 2.0, things were going pretty well until I hit the "Security Considerations" section, which recommends but doesn't require a whole bunch of things. In practice this means an API can be fully OAuth 2.0 compliant and also completely insecure.
If you want to know more, keep an eye out for this blog post. Or hire me as an independent OAuth consultant and I'd gladly spend a day with you.
Aaron Parecki is CTO of Esri's Portland R&D Center, and the co-founder of IndieWebCamp. He is known for having tracked his location at 5 second intervals since 2008, and for co-founding Geoloqi, a location-based software company acquired by Esri in 2012. His work has been featured in Wired, Fast Company and more. He was featured in Inc. Magazine's 30 Under 30 with Geoloqi co-founder Amber Case.