pverheggen 7 days ago

FWIW, this is fairly out of date - password grant must not be used and authorization code should be used in place of implicit. I highly recommend anyone dealing with OAuth to read the BCP and not just the spec, especially if you're rolling your own: https://datatracker.ietf.org/doc/html/rfc9700 As for your API surface, typically you'd handle this at the gateway level, then individual services don't have to perform authorization.
maxwellg 7 days ago | parent

I would also recommend the OAuth 2.1 IETF draft as a precursor to the BCP: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-... Although it isn't a published RFC yet, it intends to replace several sometimes-conflicting previous RFCs + the BCP with a single document.
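An added example (not from either commenter) of how an authorization server or gateway can enforce the two points pverheggen raises, refusing the implicit grant (`response_type=token`) and the password grant, plus two further RFC 9700 requirements the thread does not spell out: exact redirect_uri matching and PKCE for public clients. The client registry and the `check_*` functions are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed client registry for this example; real servers load this from storage.
REGISTERED_CLIENTS = {
    "web-app": {"redirect_uris": {"https://app.example.com/callback"}, "public": False},
    "spa":     {"redirect_uris": {"https://spa.example.com/cb"}, "public": True},
}


def check_authorization_request(url: str) -> list[str]:
    """Return the RFC 9700 violations found in an authorization-endpoint request URL."""
    q = parse_qs(urlsplit(url).query)
    first = lambda k: q.get(k, [None])[0]
    problems = []

    response_type = first("response_type")
    if response_type is None:
        problems.append("missing response_type")
    elif "token" in response_type.split():
        # Implicit grant returns the access token in the front channel; BCP: MUST NOT use.
        problems.append("implicit grant (response_type=token) is prohibited; use code")

    client = REGISTERED_CLIENTS.get(first("client_id"))
    if client is None:
        problems.append("unknown client_id")
    else:
        # BCP requires exact string comparison, not prefix or wildcard matching.
        if first("redirect_uri") not in client["redirect_uris"]:
            problems.append("redirect_uri does not exactly match a registered URI")
        # BCP: public clients MUST use PKCE (code_challenge on the authorization request).
        if client["public"] and not first("code_challenge"):
            problems.append("public client must send code_challenge (PKCE)")
    return problems


def check_token_request(form: dict[str, str]) -> list[str]:
    """Return the RFC 9700 violations found in a token-endpoint request body."""
    problems = []
    grant = form.get("grant_type")
    if grant == "password":
        # Resource owner password credentials grant exposes user credentials to the client.
        problems.append("password grant is prohibited")
    elif grant == "authorization_code":
        client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
        if client is None:
            problems.append("unknown client_id")
        elif client["public"] and not form.get("code_verifier"):
            problems.append("public client must send code_verifier (PKCE)")
    return problems
```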