Runscope API Testing and Monitoring    Learn More →

Taming OAuth's Split Personality

By John Sheehan on .


If you use a lot of APIs, there's no doubt you've encountered OAuth in one of its various forms. That will continue to the case for the foreseeable future now that the OAuth 2.0 spec has settled and mainstream web services with public APIs have adopted it almost universally.

Like most people, we have a love/hate relationship with OAuth. The good parts outweigh the bad parts, but there are many frustrations one encounters implementing it (on both the provider and consumer sides) . Runscope CTO Frank Stratton recently wrote up his thoughts from building the OAuth 2-powered Runscope API. He sums up his experience thusly:

After writing the Runscope API, and several OAuth API clients to other services. I’ve finally had some time to figure out how I feel about OAuth 2.0… OAuth is awesome, OAuth is horrible.

Frank's post is worth a read, but I'll sum it up like this: OAuth is a necessary evil for building API-driven ecosystems. Love it or hate it (or both), it's part of the world we operate in.

But wait, there's hope!

Thankfully there are tools to make working with OAuth easier. Here are a couple that we offer or are involved with.

Runscope OAuth 2 Token Generator

In Frank's post, he mentions that one of the biggest drawbacks of OAuth is that the client must also be a server. Sometimes you just want an access token without having to set up a web site to handle the auth flow. That's where our token generator comes in. Enter your app credentials (we recommend creating an app just for this tool) and the auth flow endpoints and a few clicks later, you've got an access token to test with. OAuth for one

Marty Alchin was also annoyed with OAuth, and thought of a clever way to solve it. That idea turned into, a service that allows you to connect with 56 OAuth-powered services once, and then use a single username and password (and HTTP basic auth) to access your data on those services. If you just need to prototype against a service, or want to access your own data, is a great solution.

Like other OAuth aggregators, requires you to hand over the keys. Because this doesn't work for every situation, Marty recently released a private OAuth proxy that you can run for yourself with a free Heroku account. The private proxy also has automatic Runscope support if you have our add-on installed. If you've got particularly sensitive credentials, the private proxy is the way to go. is exactly the kind of tool we like to support, and so we've sponsored the project so Marty can continue to dedicate resources to it. We're excited to see where he takes it next.

Get your free Runscope account and stop fighting with OAuth.  Hopefully these two tools will help you the next time you run into a wall. If there's anything else we can do to help as well, feel free to get in touch

Categories: community, security, api ecosystem

Everything is going to be 200 OK®