
Posts filtered by tag: oauth2

Understanding OAuth 2.0 and OpenID Connect

By Keith Casey.

Keith Casey, an API Problem Solver at Okta, covers the basics of OAuth 2.0 and OpenID Connect to help you build applications that are secure, reliable, and protect your systems and data the way you expect.

In the last few years, I’ve worked with dozens of companies to understand their needs, goals, and design on how they’ll use OAuth within their systems. Throughout those projects, I’ve found good news and bad news.

The good news is the tools and supporting libraries are steadily getting better, both in terms of ongoing support and security overall. As a result, mistakes that were common just a few years ago are steadily disappearing. This is a major win because if we start with better, more secure tools, we’ll build more secure software by default.

The bad news is there are still too many easy ways to build systems that look secure and seem secure but leak user information, application data, or inadvertently encourage bad security practices in downstream applications.

Therefore, let’s talk about some of those common mistakes and how we can improve security from day one. […]


Categories: apis, featured guest series


Jump start your app development with Runscope's OAuth 1.0a and OAuth 2 Token Generators

By John Sheehan.

If there's one thing we consistently hear from developers it's that getting started with OAuth is too hard. There are a daunting number of concepts to understand: complex multi-legged authentication flows, different grant types, request signatures and a bevy of other things you don't care about when you're first building your app.

Generating Tokens with the Runscope OAuth Token Generators

We wanted to make it easy to bypass the server requirement most APIs impose before you can get valid tokens for making requests. Some providers (like Twitter and App.net) do a great job of letting you generate tokens for your own account. For the rest, we present the Runscope OAuth Token Generators.

The token generators are available for both OAuth 1.0a and OAuth 2. To get started, create a new application with the API provider (we recommend creating an application just for this purpose) and make note of the client key and secret. Paste in the credentials, the API-specific URL endpoints for the auth flow and start the auth process. Token exchange requests made along the way will show up in your default bucket so you can see what was sent back and forth.

We have tested the generators with many popular services including: Facebook, Twitter, LinkedIn, Tumblr, GitHub, App.net, Instagram, Google, Stripe, 37Signals, Box, Microsoft Live Connect, Stack Exchange, Wordpress, Foursquare, MailChimp and more. If you're using a service that requires an authentication flow and follows the standard, it will probably work.

Get Started

To get started, sign up for your free Runscope account and head over to the token generator for the OAuth version the API uses:

→ Runscope OAuth 1.0a Token Generator

→ Runscope OAuth 2 Token Generator

If you run into any issues or APIs that don't work, let us know.

Categories: api ecosystem, testing, security


Taming OAuth's Split Personality

By John Sheehan.

If you use a lot of APIs, there's no doubt you've encountered OAuth in one of its various forms. That will continue to be the case for the foreseeable future now that the OAuth 2.0 spec has settled and mainstream web services with public APIs have adopted it almost universally.

Like most people, we have a love/hate relationship with OAuth. The good parts outweigh the bad parts, but there are many frustrations one encounters implementing it (on both the provider and consumer sides). Runscope CTO Frank Stratton recently wrote up his thoughts from building the OAuth 2-powered Runscope API. He sums up his experience thusly:

After writing the Runscope API and several OAuth API clients to other services, I’ve finally had some time to figure out how I feel about OAuth 2.0… OAuth is awesome, OAuth is horrible.

Frank's post is worth a read, but I'll sum it up like this: OAuth is a necessary evil for building API-driven ecosystems. Love it or hate it (or both), it's part of the world we operate in.

But wait, there's hope!

Thankfully there are tools to make working with OAuth easier. Here are a couple that we offer or are involved with.

Runscope OAuth 2 Token Generator

In Frank's post, he mentions that one of the biggest drawbacks of OAuth is that the client must also be a server. Sometimes you just want an access token without having to set up a web site to handle the auth flow. That's where our token generator comes in. Enter your app credentials (we recommend creating an app just for this tool) and the auth flow endpoints, and a few clicks later you've got an access token to test with.

foauth.org: OAuth for one

Marty Alchin was also annoyed with OAuth, and thought of a clever way to solve it. That idea turned into foauth.org, a service that allows you to connect with 56 OAuth-powered services once, and then use a single username and password (and HTTP basic auth) to access your data on those services. If you just need to prototype against a service, or want to access your own data, foauth.org is a great solution.

Like other OAuth aggregators, foauth.org requires you to hand over the keys. Because this doesn't work for every situation, Marty recently released a private OAuth proxy that you can run for yourself with a free Heroku account. The private proxy also has automatic Runscope support if you have our add-on installed. If you've got particularly sensitive credentials, the private proxy is the way to go.

foauth.org is exactly the kind of tool we like to support, and so we've sponsored the project so Marty can continue to dedicate resources to it. We're excited to see where he takes it next.


Get your free Runscope account and stop fighting with OAuth. Hopefully these two tools will help you the next time you run into a wall. If there's anything else we can do to help as well, feel free to get in touch.

Categories: community, security, api ecosystem
