Advanced API Security: OAuth 2.0 and Beyond
H**I
Happy 1st edition reader, highly recommends the 2nd edition too
I have read the first edition of the Advanced API Security book by Prabath when it was first published and I was very impressed by the content of the book. I read it when I had to complete a project on identity management which required detailed knowledge about OAuth and OpenID Connect. The book was so comprehensive that I did not have to refer to any other material throughout the project.

After several years, I was delighted to see that the 2nd edition of the book has been published. The 2nd edition covers a number of new topics (TLS token binding, UMA 2.0, new security best practices around OAuth 2.0 and OAuth 2.0 for native apps) while preserving the same high quality of the 1st edition.

Therefore, I highly recommend this new edition of the Advanced API Security book, for anyone interested in both theoretical and implementation details of the latest API security standards.

My review on the first edition of this book is copied here too, for anyone interested.

-------------------------------------------------------------------------------------------------

Advanced API Security by Prabath is a very informative and comprehensive book that covers both theoretical and practical aspects of the current industry standards for API security, in a very reader-friendly manner.

The organization of this book is amazing: it starts with the early standards used in API security, proceeds to explain the cutting-edge standards and concludes with the details of very useful patterns designed to address different enterprise use cases surrounding API security. This enables the readers to get a very good understanding of how the API security standards have evolved over time and to design a quality solution for their enterprise security problem at hand, by avoiding potential pitfalls and anti-patterns.

Another excellent feature of this book is that each key concept of a particular standard is followed by a practical example illustrated using real-world products and services which implement such standards, making this book equally useful for both architects and developers of enterprise API security solutions.

I learned all the important aspects of different standards used in API security within a short period of time by reading this book, which otherwise I would have had to learn by reading very lengthy specifications of those standards.

I followed this book when I had to design and implement a secure solution in one of my projects and the book helped me immensely to advance with the project at a faster pace by providing both conceptual details as well as practical examples.

Therefore, I highly recommend this book as the go-to book on enterprise API security standards, technologies, patterns and practices.
S**R
words from another security architect
Let me tell you first that I've also read the first edition of this book, which was very thorough, and to this day I have a copy of the first edition on my bookshelf. The first edition changed my career in the way I've designed and implemented secure web applications. My peers were always lacking the fundamentals that I've had in designing secure applications, and my secret was this first edition. Many people still struggle to recollect security terms like Digest authentication that the original book clarified at great length. I would recommend anyone to start with the first edition to understand the BASICS. But I wouldn't say that you have to. The second edition followed the same footsteps in making the topics easier for the reader with many examples and references to the actual specifications. The second edition not only refreshed many of these fundamentals, but helped me look at recent additions in Web Security and API security specifications like Token Binding, the role of WAF in API security, TLS, JWE, OAuth2 profiles, federation, and best practices in security. This second edition has already made me take the right design decisions in our API security under a federated use case. I applied the token exchange solution to one of our complex requirements, which really made sense. As with any other book, there may be typos and minor mistakes. But don't let them distract you and leave the journey you started in the middle. If you are working on Application Security problems, this book is a must read!

What I missed from the real book though are the actual curl examples and using a proprietary authorization server like WSO2. The author chose to keep the topic simple by executing Spring Boot examples for spinning up an authz server. I don't think it's bad, but how many people would really use Spring Security as an authorization server in the days of SaaS and PaaS solutions? Although this is simple, I would have loved to play with a real WSO2 server that the author had been working at for years. This didn't, however, let me down in learning the concepts, which is why I love this book. Thanks Prabath for publishing another good read; it's worth the wait.
D**D
RFC and Protocols information - that's all
P**A
Overall great book - I learned quite a few concepts from the book
+ Author seems very knowledgeable and presented in an easy to understand manner.
+ Flow diagrams were super useful in understanding OAuth and OpenID Connect.
+ Good coverage of topics overall.
- Some code examples were cut off in Kindle (even in landscape with smallest font).
- Above code examples - highlighting didn't work.
- Some code examples were in too much detail (note all code examples are ONLY in Java using Spring/Maven).
- On very few occasions I felt a term is used without elaborating on it. A quick Google search did answer what the Author meant, though.
L**N
This incredible book discussed all the scenarios
This book covered all the complex scenarios in API security with the best real-time examples.
H**J
Amazing book covering from fundamentals to design scenarios
P**P
Astonishing book on API Security
Fantastic book covered all the use-cases
M**S
More of a how to guide
This is a badly written, verbose book on how to apply security to APIs. It does not explain the "why" part of several techniques. This is more of a guide for Java developers to get started with securing their APIs. "OAuth 2 in Action" is a much better book.
A**I
Lovely book
The book is advanced but uses understandable words to explain API security, even for beginners.
S**H
good book
S**P
Excellent read on API Security
I work as a Solution Architect in the public sector, and have many years of experience designing software. My current initiative requires me to understand API-specific security practices in detail, which is the reason I bought this book after much research on multiple books. I found this book to be an excellent read with broad coverage on the subject of API security, including TLS, OAuth, OIDC, JWS/JWE and Patterns to cover multiple use cases.

Prabath does an excellent job of initially introducing the reader to the general security design principles for designing APIs and then takes the reader through a sample API implementation (developed using Spring Boot and Maven). He starts with a basic API, with only TLS-specific protection, and then extends it through multiple chapters to include an API gateway and OAuth 2.0 protection. All of this is done step by step with very detailed instructions. As such, in my view, not only is it great for someone who wants the design exposure, but it is also hands-on in development.

Once this is done, Prabath introduces us to JWS/JWE, with great detail in both the token structures and also the difference between compact and JSON serialization. Again there are sample applications to enable the reader to get a grasp of how the technology works in practice.

I found the native mobile channel based API security and also Token Binding chapters to be particularly interesting. In those Prabath introduces us to PKCE and details the Token Binding concepts, and why we need to do so for added security.

There are also excellent chapters which introduce the reader to OIDC, Federation (where SAML/JWT based extensions to OAuth are discussed), OAuth 2.0 specific security to consider, and Patterns. The last 2 of these (OAuth 2.0 security and Patterns) are exceptional, and a must read for any solutions architect. There is also a ton of references to RFCs which will enable the reader to extend their knowledge as they read this book.

Overall, I would highly recommend this book to anyone who wants to get a detailed understanding of API-specific security principles from the ground up. A must read, I would say, for any developer or solutions architect who wants to design better and more secure APIs.
Y**S
Not recommended
This is a really badly written book. Confusing in most parts of it. The examples, the definitions, the explanations are incomplete, blurry and inhuman.
J**Y
All about OAuth, almost Nothing about APIs
This is a pretty good book, IF what you're looking for is a detailed explanation of all aspects of OAuth 2, OpenID Connect (OIDC), and JSON Web Tokens (JWTs). The book explains almost every detail of these protocols and their various components (both the requests/messages and the tokens themselves, as well as the various interactions between relevant clients & servers that are involved in securely interacting through their use).

Where this book is NOT what I expected, however, is on the API side. There's almost nothing about actually _implementing_ OAuth (or any of the other flavors or extensions thereof) in an _actual_ API or server of any sort. The book does make use of Netflix's open source Zuul API gateway to do a little demo sample app (using Java, Tomcat, etc.). However, it barely dives into any source code at all, and it doesn't really show you how to implement anything from scratch besides wiring a few basic components together and testing them via cURL API calls.

My other complaint about this book is that the book suffers from countless minor grammatical mistakes throughout. I've gotten used to this from the tech publishers, but I can't understand why they don't have better editors to catch all the obvious grammatical errors. This book isn't the worst I've read in that regard, and overall it doesn't ultimately prevent anything the author wrote from being understandable with a little more focus, but it's just a constant distraction and I'm kind of sick of it from tech publishers. GET BETTER EDITORS!!!

Final word - this isn't an implementation book, and it won't teach you anything about building an API, but IF learning every detail of OAuth is your goal, this book will get you there.