What technical detail should programmers consider while developing their own oAuth service?

Question

What technical detail should programmers consider while developing their own oAuth service?

Have been trying to find out guidelines, but found most of the oAuth related articles discuss as a consumer point of view (i.e. how to consume others service). I want to design my own oAuth system with my authorization service and resource service. What technical detail should I follow?

Answer 1

You probably have read the RFCs but just in case you haven't, they're the place you want to start:

1. oAuth 2.0 "core" (RFCs 6749 and 6750)
2. Proof Key for Code Exchange (PKCE) (RFC 7636)

The best 'packaged' guidance for oAuth implementers (client or otherwise) is available via IETF Best Current Practices (BCPs). Most people know about IETF RFCs and (confusingly) BCPs are published as RFCs with a RFC number. Despite that, they're best practices and not formal specifications:

The BCP process is similar to that for proposed standards. The BCP is submitted to the IESG for review, and the existing review process applies, including a "last call" on the IETF announcement mailing list. However, once the IESG has approved the document, the process ends and the document is published. The resulting document is viewed as having the technical approval of the IETF, but it is not, and cannot become an official Internet Standard.

BCPs you want to review:

1. oAuth security (up to date as of this writing)
2. oAuth for browser-based apps (up to date as of this writing).
3. oAuth for native apps (published in 2017 as an update to "core" oAuth 2.0 RFC, still a good read)
4. JSON Web Tokens for oAuth (up to date)

These documents are framed in threat model terms - they cover attacks (or "security considerations" as a diluted format) and countermeasures. You might be looking for a more straightforward building blocks type of a roadmap and perhaps there should be one as an educational tool. Real-world oAuth implementations must be developed with a prima facie evidence of a threat model.

As one samurai said: ...swordsmanship untested in battle is like the art of swimming mastered on land.

Answer 2

I would also be interested to hear why you want to develop your own auth solution.

But putting that aside, there is an open source project that does exactly what you ask - Identity Server. You can check out their source code or fork it and build something on top of it.

Also, please check "identigral" answer on various docs.