Archive for August, 2013

Aug 27 2013

2-legged OAuth Java client made easy

Some scenario

When you build a RESTful web API, there comes a time when authorization comes into play: you need a way to restrict and control access to your protected resources.
One of the most popular approaches is OAuth, an open authorization protocol (version 1.0, RFC 5849; version 2.0 is defined as a framework instead) that lists simplicity and security among its main goals.
I will not spend time discussing the good and the bad of OAuth, or the large controversy around the development of version 2.0. I'd like instead to focus on how to secure your API without losing your mind over the potential complexities of OAuth.

A good and by now fairly well established way to deal with this is the so-called 2-legged OAuth: the client signs each request with a key derived from its consumer secret, and no user token or browser redirect is involved. For the details, I invite you to check the excellent article Designing a Secure REST (Web) API without OAuth. Don't get confused by the title: the author describes the request-signing scheme used by Amazon for its AWS API, which is basically identical to 2-legged OAuth, the latter being only a bit more restrictive on some protocol aspects (e.g. the fixed HMAC-SHA1 algorithm and the lexical ordering of the parameters that go into the signed string).
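The mechanics the paragraph above alludes to, worked through end to end: the RFC 5849 signature base string (canonical URI plus lexically sorted, percent-encoded parameters), the HMAC-SHA1 signature keyed with the consumer secret alone (2-legged, so no token secret), and the server-side checks that make the scheme safe in practice (timestamp window, nonce replay cache, constant-time comparison). This is an added example written for this page, not the post's own Java client and not code from any library it describes; it is in Python rather than Java so it runs with the standard library alone. The consumer key and secret, the `api.example.com` URL, the request parameters and the 300-second skew window are all made up for illustration.

```python
"""2-legged OAuth 1.0a (RFC 5849) over HMAC-SHA1: client signing and server verification.
Added example; credentials, URLs and parameters below are constructed, not from the post."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import quote, unquote, urlsplit

HEADER_RE = re.compile(r'(oauth_\w+|realm)="([^"]*)"')
MAX_CLOCK_SKEW = 300  # seconds; a server policy choice (assumption), not fixed by the RFC


def oauth_encode(value):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lowercase scheme/host, drop default port, query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD&enc(uri)&enc(normalized params).
    `params` holds every decoded (name, value) pair from the query string, the form body
    and the oauth_* header fields except oauth_signature."""
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)  # by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key = enc(consumer_secret)&enc(token_secret); 2-legged leaves the token empty."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def build_authorization_header(method, url, query, body, consumer_key, consumer_secret,
                               timestamp=None, nonce=None):
    """Client side: sign the request and return the Authorization header value."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, list(query) + list(body) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    return "OAuth " + ", ".join(f'{k}="{oauth_encode(v)}"' for k, v in oauth.items())


def parse_authorization_header(header):
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    return {k: unquote(v) for k, v in HEADER_RE.findall(header[6:]) if k != "realm"}


def verify_request(method, url, query, body, header, secret_for_key, seen_nonces, now=None):
    """Server side. Returns (ok, reason). `secret_for_key` maps consumer key -> secret;
    `seen_nonces` is a set of (key, timestamp, nonce) tuples already accepted."""
    now = int(time.time()) if now is None else now
    try:
        fields = parse_authorization_header(header)
    except ValueError as exc:
        return False, str(exc)
    if fields.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    secret = secret_for_key.get(fields.get("oauth_consumer_key", ""))
    if secret is None:
        return False, "unknown consumer key"
    try:
        ts = int(fields["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside window"
    replay_key = (fields["oauth_consumer_key"], ts, fields.get("oauth_nonce", ""))
    if replay_key in seen_nonces:
        return False, "nonce replayed"
    presented = fields.pop("oauth_signature", "")
    base = signature_base_string(method, url, list(query) + list(body) + list(fields.items()))
    expected = hmac_sha1_signature(base, secret)
    # constant-time comparison so a mismatch does not leak where the signatures diverge
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "signature mismatch"
    seen_nonces.add(replay_key)  # only remember nonces of requests that actually verified
    return True, "ok"


if __name__ == "__main__":
    KEY, SECRET = "demo-consumer", "demo-secret"  # constructed credentials
    URL = "https://api.example.com/v1/orders"
    q, b = [("limit", "10")], [("note", "r b")]
    hdr = build_authorization_header("POST", URL, q, b, KEY, SECRET)
    seen = set()
    print(verify_request("POST", URL, q, b, hdr, {KEY: SECRET}, seen))  # accepted
    print(verify_request("POST", URL, q, b, hdr, {KEY: SECRET}, seen))  # same request replayed
```

`signature_base_string` reproduces the base string given in RFC 5849 section 3.4.1.1 for its worked example, so the encoding and ordering rules (which are where most hand-rolled implementations go wrong) can be checked against the spec rather than against another library. On the server, the signature is recomputed from the parameters as the server actually parsed them, never from what the client claims it signed, and the nonce is recorded only after the signature verifies, so an attacker cannot burn a legitimate client's nonce by sending a forged request first.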

About

Globetrotter Software Engineer. I try to reconcile where my ambitions lead me with an environment that makes me feel happy. I love sun and sea. My mind is always spinning, for better and for worse. I enjoy traveling and experiencing new places, being constantly surprised by things I would never even have conceived of.