OAuth 2 Essentials

Nov 6, 2020

About

Although OAuth is the standard for API authorization, a lot of implementers struggle to use it correctly. One reason might be the multitude of options and protocol extensions, which are the basis of the protocol's versatility and flexibility. This talk presents the essential parts and patterns needed to implement OAuth in end-user scenarios for web apps, mobile apps and SPAs. The selection is based on the presenter's experience gathered while working on the standard and practically implementing and running OAuth implementations in large-scale consumer services for the last 10 years.

Topics:
- OAuth architecture explained (authorization server vs. resource server) and the benefits of that architecture: centralized authentication and authorization, no credential sharing with first or third parties, authenticate once and use the result for multiple requests, APIs independent of authentication method and channel, central authorization and permissions management
- RFC 6749 explained and stripped down to the essentials: the authorization code grant, refresh tokens and the client, plus the OAuth 2.0 Security BCP
- The user authorizes access: user consent, and how the authorization travels from the AS to the RS
- JWTs vs. token introspection
- The authorization code grant is versatile (web, SPA, native), including app-to-app redirects
- Refresh tokens, their impact on UX, short-lived access tokens (JWTs!) and downscoping
- Add modules as needed: mTLS, PAR, RAR, server metadata
- FAPI explained (for substantial- and high-security use cases)
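As an added illustration of the core of this topic list (the authorization code grant with PKCE, short-lived JWT access tokens, refresh-token rotation and downscoping, and local JWT validation at the resource server), here is a self-contained Python model. It is not code from the talk or from any project the speaker is involved in. The issuer, client and API names are hypothetical, the AS keeps its state in memory, and HS256 with a key shared between AS and RS stands in for the asymmetric signing key a real AS would publish via JWKS.

```python
"""Authorization code grant with PKCE, short-lived JWT access tokens and refresh-token rotation with
downscoping, plus RS-side JWT validation. Added example, not code from the talk; names are hypothetical,
state is in memory, and HS256 with a shared key stands in for the asymmetric key a real AS publishes via JWKS."""
import base64, hashlib, hmac, json, secrets, time

ISSUER, API_AUD = "https://as.example.com", "https://api.example.com"  # hypothetical
CLIENT, REDIRECT = "spa-client", "https://app.example.com/cb"           # hypothetical

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_pkce_pair():  # client keeps the verifier; only the S256 challenge goes in the front channel
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def validate_jwt(key: bytes, token: str, now: int) -> dict:
    """RS-side local validation: signature, issuer, audience, expiry; no round trip to the AS."""
    header, payload, sig = token.split(".")
    expected = b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims["iss"] != ISSUER or claims["aud"] != API_AUD or claims["exp"] <= now:
        raise ValueError("issuer, audience or expiry check failed")
    return claims

class AuthorizationServer:
    ACCESS_TTL, CODE_TTL = 300, 60  # short-lived access tokens: the RS never needs a revocation lookup

    def __init__(self, key: bytes):
        self.key, self.clients, self.codes, self.refresh_tokens = key, {}, {}, {}

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user, now):
        """Front channel, after the user authenticated and consented at the AS: one-time code."""
        if redirect_uri not in self.clients.get(client_id, []):
            raise ValueError("invalid_request: unregistered redirect_uri")  # never redirect there
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri, scope=scope,
                                code_challenge=code_challenge, user=user, exp=now + self.CODE_TTL)
        return code

    def token(self, grant_type, client_id, now, **p):
        """Back-channel token endpoint for the two grants the talk centres on."""
        if grant_type == "authorization_code":
            g = self.codes.pop(p["code"], None)  # pop: a code is exchanged at most once
            if not g or g["exp"] < now or g["client_id"] != client_id or g["redirect_uri"] != p["redirect_uri"]:
                raise ValueError("invalid_grant")
            if not hmac.compare_digest(b64url(hashlib.sha256(p["code_verifier"].encode()).digest()),
                                       g["code_challenge"]):
                raise ValueError("invalid_grant: PKCE verifier mismatch")
            return self._issue(client_id, g["user"], g["scope"], g["scope"], now)
        if grant_type == "refresh_token":
            g = self.refresh_tokens.pop(p["refresh_token"], None)  # rotation: the old token dies
            if not g or g["client_id"] != client_id:
                raise ValueError("invalid_grant")
            wanted = set(p.get("scope", g["scope"]).split())
            if not wanted <= set(g["scope"].split()):  # downscoping only, never escalation
                raise ValueError("invalid_scope")
            return self._issue(client_id, g["user"], " ".join(sorted(wanted)), g["scope"], now)
        raise ValueError("unsupported_grant_type")

    def _issue(self, client_id, user, scope, refresh_scope, now):
        header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
        claims = {"iss": ISSUER, "sub": user, "aud": API_AUD, "client_id": client_id,
                  "scope": scope, "iat": now, "exp": now + self.ACCESS_TTL}
        body = f"{header}.{b64url(json.dumps(claims).encode())}"
        sig = b64url(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        refresh = secrets.token_urlsafe(32)  # opaque; keeps the originally granted scope
        self.refresh_tokens[refresh] = dict(client_id=client_id, user=user, scope=refresh_scope)
        return {"access_token": f"{body}.{sig}", "token_type": "Bearer", "expires_in": self.ACCESS_TTL,
                "refresh_token": refresh, "scope": scope}

def rejected(call) -> bool:  # True when the AS or RS refuses the request
    try:
        call(); return False
    except ValueError:
        return True

def run_flow(now=None) -> dict:  # one full code flow, a downscoped refresh, and misuse that must fail
    now = now or int(time.time())
    key = secrets.token_bytes(32)
    as_ = AuthorizationServer(key)
    as_.clients[CLIENT] = [REDIRECT]
    verifier, challenge = make_pkce_pair()
    code = as_.authorize(CLIENT, REDIRECT, "read write", challenge, "alice", now)
    exchange = lambda c, v: as_.token("authorization_code", CLIENT, now, code=c, redirect_uri=REDIRECT, code_verifier=v)
    tokens = exchange(code, verifier)
    leaked_code = as_.authorize(CLIENT, REDIRECT, "read write", challenge, "alice", now)
    later = now + 400  # past ACCESS_TTL, so the first access token has expired
    downscoped = as_.token("refresh_token", CLIENT, later, refresh_token=tokens["refresh_token"], scope="read")
    return {
        "first_scope": validate_jwt(key, tokens["access_token"], now)["scope"],
        "code_replay_rejected": rejected(lambda: exchange(code, verifier)),
        "wrong_verifier_rejected": rejected(lambda: exchange(leaked_code, make_pkce_pair()[0])),
        "expired_token_rejected": rejected(lambda: validate_jwt(key, tokens["access_token"], later)),
        "second_scope": downscoped["scope"],
        "old_refresh_rejected": rejected(lambda: as_.token("refresh_token", CLIENT, later,
                                                          refresh_token=tokens["refresh_token"])),
    }
```

Calling run_flow() reports that the first access token carries the full granted scope, that replaying the code, presenting the wrong PKCE verifier, validating the token after its lifetime, or reusing a rotated refresh token is refused, and that the refreshed access token is downscoped to "read". Token introspection, the alternative the talk contrasts with JWTs, is the AS performing the same checks as validate_jwt on the RS's behalf and answering with an active true/false plus the claims, at the cost of a network round trip per request.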


About Loco Moco Security Conference

Inclusive product security conference that attracts builders and defenders from around the world.
