Allowing Users to Get Their Own OAuth Tokens for Accessing an API
Let's take a look at an opinion about allowing users to get their own OAuth tokens for accessing an API.
I run a lot of different applications that depend on GitHub and that use GitHub authentication as the identity and access management layer for these apps. One of the things I like most about GitHub, and how I feel it handles its OAuth more thoroughly than most other platforms, is how they let you get your own OAuth token under settings > developer settings > personal access tokens. You don’t need to set up an application and do the whole OAuth dance; you just get a token that you can pass along with each API call.
I operate my own OAuth server, which allows me to authenticate using OAuth with many leading APIs, so generating an OAuth token and setting up a new provider isn’t too hard. However, it is always much easier to go under my account settings, create a new personal access token for a specific purpose, and get to work playing with an API. I wish that ALL API providers did this. At first glance, it looks like GitLab, Harvest, Typeform, and Contentful all provide personal access tokens as a first option for onboarding with their APIs, which demonstrates that this is more of a pattern than just a GitHub feature.
One of these days I’m going to have to do another story documenting the entire GitHub OAuth system, because they have a lot of interesting bells and whistles that make using their platform much more secure and just a more frictionless experience than other API providers I use on a regular basis. GitHub has ground down a lot of the sharp corners on the whole authentication experience when it comes to OAuth. It would make a nice blueprint to share, and to work to convince other API providers that it is a pattern worth following, reducing the cognitive load around OAuth management for any API integration and standardizing how API providers support their API consumers and end-users.
I have three separate Twitter apps set up for specific purposes, but I wanted to have a separate personal application just for managing my personal @kinlane account. I submitted a Twitter application for review, but haven’t heard back after almost a month. As an individual user of any platform, I should be able to instantly issue a personal access token that lets me, or someone I sanction, access my data and content on the platform. Personal access tokens should be a default feature for any consumer-focused platform, putting API access more within the control of each end-user and the platform's power users.
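As an added illustration (not code from this post, from GitHub, or from any of the providers named), here is a minimal model of the pattern the post argues for, seen from both sides: the provider mints a scoped, expiring personal access token under the user's account settings and stores only a hash of it, and the consumer passes the token as a bearer header with each API call. The function names, the `pat_` prefix, the scope strings, and the in-memory token store are all assumptions made for the example.

```python
"""Minimal personal-access-token (PAT) issue/verify flow.

Added example, not from the original post. Models the pattern the post
describes: a user mints a token for a specific purpose, and that token is
sent with every API call. Storage is an in-memory dict standing in for the
provider's database; only the token's hash is kept, so a leaked store does
not leak usable credentials. Names and scopes are assumptions.
"""
import hashlib
import secrets
import time

# Constructed token store: sha256(token) -> metadata record.
_TOKENS = {}


def _hash(token):
    """Tokens are high-entropy, so a plain SHA-256 lookup key is sufficient."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user, scopes, ttl_seconds=30 * 24 * 3600, now=None):
    """Provider side: mint a new PAT for `user` limited to `scopes`.
    The plaintext token is returned exactly once and never stored."""
    now = time.time() if now is None else now
    token = "pat_" + secrets.token_urlsafe(32)  # prefix makes leaks greppable
    _TOKENS[_hash(token)] = {
        "user": user,
        "scopes": frozenset(scopes),
        "expires": now + ttl_seconds,
        "revoked": False,
    }
    return token


def revoke_token(token):
    """Provider side: the user deletes the token from their settings page."""
    rec = _TOKENS.get(_hash(token))
    if rec is not None:
        rec["revoked"] = True


def auth_header(token):
    """Consumer side: the header sent along with each API call."""
    return {"Authorization": "Bearer " + token}


def authorize(headers, required_scope, now=None):
    """Provider side: validate the bearer token on an incoming request.
    Returns the owning user, or None on any failure (bad scheme, unknown
    token, revoked, expired, or missing scope)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    rec = _TOKENS.get(_hash(token))
    if rec is None or rec["revoked"] or now >= rec["expires"]:
        return None
    if required_scope not in rec["scopes"]:
        return None
    return rec["user"]


if __name__ == "__main__":
    # Constructed walk-through: mint a read-only token, use it, revoke it.
    t = issue_token("example-user", ["repo:read"])
    print("issued:", t[:12] + "...")
    print("read  ->", authorize(auth_header(t), "repo:read"))
    print("write ->", authorize(auth_header(t), "repo:write"))
    revoke_token(t)
    print("after revoke ->", authorize(auth_header(t), "repo:read"))
```

The point the example makes beyond the prose: a personal access token is a bearer credential, so the provider's cheap defaults (hash at rest, explicit scopes, an expiry, one-click revocation) are what make "just issue yourself a token" safe enough to be the default onboarding path.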
Published at DZone with permission of Kin Lane, DZone MVB. See the original article here.