🔐 Secure your API future: don't get left behind!
Advanced API Security: OAuth 2.0 and Beyond (2nd edition, Apress) by Prabath Siriwardena is a guide for professionals who want to master OAuth 2.0 and the surrounding API security techniques (TLS, OpenID Connect, JWS/JWE, PKCE, token binding, API gateways). Ranked in the Computer Security & Encryption category on the listing below, it offers practical, expert-driven guidance for securing modern applications.
| Detail | Value |
| --- | --- |
| Best Sellers Rank | #392,356 in Books; #941 in Computer Security & Encryption; #1,180 in Computer Programming Languages; #1,296 in Networking & Cloud Computing |
| Customer reviews | 4.1 out of 5 stars (31 ratings) |
| Dimensions | 17.8 x 2.72 x 25.4 cm |
| Edition | 2nd ed. |
| ISBN-10 | 1484220498 |
| ISBN-13 | 978-1484220498 |
| Item weight | 816 g |
| Language | English |
| Print length | 472 pages |
| Publication date | 17 December 2019 |
| Publisher | Apress |
S**H
Good book.
S**P
I work as a solution architect in the public sector and have many years of experience designing software. My current initiative requires me to understand API-specific security practices in detail, which is the reason I bought this book after much research on multiple books. I found this book to be an excellent read with broad coverage of the subject of API security, including TLS, OAuth, OIDC, JWS/JWE and patterns to cover multiple use cases. Prabath does an excellent job of initially introducing the reader to the general security design principles for designing APIs and then takes the reader through a sample API implementation (developed using Spring Boot and Maven). He starts with a basic API, with only TLS-specific protection, and then extends it through multiple chapters to include an API gateway and OAuth 2.0 protection. All of this is done step by step with very detailed instructions. As such, in my view it is not only great for someone who wants the design exposure, but is also hands-on in development.

Once this is done, Prabath introduces us to JWS/JWE, with great detail on both the token structures and the difference between compact and JSON serialization. Again there are sample applications to enable the reader to get a grasp of how the technology works in practice. I found the native mobile channel-based API security and Token Binding chapters to be particularly interesting. In those Prabath introduces us to PKCE and details the Token Binding concepts, and why we need them for added security. There are also excellent chapters which introduce the reader to OIDC; Federation, where SAML/JWT-based extensions to OAuth are discussed; OAuth 2.0-specific security to consider; and Patterns. The last two of these (OAuth 2.0 security and Patterns) are exceptional, and a must read for any solutions architect. There are also a ton of references to RFCs which will enable the reader to extend their knowledge as they read this book.

Overall, I would highly recommend this book to anyone who wants to get a detailed understanding of API-specific security principles from the ground up. A must read, I would say, for any developer or solutions architect who wants to design better and more secure APIs.
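The review above singles out PKCE as one of the book's more interesting topics. As an added illustration for this page (example code written here, not code from the book or from the reviewer), the following Python uses only the standard library to show what PKCE (RFC 7636) actually does: the public client derives an S256 `code_challenge` from a random `code_verifier`, and the authorization server later checks the presented verifier at the token endpoint. Function names such as `make_code_verifier`, `code_challenge_s256` and `verify_pkce` are this example's own; the test vector in the usage note is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) code_verifier / code_challenge helpers.

Added example for this page, not code from the book or the reviewer.
Standard library only; all function names are this example's own.
"""
import base64
import hashlib
import hmac
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(data: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Generate a high-entropy code_verifier on the client.

    32 random bytes base64url-encode to 43 characters, the RFC minimum;
    96 bytes encode to 128 characters, the RFC maximum.
    """
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must yield a 43..128 character verifier")
    return b64url_nopad(secrets.token_bytes(nbytes))


def is_valid_code_verifier(verifier: str) -> bool:
    """Length and alphabet check the server applies before hashing."""
    return 43 <= len(verifier) <= 128 and all(c in _UNRESERVED for c in verifier)


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization-server check at the token endpoint.

    stored_challenge/method were bound to the authorization code when it was
    issued; presented_verifier arrives in the token request. Returns False
    (the server then answers invalid_grant) on any mismatch.
    """
    if not is_valid_code_verifier(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        # Permitted by the RFC only where S256 is impossible; "plain" gives
        # no protection if the authorization request itself is observed.
        expected = presented_verifier
    else:
        return False
    # Constant-time comparison; both values are ASCII strings.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def demo() -> dict:
    """Walk through the public-client flow and the code-interception case."""
    verifier = make_code_verifier()          # kept secret on the client
    challenge = code_challenge_s256(verifier)  # sent with the authorization request
    # An attacker who captured the authorization code (and even the challenge)
    # but not the verifier cannot redeem the code at the token endpoint.
    stolen_attempt = make_code_verifier()
    return {
        "verifier_len": len(verifier),
        "legit_ok": verify_pkce(challenge, "S256", verifier),
        "attacker_ok": verify_pkce(challenge, "S256", stolen_attempt),
    }


if __name__ == "__main__":
    print(demo())
```

With the RFC 7636 Appendix B verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, `code_challenge_s256` returns `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. The server-side check rejects an unknown `code_challenge_method` and a verifier outside the 43..128-character unreserved alphabet before doing any hashing, which is the check a token endpoint should perform before it ever touches the stored challenge.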
A**D
The book is advanced but uses understandable words to explain API security, even for beginners.
Y**S
This is a really badly written book. Confusing in most parts of it. The examples, the definitions, the explanations are incomplete, blurry and inhuman.
J**Y
This is a pretty good book, IF what you're looking for is a detailed explanation of all aspects of OAuth 2, OpenID Connect (OIDC), and JSON Web Tokens (JWTs). The book explains almost every detail of these protocols and their various components (both the requests/messages and the tokens themselves, as well as the various interactions between relevant clients and servers that are involved in securely interacting through their use). Where this book is NOT what I expected, however, is on the API side. There's almost nothing about actually _implementing_ OAuth (or any of the other flavors or extensions thereof) in an _actual_ API or server of any sort. The book does make use of Netflix's open source Zuul API gateway to do a little demo sample app (using Java, Tomcat, etc.). However, it barely dives into any source code at all, and it doesn't really show you how to implement anything from scratch besides wiring a few basic components together and testing them via cURL API calls.

My other complaint about this book is that it suffers from countless minor grammatical mistakes throughout. I've gotten used to this from the tech publishers, but I can't understand why they don't have better editors to catch all the obvious grammatical errors. This book isn't the worst I've read in that regard, and overall it doesn't ultimately prevent anything the author wrote from being understandable with a little more focus, but it's just a constant distraction and I'm kind of sick of it from tech publishers. GET BETTER EDITORS!!!

Final word: this isn't an implementation book, and it won't teach you anything about building an API, but IF learning every detail of OAuth is your goal, this book will get you there.