If you are working with APIs, I am sure you have heard about OAuth 2. It is used for securing access to APIs.
OAuth 2 is a standard for delegating authorization for accessing resources via HTTP.
OAuth 2 offers a solution for the scenarios from the examples in the previous post without the risks of the password anti-pattern. With OAuth 2 we can give access rights to the mobile app without handing over the password. Instead, a token is handed to the app. The token represents the access rights for a subset of the data, for a short time frame. To obtain the token, the user first logs in on the website of the OAuth server. The generated token can be an authorization code, an access token, or a refresh token. An access token allows access to a resource during a limited time period. If the token is compromised, the access rights associated with that token can be revoked, without the user having to change a password.
Sarah and Tim from the examples in the previous post will not notice any difference, whether OAuth is used or not. They can use their mobile apps and cloud apps in a secure manner if OAuth is used under the hood.
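To make the token model above concrete, here is an added example (not code from the original post or from any OAuth library): a small in-memory authorization server with a simulated clock that issues a one-time authorization code, exchanges it for a short-lived access token limited to a subset of rights, rotates the refresh token, and revokes a leaked token. The class, method names, scope strings and timestamps are all constructed for this illustration.

```python
import secrets

class AuthServer:
    """In-memory simulation of the OAuth 2 token lifecycle described above (constructed, simulated clock)."""
    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl                     # access tokens live this many seconds
        self._codes, self._tokens, self._refresh = {}, {}, {}

    def authorize(self, user, scopes):
        # The user logged in at the server and consented to a subset of rights; the app gets a one-time code, never the password.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, frozenset(scopes))
        return code

    def exchange_code(self, code, now):
        grant = self._codes.pop(code, None)              # consumed: a replayed code fails
        return None if grant is None else self._issue(*grant, now)

    def refresh(self, refresh_token, now):
        grant = self._refresh.pop(refresh_token, None)   # rotated: the old refresh token dies
        return None if grant is None else self._issue(*grant, now)

    def _issue(self, user, scopes, now):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._tokens[access] = {"user": user, "scopes": scopes, "exp": now + self.access_ttl}
        self._refresh[refresh] = (user, scopes)
        return {"access_token": access, "refresh_token": refresh, "expires_in": self.access_ttl}

    def revoke(self, access_token):
        self._tokens.pop(access_token, None)             # compromised token: drop its rights, keep the password

    def check(self, access_token, scope, now):           # resource-server side: user name or None
        t = self._tokens.get(access_token)
        if t is None or now >= t["exp"] or scope not in t["scopes"]:
            return None
        return t["user"]

def lifecycle_demo():
    srv = AuthServer(access_ttl=600)
    code = srv.authorize("sarah", ["photos:read"])       # Sarah grants read-only photo access
    g = srv.exchange_code(code, now=1000)
    out = [srv.exchange_code(code, now=1000) is None,                 # True: code is single-use
           srv.check(g["access_token"], "photos:read", now=1100),     # "sarah": in scope, not expired
           srv.check(g["access_token"], "photos:write", now=1100),    # None: outside the granted subset
           srv.check(g["access_token"], "photos:read", now=1700)]     # None: expired after 600 s
    g2 = srv.refresh(g["refresh_token"], now=1700)                    # app renews without asking Sarah again
    out.append(srv.check(g2["access_token"], "photos:read", now=1800))  # "sarah" again
    srv.revoke(g2["access_token"])                                     # token leaked: revoke it
    out.append(srv.check(g2["access_token"], "photos:read", now=1800))  # None: revoked
    return out
```

`lifecycle_demo()` returns `[True, "sarah", None, None, "sarah", None]`, one entry per step of the walk-through.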
Also published on Medium.