Aaron Parecki · Mar 1, 2021 · 6:26 PM UTC

Aaron Parecki

Aaron Parecki @aaronpk

1 Mar 2021

I just finished making a cheat sheet "OAuth Patterns and Anti-Patterns" and it's available for download now for free! developer.okta.com/blog/2021…

OAuth Patterns and Anti-Patterns - a DZone Refcard

I'm happy to announce a brand new OAuth refcard: OAuth Patterns and Anti-Patterns

developer.okta.com

Juliano Mohr · Mar 1, 2021 · 9:59 PM UTC

Juliano Mohr @juliaaano

1 Mar 2021

At the end you say to use local validation in the API gateway and "if" a particular API requires, then do the remote. Are you implying there are cases the resource server does not need to do any validation at all if the gateway already handles it?

Aaron Parecki · Mar 1, 2021 · 10:01 PM UTC

Aaron Parecki · Mar 1, 2021 · 10:01 PM UTC

Aaron Parecki @aaronpk

1 Mar 2021

Replying to @juliaaano

Yeah, super context dependent of course, but imagine a read-only API method for returning the user's rewards points balance. Not terribly sensitive info, not likely to change often. The gateway validation is likely good enough.

Mar 1, 2021 · 10:01 PM UTC