Microservices Best Practices for Java

Readers' comments

This discussion is now locked.

Posted by Ralph Henze on 8 November 2016 at 8:51

I'm not satisfied with section 6.2 ("Identity and Trust").

OAuth 2.0 does not stand for "Open Authentication".
As RFC 6749 states, OAuth 2.0 is an authorization framework (for delegated authorization, not primarily authentication).

OpenID Connect is mentioned without any explanation. It would be helpful if there was a short section that explains that OpenID Connect builds on top of OAuth 2.0, clarifies (e.g. mandatory usage of JWT tokens) and adds features (e.g. UserInfo endpoint).

Posted by Erin Schnabel on 21 November 2016 at 10:47

You're right. An oversight / over-simplification. I have updated the chapter to clarify the terms, though without going into significant detail. Security really is an entire additional book on its own.


Publish Date
07 December 2016

Last Update
13 March 2017
