I may need to implement an OAuth2.0 server for an API I'm creating. This API would allow 3rd parties to perform actions on the user's behalf.
OAuth2.0 has 3 mains
Seems your description started off OK, but then I must confess I could only partly follow your approach. AFAIK OAuth2 relies heavily on HTTPS rather than signed requests, although I guess you're free to use such.
I'm not sure about the concept you present to revoke access. Typically this would rely just on the access token (it should expire at some point in time, you could revoke it, and it could be renewed). If for API requests you are pulling keys for a userid then possibly your code is too closely tied to "user" concepts and not OAuth clients (with role, scope, resources).
In any case it's not a simple standard and I guess the discussion could go on quite long and even then I am not sure all could be covered. I trust you've reviewed the RFC at:
http://tools.ietf.org/html/rfc6749
I see also from your profile you're likely a Java developer. In that case it may be a good idea to review Spring-security-oauth2 at:
https://github.com/SpringSource/spring-security-oauth
If your solution won't use Java, a lot of the issues you allude to in your question were approached and solved by that project, so it should give you lots of ideas. If you will use Java then it may help you a lot.
Hope it helps!
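
The token lifecycle the answer above describes (an access token that expires, can be revoked, and can be renewed, bound to an OAuth client and scope rather than to per-user keys), as an added example that is not part of the original answer and not code from spring-security-oauth. The names `Grant`, `TokenStore`, `issue`, `check`, `revoke` and `renew`, and the in-memory storage, are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Added example: all names here are hypothetical, storage is in-memory only.
@dataclass
class Grant:
    client_id: str       # the OAuth client (third party), not a per-user key
    user_id: str         # resource owner who approved the client
    scope: frozenset     # what the client may do on the user's behalf
    expires_at: float    # access-token expiry, seconds since epoch
    refresh_token: str

class TokenStore:
    def __init__(self, ttl=3600, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self.access = {}    # access token -> Grant
        self.refresh = {}   # refresh token -> access token paired with it

    def issue(self, client_id, user_id, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = Grant(client_id, user_id, frozenset(scope),
                                    self.clock() + self.ttl, refresh)
        self.refresh[refresh] = access
        return access, refresh

    def check(self, access, needed_scope):
        """Return the Grant if the token is live and covers needed_scope."""
        grant = self.access.get(access)
        if grant is None or self.clock() >= grant.expires_at:
            return None
        return grant if needed_scope in grant.scope else None

    def revoke(self, access):
        """Revoke an access token together with its refresh token."""
        grant = self.access.pop(access, None)
        if grant is not None:
            self.refresh.pop(grant.refresh_token, None)

    def renew(self, refresh, client_id):
        """Swap a refresh token for a new pair; the old pair stops working."""
        old_access = self.refresh.get(refresh)
        grant = self.access.get(old_access)
        if grant is None or grant.client_id != client_id:
            return None
        self.revoke(old_access)
        return self.issue(grant.client_id, grant.user_id, grant.scope)
```

An API request handler would call `check` with the bearer token and the scope the endpoint requires, so revoking or expiring the token is enough to cut off the client without touching any user key.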