For a current project, a [colleague] and I are working on a large API system that authenticates through OAuth. Normally such an API does all the necessary OAuth checking, token handling and so on itself, but we wanted a system that offloads our authentication, in the same way one can offload HTTPS traffic, to keep the API simple, extensible and even performant.
OAuth is a very popular authentication mechanism used by a lot of web applications, and not without good reason. It is relatively easy to implement and comes in different flavours (2-legged and 3-legged), so you can use it almost anywhere that requires authentication and authorization. This post is not about how to implement OAuth; that is covered elsewhere in much greater detail than I can give here. It is about two tiny details that can make or break your OAuth security: the OAuth nonce and timestamp.
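To make concrete what those two details are for, here is an added example (not code from the original post or its project) of the server-side replay check that OAuth 1.0 (RFC 5849, section 3.3) expects: reject a request whose `oauth_timestamp` falls outside an acceptable window, and reject any repeat of a (consumer key, token, nonce, timestamp) combination. The class name, the 300-second window and the injectable clock are choices made for this example.

```python
import time
from collections import deque

# Added example, not from the original post. The window size is an
# assumption for this example; pick one that matches your clock skew.
MAX_CLOCK_SKEW = 300  # seconds


class ReplayGuard:
    """Tracks recently seen nonces so a captured request cannot be replayed.

    The timestamp window alone leaves a replay gap of `window` seconds;
    the nonce alone would need unbounded storage. Checking both closes
    the gap and lets old nonces be forgotten safely.
    """

    def __init__(self, window=MAX_CLOCK_SKEW, now=time.time):
        self.window = window
        self.now = now            # injectable clock, so tests are deterministic
        self.seen = set()         # (consumer_key, token, nonce, timestamp)
        self.order = deque()      # same tuples in arrival order, for expiry

    def _expire(self):
        # Anything older than the window is rejected by the timestamp check
        # anyway, so its nonce no longer needs to be remembered.
        cutoff = self.now() - self.window
        while self.order and self.order[0][3] < cutoff:
            self.seen.discard(self.order.popleft())

    def check(self, consumer_key, token, nonce, timestamp):
        """Return (accepted, reason). Only accepted requests are recorded."""
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False, "timestamp_not_integer"
        if not nonce:
            return False, "missing_nonce"
        if abs(self.now() - ts) > self.window:
            return False, "timestamp_outside_window"
        self._expire()
        key = (consumer_key, token, nonce, ts)
        if key in self.seen:
            return False, "nonce_reused"
        self.seen.add(key)
        self.order.append(key)
        return True, "ok"
```

The reason string is meant for logging: a burst of `nonce_reused` rejections for one consumer key is the signal that someone is replaying captured requests.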