Everything You Ever Wanted to Know About OAuth and OIDC

  • Published 25 Nov 2024

COMMENTS • 34

  • @yapayzeka 1 year ago +7

    I watched a lot of videos about the context and this is the most clear and satisfying explanation of them all. Thank you very very much.

  • @xdaniel3936 1 year ago +3

    This is by far the best explanation. Thank you so much!

  • @Shukla-ji_knp 1 month ago

    Give that person a Raise 🎉🎉
    Just 6 min of the video and I feel more confident on OAuth vs OIDC 5:52

  • @marcom. 1 year ago +2

    Thanks a lot, Aaron. This is by far the best and comprehensive video I saw about these topics.

  • @soumyagupta4910 4 months ago +1

    didn't think I'd enjoy learning about OAuth so much. Thanks a ton!

  • @jagan4269 3 years ago +1

    Wow!!! This is SPOT ON. Thanks for the excellent presentation Aaron.

  • @interdechile 2 years ago

    Thanks Aaron! This is the clearest explanation about OAuth that I have seen.

  • @danchisholm1 2 months ago

    WOW, truly excellent tutorial. Good examples and description.
    Surprising that it’s from a company that doesn’t always do so well on tutorials.
    Thanks Okta guys!!

  • @clz230 3 years ago +3

    It was nicely done, Aaron! Excellent presentation and effortless communication!

  • @ledgentai1227 2 years ago

    Fantastic video, thank you. In fact the only explanation of these concepts I could find that made sense.

  • @chrislegaxy6355 2 years ago +2

    By far the best explanation! 🙌
    Thank you! You rock!

  • @floid33556 1 year ago +1

    Really great explanation. Thank you!

  • @emiliocolombo142 6 months ago

    Great high-level overview of these protocols. Thank you a lot.

  • @martijn1967b1 27 days ago

    Thanks Aaron

  • @gitahinganga3136 2 years ago

    Very clear and concise. Thanks a bunch!

  • @debkr 2 years ago +1

    Nice 👍 Please post some videos on OIDC Single Sign-On.

  • @4ortson 5 months ago

    This should be watched by more devs.

  • @shaunpx1 2 years ago

    Great video, thank you for clearly explaining this topic!!!
    Also, where did you get that shirt? It is awesome!

  • @AshenafiDemisse 1 month ago

    Cross-domain POST requests, or in general cross-origin requests (CORS), did not have much support in older browsers, as you said. In particular, browsers older than Internet Explorer 10 do not support CORS requests.

  • @leminhdung1981 2 years ago

    Excellent! Thank you very much!

  • @cli2701 3 years ago

    Excellently explained! Thanks!

  • @kevincornally8392 3 years ago

    Such a great presentation!!!!

  • @masteredd 2 years ago

    Great explanation! Thanks

  • @li.tan.activities 2 years ago

    Fantastic explanation! Thank you!

  • @jamesallen74 3 years ago

    Fantastic video!

  • @drakezen 3 years ago

    Amazing explanation.

  • @ftlight2362 3 years ago

    That is soooo useful! :)
    Great explanation, thanks!

  • @gobindrawat3496 3 years ago

    Hi, I have a question regarding the refresh token use case, especially when we have unreliable clients (native apps). The new best practice about refresh tokens says that the refresh token should be replaced with each new token exchange request. So basically, with each new token exchange request, the client receives a new refresh token along with the access and ID tokens. How should we tackle a logout scenario if the client is a mobile app? A mobile app can have a very unreliable network, and because of this the user can be logged out due to an expired token. Are there any best practices regarding this use case? Thanks in advance. Ok

  • @gobindrawat3496 3 years ago

    One more question: as mentioned in the use case, if the access token has 8 hours of validity, and during registration/login the user gave consent for some explicit scopes (for example, vehicle data), the access token has the claims information, and if clients are checking the claims information and validity against the IDP token introspection endpoint and, based on the response, are letting the user use their API: what if in the meantime the user revokes some of the consent? The access token will still contain the previously given consent information, and if the client relies on the IDP token introspection response, then critical service access will remain accessible. Revoking the token and asking the user to log in again so that a token based on the correct consent can be generated can lead to a very bad user experience if the IDP has global logout and SSO. Any best practices here? Please share some. Thanks

  • @meepk633 1 year ago

    So I should be using PKCE for my confidential OIDC client that's already checking state and nonce? I'd rather not rewrite it if those older DPOPs are sufficient.

    • @aaronpk 1 year ago +1

      If you are checking the nonce, as well as checking the ath claim in the ID token to compare it to the access token, then you are protected from access token injection. However there is no protection from ID token leakage in the front channel if you are using the OIDC implicit flow. The other way to look at it is you can remove a bunch of code and replace it with a smaller amount of code that does PKCE, and removing code means less opportunity for bugs and errors.
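
    The PKCE exchange discussed in this thread, as an added worked example that is not from the video or from Aaron's reply: the client generates a `code_verifier`, sends only its S256 `code_challenge` on the front channel, and the authorization server recomputes the challenge at the token endpoint. The `AuthorizationServer` class and the `run_flow` walk-through are constructed stand-ins written for this example, not any real server's API; the verifier/challenge pair in the usage note is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: code_verifier is 43..128 characters from the unreserved set.
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Client side: generate a high-entropy code_verifier and keep it private."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in for the authorization server's code/PKCE bookkeeping."""

    def __init__(self) -> None:
        # authorization code -> code_challenge recorded when the code was issued
        self._codes: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Front channel: bind the presented challenge to a freshly issued authorization code."""
        if method != "S256":
            raise ValueError("only the S256 method is accepted here")
        code = secrets.token_urlsafe(32)
        self._codes[code] = code_challenge
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        """Back channel: the code is single-use and must come with the matching verifier."""
        stored = self._codes.pop(code, None)  # pop: a replayed code fails whatever the verifier
        if stored is None:
            return False
        expected = make_code_challenge(code_verifier)
        return hmac.compare_digest(expected, stored)  # constant-time comparison


def run_flow() -> dict[str, bool]:
    """Walk one code exchange plus the two failure cases PKCE exists to stop."""
    server = AuthorizationServer()

    # Legitimate client: keeps the verifier, exposes only the challenge on the front channel.
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    legit_ok = server.redeem(code, verifier)

    # The same code presented again is rejected: codes are single-use.
    replay_rejected = not server.redeem(code, verifier)

    # A code presented without the verifier it was bound to is rejected, so a code seen
    # in a redirect URL cannot be turned into tokens by whoever saw it.
    other_code = server.authorize(make_code_challenge(make_code_verifier()))
    wrong_verifier_rejected = not server.redeem(other_code, make_code_verifier())

    return {
        "legit_ok": legit_ok,
        "replay_rejected": replay_rejected,
        "wrong_verifier_rejected": wrong_verifier_rejected,
    }


if __name__ == "__main__":
    print(run_flow())
```

    Running `make_code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` yields `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`, the RFC 7636 Appendix B value, which is a quick check that the padding is stripped and the URL-safe alphabet is used. The design point Aaron makes is visible in `redeem`: the verifier never travels through the browser, so PKCE protects the code itself, whereas `nonce` and `ath` only let the client detect a mismatched token after the fact.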

  • @cd-stephen 1 year ago

    ftw

  • @cmkjfnve 1 month ago

    Can't follow without setting the speed to 0.75. 🙂 Can't understand what the rush is.

  • @nestorguemez4846 2 years ago

    Excellent content!