WOW truly excellent tutorial. good examples and description. surprising that it’s from a company who don’t always do so well on tutorial. thanks okta guys!!
Cross domain post requests, or in general Cross origin requests (CORS), did not have much support in older browsers, as you said. Particularly, browsers older than Internet Explorer 10 do not support CORS requests.
Hi, I have a question regarding the Refresh Token use case, especially when we have unreliable clients (Native Apps). The new best practice about Refresh Tokens mentions that it should be replaced with each new token exchange request. So basically with each new token exchange request, the client receives a new refresh Token along with the Access & ID Token. How should we tackle a Logout scenario if the client is a mobile app? Mobile apps can have very unreliable networks and due to this the user can be logged out due to an expired Token. Are there any best practices regarding this use case? Thanks in advance. Ok
One more question: As mentioned in the use case, if the Access Token has 8 hours validity and during registration/login the user gave consent for some explicit scopes (example: vehicle data), the access token has the claims information, and if clients are checking the claims information and validity against the IDP token introspection endpoint and, based on the response, are letting the user use their API. What if in the meantime the user revokes some of the consent? The Access Token will still contain the previously given consent information, and if the client is based on the IDP token introspection response then critical service access will become accessible. Revoking the token and asking the user to log in again so a correct consent-based token can be generated can lead to a very bad user experience if the IDP has global logout & SSO. Any best practices here? Please share some. Thanks
So I should be using PKCE for my confidential OIDC client that's already checking state and nonce? I'd rather not rewrite it if those older DPOPs are sufficient.
If you are checking the nonce, as well as checking the ath claim in the ID token to compare it to the access token, then you are protected from access token injection. However, there is no protection from ID token leakage in the front channel if you are using the OIDC implicit flow. The other way to look at it is you can remove a bunch of code and replace it with a smaller amount of code that does PKCE, and removing code means less opportunity for bugs and errors.
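The two checks in the reply above, as an added example that is not part of this thread: OIDC Core names the claim that binds an ID token to an access token `at_hash` (base64url of the left-most 128 bits of SHA-256 over the access token for RS256/ES256), so the code compares that claim plus the nonce, and then shows the PKCE S256 verifier/challenge pair that replaces those checks. It assumes the ID token's signature has already been verified and that the claims are passed in as a dict; the token values are constructed.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and RFC 7636 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def at_hash_for(access_token: str) -> str:
    """at_hash per OIDC Core 3.1.3.6 for a SHA-256 signing alg (RS256/ES256):
    hash the ASCII access token, keep the left-most 16 bytes, base64url them."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[:16])


def id_token_binds_access_token(id_claims: dict, expected_nonce: str,
                                access_token: str) -> bool:
    """The two checks from the reply: nonce matches what this client sent,
    and at_hash matches the access token that arrived with the ID token.
    A missing at_hash is treated as no binding, i.e. the check fails."""
    if id_claims.get("nonce") != expected_nonce:
        return False
    at_hash = id_claims.get("at_hash")
    if at_hash is None:
        return False
    # constant-time compare, so the check cannot leak the expected value
    return secrets.compare_digest(at_hash, at_hash_for(access_token))


def pkce_pair() -> tuple[str, str]:
    """RFC 7636 S256: a random 43-char verifier and its SHA-256 challenge.
    The client sends the challenge on /authorize and the verifier on /token."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_challenge_matches(verifier: str, challenge: str) -> bool:
    """What the authorization server does at /token: recompute and compare."""
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, challenge)
```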
I watched a lot of videos about the context and this is the most clear and satisfying explanation of them all. thank you very very much.
This is by far the best explanation. Thank you so much!
Give that person a Raise 🎉🎉
Just 6 min of the video and I feel more confident on Oauth vs OIDC 5:52
Thanks a lot, Aaron. This is by far the best and comprehensive video I saw about these topics.
didn't think I'd enjoy learning about OAuth so much. Thanks a ton!
Wow!!! This is SPOT ON. Thanks for the excellent presentation Aaron.
Thanks Aaron! This is the clearest explanation about oauth that I have seen
It was nicely done, Aaron! Excellent presentation and effortless communication!
Fantastic video, thank you. In fact the only explanation of these concepts I could find that made sense.
By far the best explanation! 🙌
Thank you! You rock!
Really great explanation. Thank you!
Great high level overview of these protocols. Thank you a lot
Thanks Aaron
Very clear and concise Thanks a bunch!
Nice 👍 Please post some videos on OIDC Single Sign on.
this should be watched by more devs
Great video, thank you for clearly explaining this topic!!!
Also Where did you get that shirt it is awesome!
Excellent! Thank you very much!
Excellently explained! Thanks!
Such a great presentation !!!!
Great explanation! Thanks
Fantastic explanation! Thank you!
Fantastic video!
Amazing explanation.
that is soooo useful! )
great explanation, thanks!
ftw
can't follow without setting the speed to 0.75. 🙂 Can't understand what the rush is.
Excellent content!