OAuth 2.0: An Overview
Вставка
- Опубліковано 5 вер 2024
- See the benefits of OAuth 2.0 technology and get an introduction to how it works. To explore introductory videos about InterSystems technologies, visit the featured overviews page on our Learning website: learning.inter...
Probably the best short overview of OAuth 2.0
probably the most benefecial advertisement i've ever watched. FANTASTIC
Wow, amazing how some people can explain complex technology in such a simple way. As my friend A.Einstein said, "If you cant explain it simply, you dont understand it well enough".
In a very superficial way.
If you would have been requested to implement an App authentication with this knowledge -
Would you know how to?
For me it's insufficient.
True but 50% of the burden is on the listener to be interested. A disinterested or just plain stupid one may claim an explanation isn't clear as well. That's the trouble with maxims.
This is overview, implementing is details. If you read only documentation for details, it is surprising hard to understand and get whole picture, because such documentations assumes that reader already understands whole picture.
I went through 10 different oauth 2 videos, finally its explained in the easy to understand format. Thanks
This is the best video of OAuth 2.0 I've found so far.
My only request is if there was another screen showing how the client ID, client secret and callback URL are integrated into the flow shown at 4:00.
exactly
The workflow diagram does not distinguish between front channel (appbank) and back channel communication (app's serverbank). I.e. from the description it's hard to understand why Memorial Bank doesn't send the Access Token directly (and skips the additional Authorisation Grant round-trip). The explanation is that the first round-trip happens on the front-channel (appbank), however, the 2nd round-trip happens on the back-channel (app serverbank). I.e. the app (the web browser) never sees the Access Token (at least in case of the Authorisation Code Grant flow described in this video).
Agreed, that detail is very important. I spent hours to understand it.
Nice, I actually got the same question when I watched the video and now it makes sense to me. Thanks!
Thanks, I had this same question too
He explained at 4:29 mark with having already registered with Memorial bank API before hand.
If I understand correctly it's an extra technical detail. Of which there are probably even more, which are relevant when you're actually there trying to implement the thing. Which may not be the scope of this video, so this higher abstractional level might not be by chance.
When your granny asks what you do for work you don't go into all the details do you.
short, straightforward, and very easy to understand. thanks a lot
Others make a 30 minutes long video and can't do shit. Thanks to you for being able to explain it in much shorter time and in the most comprehensive way.
decatechlabs.com/oauth2-explained-and-how-oauth2-works-oauth-in-action
Great video. Thanks. For folks totally new to the concept, listen at 0.75 speed :)
Took 20 mins to watch a 6 min video, Great Video 10/10
top notch even 4 years later! thanks!
Excellent, non-Indian accented short overview (for those having difficulties understanding Indian accented English)!
An Authorization Server is doing the same function as a firewall with additional functions. Thanks for sharing.
Short and clear explanation of OAuth 2.0 ..
The Best !!!!!!!!
The only video which helped me understand the working of oauth2!!!!!
Excellently done and simple to understand examples. Thank you!
I gotta admit
This was a very good tutorial
I love how you covered everything in detail
A short and simple explanation of OAuth 2.0. Thanks!
Best and simple explanation of OAuth2
today I understood oauth2 after going through within other waste article☺️
Thanks for this detailed and clear explanation.
This is a type of ad that i would definitely watch!
Excellent content.
Inspired from you Even I started sharing my interview Experiences.
Thank you-this is a great walkthrough of the process. I am recommending this channel to my coding bootcamp cohort.
Amazing explanation! I read the actual specification (which is also amazing) but for people looking for a spot-on basic walkthrough of OAuth’s Authorization Code flow, this is it!
Short and Crisp to the point needed..Thanks for sharing the info..
Now this is what I call an explaination.
superb explanation, simple and easy to understand. Nice work
Glad you liked it
In the example, when Sarah access the app's portal (to see bank's balance) for the 1st time, she needs to tell the username/password for the bank. correct? Otherwise, the authorization server would not be able to tell to whom the access token will be issued.
Yes Sarah need to be authenticated. OAUTH 2.0 flow does not include authentication. Authentication can be done in any of the ways like SAML. Yes, for sure Sarah need to authenticate to memorial bank.
This is a great video with easy explanation of how oauth 2.0 is used. It does mention the use of openid for authentication but i guess that happens with the identity provider resource.
Now, I understand the proper wokflow
Terrific explanation
Nice, easy and straightforward!
You guys are lifesaver. Well done video
Well explained, thank you very much 🙏
Awesome video with clear explanation on how all of this works. Thank you
Helpful, nice explanation!!
Great explanation
Easy and Crisp. Thanks for this!
Much good information, thank you.
thank u, saved my life
I personally liked this video as it gave me what OAuth exactly means. Thanks a ton!
Great video. Makes complete sense!
Really great explanation. Thanks.
Simply the best overview video... Short and clear... thanks for this!
Excellent tutorial 👌 the best one on oauth. Thanks a ton
Very good Explanation. 👍
The best thing on this topic.
Awesome explanation, thanks buddy.
Great content!
Very useful. Thank you!
Thanks much, that was clear and easy to understand. Please share links for other
Amazing explanation.
Excellent explanation
On 6:03 you wrote "Sarah will need to login once to access all accounts across different banks. Should not Sarah has to login for each bank?
I think he means that after initially setting up the individual logins of all of her bank accounts on MyBucks, she will be able to access the information she wants by only logging into MyBucks instead of having to login to all of her banks individually. But yes, she will have to login for each bank during the initialization.
great video
Excellent explanation of the OAuth2 framework! This makes the whole process a lot more understandable
Awesome explanation of OAuth 2!
Fantastic explanation 👏
Glad you liked it
Excellent video
Very well explained, thank you
I don't really know why 272 people didn't like this ? 😂😂😂😂😂
Great video!!!
Thank you!!
Thanks for useful video. Be useful to know the purpose of a public Client Id, when the private key should be enough to validate the callback?
MAY BE YOU WILL TELL IM BAD AT MATH BUT THIS VIDEO CAN BE MARKED 101/100
nicely explained, thanks
Fabulous explanation.... Well done
I am not sure how the resource server check the access token. The resource server will make request to auth. server for check the access token or resource server has the secret-key (solt) for check the signature of the access token?
in the case, Sarah have accounts in different banks, not only at Memorial Bank, so how is the process of authorization between MyBucks and all the banks?
To watch multiple movies, we need ticket for each movie. Same goes here i.e. Sarah need to share Name, Web Site and Call back URL to the other banks that have her accounts.
Awesome explanation! :D
Thanks a bunch!!
Great job! Thank you. Tried to learn this from my Microsoft cert book and as usual, I'm left utterly confused!
Does this, on the conceptual level, differ in any way from how Kerberos works?
Well-done, thanks. Short and sweet.
I would like to tentatively point out a typo/mistake. At @0:43 you say the API has an authentication server and a resource server. I believe you meant to say that the API has an authorization server and a resource server. The other diagrams show authorization server.
Hoping the author sees this and can confirm.
What is the maximum limit of cliend ID in oauth 2.0?
OAUTH is very useful
Where is the login from Sarah at the Memorail Bank which she have to proceed? Without the login at the memorial bank, they dont knwo which token belongs to which account.
Understood! Can this framework be implemented on a PHP/MySQL website ?
Why is can't the authorization server just send back the access token once the user authenticates/authorizes the app? What's the benefit of having an authorization grant passed around before the access token is granted?
sending back access token directly to client is another authorization grant type mentioned in oauth 2.0 framework of ietf, named "implicit".
"The implicit grant is a simplified authorization code flow optimized
for clients implemented in a browser using a scripting language such
as JavaScript. In the implicit flow, instead of issuing the client
an authorization code, the client is issued an access token directly
(as the result of the resource owner authorization). The grant type
is implicit as no intermediate credentials (such as an authorization
code) are issued (and later used to obtain an access token).
When issuing an access token during the implicit grant flow, the
authorization server does not authenticate the client. In some
cases, the client identity can be verified via the redirection URI
used to deliver the access token to the client. The access token may
be exposed to the resource owner or other applications with access to
the resource owner's user-agent."
The implicit way ( send back access token to client/resource owner directly ) will expose access token to resource owner, which is simplified but not reasonable.
This video is very basic if you are asking this type of question.. but let me answer:
access_token is not passed directly because we don't want the user to get to see the access_token, why? because user level is never trusted, or he may deplete our API quota by doing calls by himself or If a hacker is sitting in the user code or the application, he can grab the access_token which is bad, he now sees the "code" but this code is nothing without client_id and secret which are perfectly safe (at least under your control)
You may say if a hacker is sittin on client side, he can also grab directly the facebook password, this is not always true depending on the hacker type.. if there is an xss vulnerability on your website he can grab the "code" but cannot intervene to facebook login.
This video (and the series) probably answers your question.
ua-cam.com/video/xcT6OCbI77k/v-deo.html
but in the authorization code grant whats the benefit of having an auth grant pass
You said Sarah can login only 1 time to access many of her banks. But doesn't she need fill out many consent forms ? Or to be able to achieve this, a different grant other than authorization code need to be used?
exactly my thoughts too.. it said Sarah needs to login JUST ONCE to access all of her account information across various banks.. is it really a valid statement? having been a user of acorns, i think the practical approach would be once per bank account? more of a one time setup per bank till Sarah changes her creds with the bank.. did you ever happen to receive a reply on this one from the content creator?
thank you!
A great Explanation, I have a small doubt How Resource server validate the token? Does resource server internally communicate with Authorization Server, As i know authorization server refresh the token after some time span, How Resource server come to know refresh token is valid? Please help
Pls some one., I need an answer for the same
Same
Finally got it thanks man thanks 🙏
Great, thanks!!
That was great, thanks!
Is this regarding authentication or authorization?
It appears to me that this video is about both
Wonderful lecture!
Not at all clear what happens in your client app versus the app server.
Simple and best...
thank you for this nice tutorial.
Missing a critical info here. If you just send the auth code, you will not get access token. The auth code need to go in with nonce & code verifier. Only then the server can authenticate you
0:40 You say that the API has a AUTHENTICATION server and a resource server, but later you call it - and label it - as an AUTHORIZATION server.
Not clear betwen authentication and authorization.
Could you please let me know ...how to ignore session_state while sending it token endpoint
Thanks a lot ....
At 3:56 how does memorial bank verify that the access token it received is a valid token ?
The application would have client Id and Client Secret. Using client Id and client secret, response would be decoded, and access token would be retrieved. This access taken would later be used to get resource.
How does the server know that it is "Sarah" making the request, since user credentials arent send along the calls. What prevents the "MyBucks" application from making calls for other users besides "Sarah".
Sarah has to put in her username and password in memorial bank if she hasn't logged into that yet in the auth request phase. I'm betting the access token identifies Sarah which MyBucks application uses the grant to get it. The resource server will deserialize (decode) the access token and figure out its Sarah. If there is any modifications in the token, I'm guessing it will become an invalid token. The Auth server has a key to encode the token and the resource server has a key to decode the token. These are known as private and public keys. I don't remember which one encodes and which one decodes xD
Great Video....thanks
Brilliant explanation
If the authorisation server and the resource server are separate, how does the resource server know that token is legit since there's no "session" shared between them?