How does machine to machine authorization work? And, how to use it (M2M)

  • Published 26 Oct 2024

COMMENTS • 8

  • @cliffmathew 3 months ago +3

    You completely skipped how the resource server validates an access token presented by the client, before allowing access.

  • @nicholas1460 9 months ago

    Good stuff, helpful terminology and use case review.

  • @zacktzeng8569 4 months ago

    Hi, you mentioned that the client credentials grant should only be used for trusted services and not internet-facing services. If I have a public web app with a frontend and backend and I want to only allow this public web backend to access my custom backend resources, should I pick a different method? If so, what would you recommend? Thanks!!

  • @christopherkirkos1790 6 months ago

    I want to run automated tests in my staging environment, but I have to simulate a user to do so (need email address associated with token). How should I achieve this?

  • @mohanchennagiri8039 9 months ago

    @2:30, how does the resource-server ensure the access-token is authentic? Is there implicit trust, or does it call authorization server to validate the token?

    • @WillJohnsonio 9 months ago +1

      Great question, the resource server verifies the token signature.

    • @MichaelStein-ty5du 4 months ago

      @WillJohnsonio No it does not. The application will need to verify the JWT:
      From Auth0:
      Auth0 uses JSON Web Token (JWT) for secure data transmission, authentication, and authorization. Tokens should be parsed and validated in regular web, native, and single-page applications to make sure the token isn’t compromised and the signature is authentic. Tokens should be verified to decrease security risks if the token has been, for example, tampered with, misused, or has expired. JWT validation checks the structure, claims, and signature to assure the least amount of risk.

  • @ahsath 6 months ago

    Aren't IoT devices untrusted clients if they operate autonomously, like a vending machine in a parking lot that makes requests to a DB, aka resource? I say this because they are susceptible to being stolen and reverse engineered to get the "secrets".