OAuth 2.0 & 2.1 Explained

  • Published 15 Oct 2024
  • OAuth 2.0 and OAuth 2.1 explained. JWT in OAuth

COMMENTS • 74

  • @AnsisPlepis
    @AnsisPlepis 1 year ago +5

    11:35 perfectly sums up a big part of my confusion on OAuth. awesome video

  • @pabloduarte4470
    @pabloduarte4470 2 years ago +7

    Best coding channel by far.

  • @georgekopadze791
    @georgekopadze791 1 year ago +3

    Clearly explained. Well done and of course thank you for your effort

  • @subramanyaaithal4422
    @subramanyaaithal4422 2 months ago

    You're awesome. You rap and teach so nicely.

  • @unhandledexception1948
    @unhandledexception1948 2 years ago +1

    love the bit of humour dispersed throughout this complex spec
    😀

  • @АлексейШкребнев-д4с

    Very cool videos! Thanks for the detailed explanation of all this mess, in my head.

  • @sabashavidze4990
    @sabashavidze4990 4 months ago

    great explanation with details 🚀

  • @akamamin3197
    @akamamin3197 1 year ago +1

    thank you for your effort.

  • @daviddevon
    @daviddevon 1 year ago +3

    With the advent of "cookiepocalypse" breaking frontend communication with AzureAD I would love to see you do a video with a SPA and API (e.g. React ASP) using the Backend for Frontend pattern to manage AuthN/Z using AzureAD. I just discovered your work recently and it is such a big help. I have a lot of videos to watch :) Thanks

    • @RawCoding
      @RawCoding  1 year ago +1

      Check my more recent videos on OAuth

    • @serg1778
      @serg1778 7 months ago

      In some of your videos I heard that OpenID gives you an id and refresh token in addition, which contains user data (claims). Now I'm confused a bit because here you said that the access token gives access to the user's data as well. Maybe I misunderstood. @@RawCoding

    • @RawCoding
      @RawCoding  7 months ago +1

      Yep, the access token (OAuth) gives you access to the API; refresh tokens are still part of OAuth and can be used to refresh access tokens. OpenID introduces ID tokens which identify the user (aka authentication).
      Claims can go in all tokens (only in OIDC, because the spec says all tokens should be JWT tokens). OAuth doesn't say that tokens need to be JWTs, but rather can be any value (so more of a reference rather than a payload).

  • @stickyamp5996
    @stickyamp5996 5 months ago

    This video was really cool. Easy to follow, and I understood OAuth2 very well. Can you do the same (if not already done) with SAML, OpenID Connect and pretty much any other popular auth protocol? I'd love to watch that.

  • @cicerofoscarini8890
    @cicerofoscarini8890 2 years ago

    Hey man! Nice video like always and... nice new hair :)

  • @shreyasjejurkar1233
    @shreyasjejurkar1233 2 years ago +5

    I know u already have series on auth. But would love to see how to integrate aspnetcore api with Azure app registrations things including diff scopes and things.

  • @vvkim20
    @vvkim20 7 months ago

    the best oauth explanation

  • @michaelestrinone2111
    @michaelestrinone2111 2 years ago

    This video is so helpful! Thank you

  • @_Grunty_
    @_Grunty_ 1 year ago

    Thanks for such a didactic explanation.
    FWIW, on slide "Flow - PKCE (1)", see around 24:10, your exposition won't get any better if you fix that typo in: "[code_challange + method]". But you might want to fix it anyway 😉

  • @uRamPlus
    @uRamPlus 2 years ago +1

    Oh shit u got that fresh cut? 😊😝 thanks for this lecture! liked 👍

  • @DSD3mon
    @DSD3mon 2 years ago +2

    18:56 LOL
    Very informative video, though, thanks a lot

    • @RawCoding
      @RawCoding  2 years ago +1

      Cheers, glad you enjoyed it)

  • @LouisWaweru
    @LouisWaweru 2 years ago +2

    🔥 18:47

  • @dune102
    @dune102 2 years ago +3

    Great content, very detailed as I wasn't aware of the 2.1 changes.
    How does Authentication fit in with OAuth?
    Can software use OAuth like this safely for controlling access to applications/apis without first authenticating a user / user request?
    Is this where OpenId Connect comes in to sit on top / to be used in conjunction with OAuth to provide the authentication part of the puzzle?
    I guess I'm wondering how we can Authorise a request without first knowing who is making the request i.e. without the authentication part?
    edit: I'm currently thinking that we can use OAuth when we want the authorisation part irrespective of any particular user, and need authentication first when we want to allow different claims/roles/permissions depending upon a specific user....... I may be wrong though \o/

    • @RawCoding
      @RawCoding  2 years ago +1

      Yep OpenIdConnect solves the authentication issue. Ofc you can implement so that the token would authn the user but it’s frowned upon.

    • @adamc1694
      @adamc1694 2 years ago

      Things are getting really complicated these days. In the old days a company had to create and manage each user's login and password. Nowadays they can utilize a third party like Google, Facebook, MSN... to do the authentication. And then if they purchase third party software/service, a company can register the third party's endpoint URL to implement the authorization (OAuth).
      Azure has it all covered though. Pretty much just some configurations.

  • @TheAzerue
    @TheAzerue 2 years ago +1

    Hi
    One question: during the video you mentioned that RPOC can be used if client + authorization server + resource server are one application. Please note that by single application I don't necessarily mean they are built in the same technology, say AspNetCore or Java. The frontend could be Angular or React and the backend could be dotnet. But all entities are under the same company or team and can be trusted. But later in the video you mentioned that RPOC is deprecated.
    So can we use RPOC if all three entities can be trusted, or should it be avoided?
    Great video.
    Cheers

    • @RawCoding
      @RawCoding  2 years ago

      It can be used but it’s not part of the protocol. From OAuth 2.1 perspective there is no RPOC. From your perspective you’re getting a token by posting credentials to your server. Do remember it’s for authorisation if you are authenticated and you have to post credentials one more time it’s gonna feel a little weird.

    • @TheAzerue
      @TheAzerue 2 years ago

      @@RawCoding Yes, I understand. To authenticate again if the token expires, I have used a refresh token that has a longer expiration.

  • @DmitryKochanowski
    @DmitryKochanowski 2 years ago

    Thank you. Good job.

  • @shahzeb5130
    @shahzeb5130 1 year ago

    Nice video. Can anybody suggest the best flow for a desktop application? Based on this video I feel it is implicit flow, but saving credentials in a desktop application that is deployed on the client machine doesn't feel secure.

  • @medzik1993
    @medzik1993 10 months ago

    f*cking best video on youtube !

  • @gregorywilson2124
    @gregorywilson2124 1 year ago +1

    What if you are doing OAuth 2 with a WPF client? Does the WPF client have to do all the things that are built into the browser?

    • @RawCoding
      @RawCoding  1 year ago +2

      WPF would have to open a browser to obtain the token. You see this when you authenticate with Visual Studio as well.

  • @oleksandrdidenko1872
    @oleksandrdidenko1872 2 years ago +13

    Russians can travel only to Belorussia. That was the most amazing moment in the video!!!

    • @LouisWaweru
      @LouisWaweru 2 years ago

      I thought it was well done. Didn't realize others commented on it already. I should say that I enjoyed it for pointing out Western hypocrisy. I’m starting to understand people may enjoy it for different reasons though.

    • @shananboiara
      @shananboiara 1 year ago

      Well, to Kazakhstan too, actually, but the jab is well taken)

  • @ahmedifhaam7266
    @ahmedifhaam7266 1 year ago +1

    I still don't really understand what the 'code' is, you said a collection of strings, ok, but what is it.

    • @RawCoding
      @RawCoding  1 year ago +1

      It's a random string; its purpose is to be exchanged for a token. The reason we give out a code instead of the token directly is because the code is passed via the browser URL, which is public, and we want to keep the token secret. The code is one-time use and is exchanged for the token via the back channel.

    • @ahmedifhaam7266
      @ahmedifhaam7266 1 year ago +2

      @@RawCoding gotchaa, thank you so much. Yeaah, so I work for the government, they are doing this unified identity system and want to integrate that into all gov sites for citizens to log in.
      I saw one string called just code, and something called a x_login_code, so was trynna understand the difference. In any case, tysm, you helped me get my middle level developer job in the gov without a degree hehe.

    • @RawCoding
      @RawCoding  1 year ago +1

      Absolute boss well done!

  • @anonymousvevo8697
    @anonymousvevo8697 6 months ago

    i like the picture at the end of the wall, plus dude too many ads! come on it's exaggerating !

  • @yapayzeka
    @yapayzeka 1 year ago

    31:42 I think these poor souls are SPAs with only static files. like no backend operation.

  • @erikknudsen5856
    @erikknudsen5856 2 years ago +2

    Resource Owner Password Credential should be ROPC, not RPOC...?

  • @ahmedifhaam7266
    @ahmedifhaam7266 1 year ago +1

    I'd love to know how to see this flow happen slowly in a debugger, especially since this back channel stuff can't be seen in the browser.

    • @RawCoding
      @RawCoding  1 year ago

      have you seen the playlist? check out the building your own OAuth server

    • @ahmedifhaam7266
      @ahmedifhaam7266 1 year ago

      @@RawCoding Oh, I just saw it, thanks! Hope you know, we really, really, appreciate what you're doing.. truly, Thank you.

  • @omfgiwantausername21
    @omfgiwantausername21 2 years ago +1

    What does "opt" in the diagram mean in this context? Options?

    • @RawCoding
      @RawCoding  2 years ago +2

      Nothing, the modelling tool came with it I couldn’t remove it

    • @omfgiwantausername21
      @omfgiwantausername21 2 years ago +1

      @@RawCoding lol - here I was, all excited to learn a new term 🤣

    • @RawCoding
      @RawCoding  2 years ago +1

      😂

  • @kenrazo2533
    @kenrazo2533 2 years ago

    woohooo super great!

  • @KunalMukherjee3701
    @KunalMukherjee3701 2 years ago +1

    Now make a video on Azure ad b2c authenticating and authorizing a .net6 api

  • @shivamkumargaur9871
    @shivamkumargaur9871 2 years ago +1

    I procrastinated for 6 years

  • @saurabhchauhan232
    @saurabhchauhan232 2 years ago

    Can you please make one video on salting and hashing passwords to store in the db?

  • @oleggavrilov7083
    @oleggavrilov7083 1 year ago

    18:57 If you are in Russia, with an international passport and some visas you can travel anywhere, and you don't even need a passport to travel to Ukraine for a nice vacation there.

  • @meJevin
    @meJevin 2 years ago +1

    Anton... where did the hair go...

    • @RawCoding
      @RawCoding  2 years ago +3

      Got tired of it )

    • @pavelakimov1713
      @pavelakimov1713 2 years ago +2

      @@RawCoding I've been watching every episode for a couple of years now and never once thought this guy might speak Russian 😮 Thanks for the video, the content and delivery are top-notch as always!

    • @RawCoding
      @RawCoding  2 years ago

      Thanks 😉

    • @semen083
      @semen083 2 years ago +2

      @@pavelakimov1713 I caught him when, in one of the videos, he used cars as class instances and named one of them "Lada".

    • @pavelakimov1713
      @pavelakimov1713 2 years ago

      @@semen083 exactly, that happened! 😂😂😂

  • @semen083
    @semen083 2 years ago +2

    Nice -haircut- video.
    1) What's the point of the exchange of authcode to code? Why not instantly return the token like in implicit flow? What security advantages does it provide?
    2) Is the Client Secret the thing the user inputs in the password textbox, or is it a single secret for the client application (like a JavaScript client)?
    3) What's the secure place for storing the access token in a Vue.js application? Vuex?
    4) What's a good auth flow for service-to-service communication, like between microservices?
    Thanks

    • @RawCoding
      @RawCoding  2 years ago +1

      1) the token will reach the browser in the query, which can further get logged and it’s a mess.
      2) when you create a record of your app with the authorisation server it will give you a client secret to add to your app.
      3) a dedicated backend or encrypted cookie.
      4) client credentials, if it’s your services use firewall rules.

  • @CyanideM0nkey
    @CyanideM0nkey 8 months ago

    Fine, you can have a like for the Khabib reference 😜

  • @rezarezash
    @rezarezash 1 year ago +1

    Thanks for the video and content. I am trying to make a fetch request to the API endpoint and then set the response location header to the google auth server but I get the Cors Error.
    Access to fetch at 'accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?response_type=code&client_id=&redirect_uri=localhost:5279/weatherforecast&scope=openid%20profile%20email&state=CfDJ8IJqa1zOV1dOvnKTY_TMWjX1NvVUBThwVVYECnjxe4diq7xwtCmzJROXuQWLGhCMr2cSUpjVecB4Pl8LYpsF4wHZ0fu_ehXsJf9NDnDelzlN8YsEqKjUL_fVI02c-rHBD4FxM743ByQfH8uttr7kA-gbFybFfxctgjz7W_0PCVIRz9AFMUu_AQccsP1m2c0snJogwpJZcedeFKpVZjgWEfAhJethY-ouIEJZiKCF9BkZs5WeRKMjlFLVefW5RGCVk6fAgCL3BKLOWT-Qsfcjk3JU9XoFztWhI2u6XDzQL2dD&service=lso&o2v=2&flowName=GeneralOAuthFlow' (redirected from 'localhost:5279/LoginToGoogle') from origin 'localhost:5279' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

    • @RawCoding
      @RawCoding  1 year ago

      how are you redirecting?
      you want to do window.location.href = redirect_uri