วีดีโอ

thank you sir

Good Stuff

Done thanks! HMAC or RSA can be used for the signature If using HMAC then need to share the secret used to sign if you want to verify the signature which is risky if only the issuer that issued the token needs to verify its integrity then they already have their own secret no need to share it but if you want the receiver of the jwt to confirm that it was issued by you then use rsa for signature so they can verify with your public key With RSA the token signature can be verified with the public key without knowing private key of the token issuer So can confirm that token was issued by a specific issuer if you know their public key

Done thanks RSA can be used to create the signature also, signing with private key HMAC can also be used to create the signature Elliptic curve cryptography can also be used

Jwt uses hmac function message authentication code

Done thanks Audience is the claims body of the jwt identifies who the token is intended for (who’s using the token) and issuer is who signed the token (the server issuing it)

Done thanks! With regular jwt, the content is just base 64 url encoded so anyone can read the contents (but the issuer attaches a signature made of the header, claims (body) and appends it to the token to verify integrity. JWE is like jwt but the body is encrypted, so when you made 64 url decide it, you can see the body as cipher text and only issuer can read it

Done thanks! 1:00 You base 64 url encode the header and the claims (body) and generate a digital signature with those two and your secret_key of the server issuing the token You the concatenation the signature also so the final token is header, claims and signature concatenation with .

Good explanation. Naive question. Isnt it possible for a malicious app to cache all the communication which means also the hash code and the string as soon as i send it to the auth server for authentication? Im aware this is a naive question, i just want to understand it fully :)

Appreciate it for sharing! Hoping for some advice: My wallet on OKX contains some Tether USDT, and I possess the recovery phrase: ▲clean▲ ▲party▲ ▲soccer▲ ▲advance▲ ▲audit▲ ▲clean▲ ▲evil▲ ▲finish ▲tonight▲ ▲involve▲ ▲whip▲ ▲action▲. Could you suggest how should I go about transferring them to Binance?

Perfect!

Thank you very much!

Hi, after the user successfully login, why google don't just give the user access_token? Why google give auth_code, and then we request access_token using auth_code? I'm kinda lost in here. Can you help me to explain? Thank you

What an amazing explanation! Thank a lot! 🙇 Fabulous animations!

Really simply explained. Seen some much more complex explanations of something that is really pretty staright-forward.

Nice. But I'm looking for a way to generate that schema from an open api spec. This way, it would all depend on the spec. Is there a way to do it?

Saying "should not use" and "anti-pattern" is a huge stretch. You should clarify the context cause if the audience is the issuer such as the case with first-party apps, then it's perfectly valid. Not every OAuth flow is about a service to another, where Authorization Flow would of course be better.

Thank you for your efforts and time ^^.

Yeah that's me. I know all these things are important but too comfortable with my job to actually go do them.

What a splendorous video. Thank you so much!

thank you

thank you so much for this video .

after knowing jwt is not that kinda secure enough: 💀💀

sexyyyyyyyy

Awesome video, man. Congratulations.

Simple straight to the point explanation! Thanks.

👍

🤙🤙

👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌👌🧙‍♂🌐🛰🎣👑 you nailed it thank you so much

Thank you ! For me I understand the principle (listening at 0.75 speed) but I don't see why the attacker cannot intercept a normal request to the resource server where the access token and the original PKCE are sent, and intercept and get the PKCE code (original) there. With that, it can then itself request authentication (an auth token), for example he can intercept both authentication and authorization requests to get the mix of parameters he needs to act on behalf of the user. Isn't this possible?

This is a gem! Thank you for this video!

Great job explaining the pieces of a HMAC and the practical use cases. Thank you!

awesome explanation and presentation, new sub :)

If anyone is looking for a simple schema validation library checkout "jet-schema"

Thanks for sharing such valuable information! I have a quick question: I have a SafePal wallet with USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). How can I transfer them to Binance?

Thank you Jan

Thanks

Spring has webflux for streaming (now virtual threads but they werent available at the time of this video so leave that aside), why was that not brought up? A steeper learning curve is absolutely a valid criticism but you're just ignoring functionalities. Kind of questioning your knowledge on these environments

Well explained, Thank you!

great!

Great explanation. Thanks

well explained, thank you!

Thank you so much for the great explanation!

What if there are nested objects or arrays ? Or the entities are always 1 level ?

HI Great explanation, can you give me your diagrams to learn from it, please

Furman Forks

Aida Stravenue

Schowalter Mission

Halie Valley

Rebeca Island