OAuth 2.0: An Overview

  • Published Sep 8, 2024
  • See the benefits of OAuth 2.0 technology and get an introduction to how it works. To explore introductory videos about InterSystems technologies, visit the featured overviews page on our Learning website: learning.inter...

Comments • 227

  • @KirilK88 7 years ago +385

    Probably the best short overview of OAuth 2.0

  • @fajrivalo6276 5 years ago +78

    Probably the most beneficial advertisement I've ever watched. FANTASTIC

  • @knweiss 6 years ago +266

    The workflow diagram does not distinguish between front channel (app ↔ bank) and back channel communication (app's server ↔ bank). I.e. from the description it's hard to understand why Memorial Bank doesn't send the Access Token directly (and skips the additional Authorisation Grant round-trip). The explanation is that the first round-trip happens on the front-channel (app ↔ bank); however, the 2nd round-trip happens on the back-channel (app server ↔ bank). I.e. the app (the web browser) never sees the Access Token (at least in the case of the Authorisation Code Grant flow described in this video).

    • @jeannek1179 5 years ago +15

      Agreed, that detail is very important. I spent hours to understand it.

    • @weiyin2281 5 years ago +6

      Nice, I actually got the same question when I watched the video and now it makes sense to me. Thanks!

    • @LH-hs1gc 5 years ago +2

      Thanks, I had this same question too

    • @YoungDen 4 years ago +4

      He explained it at the 4:29 mark, with the app having already registered with the Memorial Bank API beforehand.

    • @70ME3E 4 years ago +11

      If I understand correctly it's an extra technical detail, of which there are probably even more, which are relevant when you're actually there trying to implement the thing. That may not be the scope of this video, so this higher level of abstraction might not be by chance.
      When your granny asks what you do for work, you don't go into all the details, do you?

  • @matscloud 4 years ago +32

    Wow, amazing how some people can explain complex technology in such a simple way. As my friend A. Einstein said, "If you can't explain it simply, you don't understand it well enough".

    • @user-ck6yl6qb2g 4 years ago

      In a very superficial way.
      If you had been asked to implement app authentication with this knowledge,
      would you know how to?
      For me it's insufficient.

    • @jfq7223 3 years ago +1

      True but 50% of the burden is on the listener to be interested. A disinterested or just plain stupid one may claim an explanation isn't clear as well. That's the trouble with maxims.

    • @moofymoo 1 year ago

      This is an overview; implementing is details. If you read only the documentation for the details, it is surprisingly hard to understand and get the whole picture, because such documentation assumes that the reader already understands the whole picture.

  • @Dolshansky 5 years ago +16

    This is the best video on OAuth 2.0 I've found so far.
    My only request is if there were another screen showing how the client ID, client secret and callback URL are integrated into the flow shown at 4:00.

  • @rupn9633 2 years ago +4

    I went through 10 different OAuth 2 videos; finally it's explained in an easy-to-understand format. Thanks

  • @anhquocnguyen1578 1 year ago +4

    Short, straightforward, and very easy to understand. Thanks a lot

  • @beckonme4942 5 years ago +1

    Others make a 30-minute-long video and can't do shit. Thanks to you for being able to explain it in a much shorter time and in the most comprehensive way.

    • @l1f07bscs0035 4 years ago

      decatechlabs.com/oauth2-explained-and-how-oauth2-works-oauth-in-action

  • @seneresaartomus8982 4 years ago +1

    Excellent, non-Indian accented short overview (for those having difficulties understanding Indian accented English)!

  • @skytechbits 1 year ago +1

    An Authorization Server is doing the same function as a firewall with additional functions. Thanks for sharing.

  • @peterlittle4937 1 year ago +1

    Took 20 mins to watch a 6 min video. Great video, 10/10

  • @adad15711 3 years ago +2

    Great video. Thanks. For folks totally new to the concept, listen at 0.75 speed :)

  • @scottsoward 4 years ago +11

    Excellently done and simple to understand examples. Thank you!

  • @kikumarmadlur 3 years ago

    Short and clear explanation of OAuth 2.0.

  • @thedevtutorials 5 years ago +5

    The Best !!!!!!!!
    The only video which helped me understand the working of OAuth2!!!!!

  • @injeranamitmita 3 years ago +2

    Top notch even 4 years later! Thanks!

  • @Daviesdev 1 year ago +1

    I gotta admit
    This was a very good tutorial
    I love how you covered everything in detail

  • @riyabasak9758 2 months ago

    Thanks for this detailed and clear explanation.

  • @NAVEENKUMAR-ne1vg 5 years ago +3

    Today I understood OAuth2 after going through other waste articles ☺️

  • @sankaranand503 1 year ago

    Best and simple explanation of OAuth2

  • @vaibha3v 4 years ago

    A short and simple explanation of OAuth 2.0. Thanks!

  • @bipinthakare2404 3 years ago +1

    Superb explanation, simple and easy to understand. Nice work

  • @codinginflow 2 years ago +4

    Terrific explanation

  • @jc_alpha 1 year ago

    Amazing explanation! I read the actual specification (which is also amazing) but for people looking for a spot-on basic walkthrough of OAuth’s Authorization Code flow, this is it!

  • @DrunkenEngineer 4 years ago +4

    Excellent content.
    Inspired by you, even I started sharing my interview experiences.

  • @billieporter156 2 years ago

    Thank you, this is a great walkthrough of the process. I am recommending this channel to my coding bootcamp cohort.

  • @mmzubairi 6 years ago

    This is a great video with an easy explanation of how OAuth 2.0 is used. It does mention the use of OpenID for authentication, but I guess that happens with the identity provider resource.

  • @vidyadityak5726 4 years ago +1

    Short and crisp, to the point needed. Thanks for sharing the info.

  • @sreddy5845 7 months ago

    Great explanation

  • @cjcjonesit 4 years ago +1

    You guys are lifesavers. Well done video

  • @Aragubas 2 years ago

    This is the type of ad that I would definitely watch!

  • @TyzFix 2 years ago +1

    In the example, when Sarah accesses the app's portal (to see the bank balance) for the 1st time, she needs to give the username/password for the bank. Correct? Otherwise, the authorization server would not be able to tell to whom the access token will be issued.

    • @pranithareddy1365 1 year ago

      Yes, Sarah needs to be authenticated. The OAuth 2.0 flow does not include authentication. Authentication can be done in any of several ways, like SAML. Yes, for sure Sarah needs to authenticate to Memorial Bank.

  • @siddharthkaushik286 1 year ago

    Helpful, nice explanation!!

  • @steef7843 11 months ago

    Well explained, thank you very much 🙏

  • @umeshmaurya8205 11 days ago

    Now I understand the proper workflow

  • @joelbrandao4 1 year ago

    Great content!

  • @ivelinarnaudov9834 3 years ago

    Very good explanation. 👍

  • @coriandrew 5 years ago +2

    Really great explanation. Thanks.

  • @LacksonMunthali 2 years ago

    Now this is what I call an explanation.

  • @luisolvera5997 3 years ago

    Nice, easy and straightforward!

  • @pecan8470 2 years ago

    Thank you, saved my life

  • @kieran2347 3 years ago

    Awesome video with clear explanation on how all of this works. Thank you

  • @ricdonato4328 1 year ago

    Much good information, thank you.

  • @F2H16 4 years ago +1

    Awesome explanation, thanks buddy.

  • @pqr2726 1 year ago

    Great video. Makes complete sense!

  • @Marksmwangi 2 months ago

    Great video

  • @sanjaybharatiya5074 7 years ago +5

    Excellent explanation

  • @leandrogalvan1110 3 years ago

    Amazing explanation.

  • @shilpashravge8083 1 year ago

    Fantastic explanation 👏

  • @nitin.aggarwal 7 years ago +2

    Fabulous explanation. Well done

  • @harim6598 6 years ago

    Thanks much, that was clear and easy to understand. Please share links for others.

  • @walidkiradesu 4 years ago

    Excellent video

  • @kushbajpai1265 4 years ago

    I personally liked this video as it gave me what OAuth exactly means. Thanks a ton!

  • @Juan-Hdez 1 year ago

    Very useful. Thank you!

  • @marianaaa24 1 year ago

    Great video!!!

  • @nature-lj4sj 3 years ago

    Excellent tutorial 👌 The best one on OAuth. Thanks a ton

  • @neeharika8653 5 years ago

    Simply the best overview video. Short and clear. Thanks for this!

  • @rishabhsharma4300 6 years ago +3

    Nicely explained, thanks

  • @Gebes 3 years ago +1

    Excellent explanation of the OAuth2 framework! This makes the whole process a lot more understandable

  • @rohitkhanna8620 3 years ago

    Easy and crisp. Thanks for this!

  • @sksalmanhaider8992 3 years ago

    The best thing on this topic.

  • @meenakshipochincharla8714 3 years ago

    Very well explained, thank you

  • @shadoninja 4 years ago

    Awesome explanation of OAuth 2!

  • @RazahLP 10 months ago

    Great, thanks!!

  • @Mahmeuver 8 months ago

    Thank you!

  • @jeelpatel1427 4 years ago +1

    At 6:03 you wrote "Sarah will need to log in once to access all accounts across different banks." Shouldn't Sarah have to log in for each bank?

    • @harshakumar8970 4 years ago +1

      I think he means that after initially setting up the individual logins of all of her bank accounts on MyBucks, she will be able to access the information she wants by only logging into MyBucks instead of having to log in to all of her banks individually. But yes, she will have to log in for each bank during the initialization.

  • @kenilpatel7841 5 years ago

    Wonderful lecture!

  • @adamberry7536 6 years ago +6

    That was great, thanks!

  • @denebgarza 7 years ago +6

    Why can't the authorization server just send back the access token once the user authenticates/authorizes the app? What's the benefit of having an authorization grant passed around before the access token is granted?

    • @andrewzong1380 7 years ago +2

      Sending the access token directly back to the client is another authorization grant type mentioned in the IETF OAuth 2.0 framework, named "implicit":
      "The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of issuing the client an authorization code, the client is issued an access token directly (as the result of the resource owner authorization). The grant type is implicit as no intermediate credentials (such as an authorization code) are issued (and later used to obtain an access token). When issuing an access token during the implicit grant flow, the authorization server does not authenticate the client. In some cases, the client identity can be verified via the redirection URI used to deliver the access token to the client. The access token may be exposed to the resource owner or other applications with access to the resource owner's user-agent."
      The implicit way (sending the access token back to the client/resource owner directly) will expose the access token to the resource owner, which is simplified but not reasonable.

    • @EralpBayraktar 7 years ago +7

      This video is very basic if you are asking this type of question, but let me answer:
      The access_token is not passed directly because we don't want the user to get to see the access_token. Why? Because the user level is never trusted; he may deplete our API quota by making calls himself, or if a hacker is sitting in the user code or the application, he can grab the access_token, which is bad. Now he sees the "code", but this code is nothing without the client_id and secret, which are perfectly safe (at least under your control).
      You may say that if a hacker is sitting on the client side, he can also grab the Facebook password directly; this is not always true, depending on the hacker type. If there is an XSS vulnerability on your website he can grab the "code" but cannot intervene in the Facebook login.

    • @NatSakimura 6 years ago +1

      This video (and the series) probably answers your question.
      th-cam.com/video/xcT6OCbI77k/w-d-xo.html

    • @yemenservices7296 6 years ago +1

      But in the authorization code grant, what's the benefit of having an auth grant passed?
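The front-channel/back-channel split that @knweiss describes above, and the "why not send the token directly?" question in this thread, in working code. This is an added example, not code from the InterSystems video: the party names (MyBucks, Memorial Bank, Sarah) come from the video, while the client_id, client secret, redirect URI, scope string and the in-memory authorization server are assumptions made for illustration. The browser carries only a short-lived, single-use authorization code plus the `state` value the client stored in Sarah's session; the access token is issued only on the back channel, to a caller that presents the client secret, so a code captured from browser traffic is useless on its own.

```python
"""Authorization code flow: front channel vs back channel (added example).

Party names come from the video; the client_id, client secret, redirect URI,
scope string and this in-memory server are assumptions for illustration.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration: MyBucks registered its name, web site and callback
# URL with Memorial Bank's API beforehand and was issued an id and a secret.
CLIENTS = {
    "mybucks": {
        "client_secret": "assumed-secret-held-only-on-mybucks-server",
        "redirect_uri": "https://mybucks.example/callback",
    }
}


class AuthorizationServer:
    """Memorial Bank's authorization server, in memory."""

    def __init__(self):
        self.codes = {}   # authorization code -> grant details, single use
        self.tokens = {}  # access token -> {user, scope, client_id}

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Front channel: Sarah's browser is here. She has logged in to the
        bank as `user` and consented. Only a short-lived code goes back
        through the browser; the access token never does."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": scope, "exp": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, redirect_uri, client_id, client_secret):
        """Back channel: MyBucks' server calls this directly, not the browser.
        Client authentication comes first, so a code alone buys nothing."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(
                client["client_secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: each code is redeemable once
        if (grant is None or grant["exp"] < time.time()
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"],
                                     "client_id": client_id}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}


def _redeem(bank, code, secret):
    """Try to redeem a code; return the token response, or None if refused."""
    try:
        return bank.token(code, CLIENTS["mybucks"]["redirect_uri"], "mybucks", secret)
    except PermissionError:
        return None


def run_flow():
    """Walk the flow once and report what each party saw."""
    bank = AuthorizationServer()
    real_secret = CLIENTS["mybucks"]["client_secret"]
    # MyBucks puts `state` in Sarah's session before redirecting her, so a
    # callback carrying someone else's code (login CSRF) is rejected.
    state = secrets.token_urlsafe(16)

    # 1. Front channel: the bank redirects Sarah's browser back to MyBucks
    #    with the code and the echoed state in the query string.
    redirect = bank.authorize("mybucks", CLIENTS["mybucks"]["redirect_uri"],
                              "accounts:read", state, "sarah")
    params = parse_qs(urlparse(redirect).query)
    if params["state"][0] != state:
        raise PermissionError("state mismatch, possible CSRF")
    code = params["code"][0]

    stolen = _redeem(bank, code, "guessed-secret")  # 2. code without secret: refused
    issued = _redeem(bank, code, real_secret)       # 3. back channel: token issued
    replay = _redeem(bank, code, real_secret)       # 4. same code again: refused
    return {
        "browser_saw_access_token": "access_token" in redirect,
        "code_alone_accepted": stolen is not None,
        "replay_accepted": replay is not None,
        "token_user": bank.tokens[issued["access_token"]]["user"],
    }


if __name__ == "__main__":
    print(run_flow())
```

Running the block prints a dict whose flags show that the browser never saw the access token, that the code could not be redeemed without the client secret, and that the code could not be replayed. The implicit grant quoted from RFC 6749 above is exactly the shortcut this design avoids; current guidance (the OAuth 2.0 Security Best Current Practice, RFC 9700) says it should not be used, and browser or native clients that cannot keep a secret should use the authorization code flow with PKCE (RFC 7636) instead, which binds the code to the client instance without a shared secret.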

  • @leticiamme 3 years ago

    Awesome explanation! :D
    Thanks a bunch!!

  • @klmz55 3 years ago

    Finally got it, thanks man, thanks 🙏

  • @john-blair 3 years ago

    Thanks for the useful video. It would be useful to know the purpose of a public Client ID, when the private key should be enough to validate the callback?

  • @yenlaivu7739 6 years ago +1

    In the case where Sarah has accounts in different banks, not only at Memorial Bank, what is the process of authorization between MyBucks and all the banks?

    • @venkateshd7484 5 years ago

      To watch multiple movies, we need a ticket for each movie. Same goes here, i.e. Sarah needs to share the name, web site and callback URL with the other banks that have her accounts.

  • @chandrag2536 5 years ago

    Great video, thanks

  • @wendywang8535 4 years ago

    Nice explanation!

  • @danielcairns9390 6 years ago

    Brilliant explanation

  • @1testrad 3 years ago

    Thanks a lot.

  • @MrKhanhlu82 6 years ago +1

    You said Sarah can log in only one time to access many of her banks. But doesn't she need to fill out many consent forms? Or, to be able to achieve this, does a different grant other than authorization code need to be used?

    • @aparna0488 3 years ago

      Exactly my thoughts too. It said Sarah needs to log in JUST ONCE to access all of her account information across various banks. Is it really a valid statement? Having been a user of Acorns, I think the practical approach would be once per bank account? More of a one-time setup per bank till Sarah changes her creds with the bank. Did you ever happen to receive a reply on this one from the content creator?

  • @zzsql 5 years ago +2

    Well-done, thanks. Short and sweet.

  • @narasimharaop301 5 years ago

    Simple and best.

  • @GoutamSikder 6 years ago

    Thank you for this nice tutorial.

  • @himanitrainingandconsultan3388 4 years ago

    OAuth is very useful

  • @sachinramesh5360 5 years ago +2

    Is this regarding authentication or authorization?

    • @davidheisnam743 5 years ago

      It appears to me that this video is about both

  • @percelldeberry8397 2 years ago

    Great job! Thank you. Tried to learn this from my Microsoft cert book and as usual, I'm left utterly confused!

  • @DheerajKumarWebDetails 5 years ago +2

    A great explanation. I have a small doubt: how does the resource server validate the token? Does the resource server internally communicate with the authorization server? As I know, the authorization server refreshes the token after some time span; how does the resource server come to know the refresh token is valid? Please help

    • @akC012 5 years ago +1

      Please, someone, I need an answer to the same.

    • @devvx-fe-gu1d3d0g6 4 years ago

      Same

  • @ameyapatil1139 3 years ago

    What a fantastic tutorial! Best ever.

  • @Mikola1982Lt 3 months ago

    I am not sure how the resource server checks the access token. Will the resource server make a request to the auth server to check the access token, or does the resource server have the secret key (salt) to check the signature of the access token?

  • @exce11er 6 years ago

    Very good. Thank you

  • @no_more_free_nicks 2 years ago

    Does this, on the conceptual level, differ in any way from how Kerberos works?

  • @raymondeguagie3042 1 year ago

    Understood! Can this framework be implemented on a PHP/MySQL website?

  • @2k1ppp 4 years ago +1

    At 3:56, how does Memorial Bank verify that the access token it received is a valid token?

    • @consciousmi4842 4 years ago

      The application would have a client ID and client secret. Using the client ID and client secret, the response would be decoded and the access token would be retrieved. This access token would later be used to get the resource.

  • @ueiwqoak 1 year ago

    I would like to tentatively point out a typo/mistake. At 0:43 you say the API has an authentication server and a resource server. I believe you meant to say that the API has an authorization server and a resource server. The other diagrams show an authorization server.
    Hoping the author sees this and can confirm.

  • @omisladen 3 years ago

    Where is the login from Sarah at Memorial Bank which she has to go through? Without the login at Memorial Bank, they don't know which token belongs to which account.

  • @HelloWorld-tn1tl 6 years ago

    Really nice!

  • @gehari7814 1 year ago

    What is the maximum limit of the client ID in OAuth 2.0?

  • @christymathew9035 2 years ago

    Maybe you will tell me I'm bad at math, but this video can be marked 101/100.

  • @DMoots 2 years ago

    If the authorisation server and the resource server are separate, how does the resource server know that the token is legit, since there's no "session" shared between them?
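The question above, which @DheerajKumarWebDetails, @Mikola1982Lt and @2k1ppp also ask, has two standard answers that the page does not give. Either the token is opaque and the resource server sends it to the authorization server's token introspection endpoint (RFC 7662) and trusts the reply, or the token is self-contained (a signed JWT, RFC 7519) and the resource server checks the signature, issuer, audience, expiry and scope itself with a key it already holds; no shared session is needed in either case. Refresh tokens never reach the resource server at all: the client presents them only to the authorization server's token endpoint to obtain a fresh access token. The block below is an added example, not code from the video or from InterSystems; it builds both paths in memory with the standard library. The issuer and audience strings, the resource server's credential and the HS256 shared key are assumptions (production deployments normally sign with an asymmetric key so the resource server holds only a public key).

```python
"""How a resource server decides that a bearer token is valid (added example).

(1) opaque token checked via the authorization server's RFC 7662 introspection
endpoint; (2) self-contained JWT (RFC 7519) checked locally. Issuer, audience,
resource-server credential and signing key are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://memorialbank.example"   # assumed
AUDIENCE = "accounts-api"                 # assumed resource server id


class AuthorizationServer:
    """Memorial Bank's authorization server, in memory."""

    def __init__(self):
        self.active = {}  # opaque token -> claims
        self.rs_creds = {AUDIENCE: "assumed-rs-secret"}  # registered resource servers

    def issue_opaque(self, sub, scope, ttl=3600):
        tok = secrets.token_urlsafe(32)
        self.active[tok] = {"sub": sub, "scope": scope, "exp": int(time.time()) + ttl}
        return tok

    def introspect(self, rs_id, rs_secret, token):
        """RFC 7662 endpoint. Callers must authenticate; an open endpoint
        would be an oracle anyone could use to test stolen tokens."""
        if not hmac.compare_digest(self.rs_creds.get(rs_id, ""), rs_secret):
            raise PermissionError("unauthorized resource server")
        claims = self.active.get(token)
        if claims is None or claims["exp"] < time.time():
            return {"active": False}  # say nothing more about bad tokens
        return {"active": True, **claims}


def check_opaque(auth_server, token, required_scope):
    """Resource server, path 1: ask the authorization server (a network call)."""
    info = auth_server.introspect(AUDIENCE, "assumed-rs-secret", token)
    return info["active"] and required_scope in info.get("scope", "").split()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(key: bytes, claims: dict) -> str:
    """HS256 keeps this stdlib-only; real deployments usually use RS256/ES256
    so the resource server holds only the public key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def check_jwt(key: bytes, token: str, audience: str, required_scope: str) -> bool:
    """Resource server, path 2: verify locally, no call to the auth server."""
    try:
        h64, b64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm; never let the token pick it ("alg": "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False
        expected = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return False  # check the signature before trusting any claim
        claims = json.loads(_b64url_decode(b64))
    except ValueError:  # bad base64/JSON, or not exactly three segments
        return False
    return (isinstance(claims, dict) and claims.get("iss") == ISSUER
            and claims.get("aud") == audience
            and claims.get("exp", 0) > time.time()
            and required_scope in str(claims.get("scope", "")).split())


def demo():
    """Run both paths on good, unknown, tampered and mis-scoped tokens."""
    auth = AuthorizationServer()
    opaque = auth.issue_opaque("sarah", "accounts:read")
    key = secrets.token_bytes(32)
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "sarah",
              "scope": "accounts:read", "exp": int(time.time()) + 3600}
    good = issue_jwt(key, claims)
    # An attacker widens the scope in the payload but cannot re-sign it.
    h64, _, s64 = good.split(".")
    widened = json.dumps({**claims, "scope": "accounts:read accounts:write"})
    tampered = f"{h64}.{_b64url(widened.encode())}.{s64}"
    return {
        "opaque_ok": check_opaque(auth, opaque, "accounts:read"),
        "opaque_unknown": check_opaque(auth, "not-a-token", "accounts:read"),
        "jwt_ok": check_jwt(key, good, AUDIENCE, "accounts:read"),
        "jwt_tampered": check_jwt(key, tampered, AUDIENCE, "accounts:write"),
        "jwt_wrong_audience": check_jwt(key, good, "payments-api", "accounts:read"),
        "jwt_missing_scope": check_jwt(key, good, AUDIENCE, "accounts:write"),
    }
```

The trade-off between the two paths is the usual one: introspection lets the authorization server revoke a token instantly but costs a round trip per request (which is why resource servers cache results briefly), while local JWT validation is fast and offline but honours a revoked token until it expires, so access tokens of that kind are kept short-lived. Either way the check happens on the resource server, not in the client application, and no client secret is involved in it.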

  • @solomonaryeetey7370 6 years ago +1

    Great!!!

  • @SinanZen1981 3 months ago

    Great

  • @tushaar9027 1 year ago

    Could you please let me know how to ignore session_state while sending it to the token endpoint?