Want to clarify that OAuth is primarily an authorization framework, not an authentication protocol. It enables secure access to resources without sharing user credentials. While authentication often occurs within the OAuth flow, it's not the core function.
Your explanation is too good. Could you please make a Video how authorization and authentication is working in web application. How JWT is working, OAuth vs JWT.
How does exchange of authorization code enhance security, instead of directly exchanging the access token. What benefit does the authorization code provide..when we can directly get an access token through the implicit flow.
1. Reduced Exposure of Tokens Authorization Code Flow: The access token is not exposed in the user-agent (browser) or returned directly to the client application via the front channel (e.g., as a URL fragment). Instead, the authorization code is obtained through the user-agent but must be exchanged for an access token using a back-channel request from the server. This means the access token is transmitted directly from the authorization server to the application server, never passing through the client's browser. Implicit Flow: The access token is delivered directly to the user-agent, making it more susceptible to being exposed in URLs, browser history, logs, or potentially malicious scripts running in the browser. 2. Client Authentication Authorization Code Flow: This flow allows the client (application) to authenticate itself to the authorization server when exchanging the authorization code for an access token. This is typically done using the client secret, which only the client and the authorization server know. This step significantly reduces the risk of tokens being issued to malicious parties. Implicit Flow: There is no client authentication involved when obtaining the access token, which makes it less secure, particularly for applications that can maintain confidentiality (e.g., server-side applications). 3. Short-Lived Authorization Codes Authorization Code Flow: The authorization codes are short-lived and can only be used once. If an authorization code is intercepted, it becomes useless once it's exchanged for an access token. This minimizes the window for potential misuse. Implicit Flow: Since access tokens are directly issued, any interception gives immediate access to the attacker. 4. Possibility of Using Refresh Tokens Authorization Code Flow: This flow supports the issuance of refresh tokens (depending on the authorization server's policy), allowing applications to obtain new access tokens without requiring the user to authenticate again. This is particularly useful for applications needing long-term access to a resource server without compromising security. Implicit Flow: Typically, refresh tokens are not issued because of the security implications of having such tokens in a less secure environment (like a browser). 5. Secure Token Handling and Storage Authorization Code Flow: Since the tokens are obtained via a back-channel and can be stored securely on the server, it mitigates common threats such as Cross-Site Scripting (XSS) or other attacks that could compromise tokens stored or handled client-side. Implicit Flow: Tokens stored in the browser are more vulnerable to being stolen through XSS or other similar attacks. The Authorization Code flow, by requiring an intermediate step (the exchange of the authorization code for an access token), adds a significant layer of security that protects both the resource owner and the client application. It is particularly suited for applications that can maintain the confidentiality of their credentials and for scenarios where token theft or leakage could lead to significant security risks. The Implicit flow, while simpler and more direct, is generally recommended only for clients that are unable to securely store credentials and where the access token has limited permissions and a short lifespan.
I must say thats a fantastic question, from business perspective Google or Amazon knows that eventually users will end up using thier platforms if there is a dependency created like oAuth does. Secondly these giants needs user data insights for thier own business and letting other Apps use oAuth enable them to do so.
Want to clarify that OAuth is primarily an authorization framework, not an authentication protocol. It enables secure access to resources without sharing user credentials. While authentication often occurs within the OAuth flow, it's not the core function.
Am I correct if I say, the Authorization is done once at the set-up time, and access code is generated for every request?
Thank you sir for this video. Explained with the same example in an interview, interviewer was impressed. Got my first job. Thanks a lot 🙌
very good and clear, I just checked this video for a specific information, even I know the concept. And I got the clear idea. Keep it up..
Such a good explanation with a nice understandable example. You are making our life simple, thank you so much for your efforts.
Thankyou 🙏
simple explanation bro.. so easy to understand. thank you.
If I haven't watched this video I would never understand OAuth this well.
Your explanation is too good.
Could you please make a Video how authorization and authentication is working in web application.
How JWT is working, OAuth vs JWT.
How does exchange of authorization code enhance security, instead of directly exchanging the access token. What benefit does the authorization code provide..when we can directly get an access token through the implicit flow.
1. Reduced Exposure of Tokens
Authorization Code Flow: The access token is not exposed in the user-agent (browser) or returned directly to the client application via the front channel (e.g., as a URL fragment). Instead, the authorization code is obtained through the user-agent but must be exchanged for an access token using a back-channel request from the server. This means the access token is transmitted directly from the authorization server to the application server, never passing through the client's browser.
Implicit Flow: The access token is delivered directly to the user-agent, making it more susceptible to being exposed in URLs, browser history, logs, or potentially malicious scripts running in the browser.
2. Client Authentication
Authorization Code Flow: This flow allows the client (application) to authenticate itself to the authorization server when exchanging the authorization code for an access token. This is typically done using the client secret, which only the client and the authorization server know. This step significantly reduces the risk of tokens being issued to malicious parties.
Implicit Flow: There is no client authentication involved when obtaining the access token, which makes it less secure, particularly for applications that can maintain confidentiality (e.g., server-side applications).
3. Short-Lived Authorization Codes
Authorization Code Flow: The authorization codes are short-lived and can only be used once. If an authorization code is intercepted, it becomes useless once it's exchanged for an access token. This minimizes the window for potential misuse.
Implicit Flow: Since access tokens are directly issued, any interception gives immediate access to the attacker.
4. Possibility of Using Refresh Tokens
Authorization Code Flow: This flow supports the issuance of refresh tokens (depending on the authorization server's policy), allowing applications to obtain new access tokens without requiring the user to authenticate again. This is particularly useful for applications needing long-term access to a resource server without compromising security.
Implicit Flow: Typically, refresh tokens are not issued because of the security implications of having such tokens in a less secure environment (like a browser).
5. Secure Token Handling and Storage
Authorization Code Flow: Since the tokens are obtained via a back-channel and can be stored securely on the server, it mitigates common threats such as Cross-Site Scripting (XSS) or other attacks that could compromise tokens stored or handled client-side.
Implicit Flow: Tokens stored in the browser are more vulnerable to being stolen through XSS or other similar attacks.
The Authorization Code flow, by requiring an intermediate step (the exchange of the authorization code for an access token), adds a significant layer of security that protects both the resource owner and the client application. It is particularly suited for applications that can maintain the confidentiality of their credentials and for scenarios where token theft or leakage could lead to significant security risks. The Implicit flow, while simpler and more direct, is generally recommended only for clients that are unable to securely store credentials and where the access token has limited permissions and a short lifespan.
Sir, your explaination is amazing, Plz make a video on SSO protocols like Oauth, LDAP, OpenID,SAML and their differences PLZ
thanks u so much, i have never seen a clear explaination like this! great work!
Another great video, i've been using oauth and, i didnt even know it thanks again
You are mixing the terms authentication and authorisation in this video.
Very good and informative explanation sir. many thanks and appreciate your efforts to explain this topic in the most simple way.
Thanks Anish ❤️☺️
What is there in it for the providers by giving out this Oauth API access? How do Amazon make money by giving somebody access to another site?
I must say thats a fantastic question, from business perspective Google or Amazon knows that eventually users will end up using thier platforms if there is a dependency created like oAuth does. Secondly these giants needs user data insights for thier own business and letting other Apps use oAuth enable them to do so.
Please also make video on oauth grant types
Super sir....can u explain in this in code with full example
Really a great, relatable example to make this concept more familiar. I appreciate it very much.
Тот самый индус который объясняет лучше всего интернета
good explanation
what about the clientid and scope that we send before getting access code
Wah bhai kya mast Samjhaya apne❤
Excellent explanation.
But how is this flow related to the sign up process?? U just explained how a third party app accesses a user's resource..
Very clear 👌
Thank you from France 🇫🇷
You are a genius bro
very well explained,, thnaks
Do you have a video on jwt as well?
Good and clear. Thanks.
Very nicely explained the concept.👍 Thanks bro. Keep up the good work!!⏫
what a explanation brother 👍👍👍👍 great !!!!!!!
Thank you For ur well explanation
Explained very well👌
Explained with clarity
oAuth :) Great way to login with high security.
Thanks
Good Video..Thank you.
nice explanation
thank you for this masterpiece 🙏
lovely explanation
Thanks, it is useful
excelent 🙂
Thanks
Bhadiya Tha
Thanks!
thank you for the info
Me: Having problems with understaning many IT courses and can't find courses online
Some Indian in youtube : I got you bruder.
thank you
nice
👌👌👌
❤️❤️❤️
step 11 be like : hn hn apna hi bnda hai dede jo mang rha 😂
My brother!! Your examples are plain text. 😂
All the explanations Lack step 11