OAuth 2.0 explained with examples

  • Published on 21 Dec 2024

110 comments

  • @MdThamidulHasanSakib 17 days ago +2

    Bro just casually terminated my sufferings... thanks for the simple and comprehensible way to explain things

  • @ArvindKumarAvinash 2 months ago +6

    Great tutorial! It's worth mentioning that there are two types of bearer tokens: Identifier-based and Self-contained. You explained the self-contained bearer token in this tutorial. Self-contained bearer tokens are easy to scale with distributed applications as they do not require the resource server to validate the token with the authorization server. On the other hand, an Identifier-based token is a hard-to-guess string, which the resource server needs to validate by making a call to the authorisation server's introspection endpoint, which adds latency and makes it difficult to scale with distributed applications.

    • @ByteMonk 2 months ago +4

      Thanks for pointing that out! You're absolutely right, there are two types of bearer tokens. I focused on the self-contained token in this tutorial since it's easier to scale in distributed systems due to the lack of dependency on the authorization server for validation. Identifier-based tokens, while secure, do introduce additional latency because they require the resource server to call the authorization server for validation. It's a trade-off between ease of scalability and real-time validation. Appreciate you adding that clarification!

  • @narekpapukyan5455 9 months ago +10

    Been searching for an easy to understand visual of OAuth...and this is one of the best videos by far! Thank you!

    • @LobbanVlogs 9 months ago

      Same here...I needed the visuals for clarity.

  • @termsofblunder a year ago +30

    I'm sorry, but you are truly a genius. Your ability to explain all these various different topics and technologies is absolutely remarkable. It is very clear and comprehensible. You are extremely extremely talented, not only in your grasp of technology but in your ability to communicate and convey your knowledge in a manner that others can easily consume and comprehend. Bravo! Bravo! Once again, one of the most talented individuals I have ever seen on the internet.

    • @ByteMonk a year ago +2

      Thank you so much for this lovely comment and your support 🙏

    • @SleepeJobs a year ago +1

      +100

    • @extremeweirdness1528 a year ago +1

      @@ByteMonk You are really good, most of my doubts got cleared.

    • @rpvaghasiya 11 months ago +4

      why are you sorry for a compliment 😀

    • @rstheg 8 months ago +1

      @@rpvaghasiya is it not a criminal offence to compliment? 😅

  • @Z3kyTw0 2 months ago +2

    This channel deserves 100k subscribers. It's that good.

    • @ByteMonk 2 months ago

      Maybe one day!

  • @josiahroa177 a year ago +16

    Just found this channel and it's amazing. Keep it up man, you're providing tons of value to the software design industry.

  • @daddylubarsky3049 2 months ago +2

    Great content, thanks for posting this. You have a gift to explain the stuff without overcomplication, but also going deeper than just scratching the surface.

  • @mubafaw 8 months ago +2

    Nice and elegant explanation. Thanks 👍

  • @srawat1212 a year ago +4

    Underrated channel. You'll be having thousands of views in no time. Keep it up.

  • @mdk1983 10 months ago +4

    A minor audio improvement suggestion for your videos: applying an EQ that removes frequencies below 80 or 90 Hz (a high-pass filter) will remove the boominess in your voice and give more clarity and a more comfortable listening experience.

    • @ByteMonk 10 months ago

      Thanks for the tips!

    • @ByteMonk 10 months ago

      Would love to connect with you sometime to ensure my audio processing is correct

  • @dibeakoffibadjo9780 3 months ago +2

    Thanks a lot. Your explanation is very clear and easy to understand.

  • @sowmiyavenkatesan2525 a year ago +1

    OAuth 2.0 is very well explained in this video. Thank you!

  • @khushbooJahanRiaz 9 months ago +1

    Very precise, nice explanation, thank you so much

  • @notgreen11 4 months ago

    you’re one of the best at what you do, you give the perfect level of depth, wide variety of subjects, and often include answers to follow up questions

  • @GalPovsod2022 a year ago +3

    I just recently found your channel and I'm amazed! Keep up the great work! God bless!

  • @PC-pr8gi a year ago +4

    Great explanation with nice animation showing all the steps!! Thanks!

  • @satya5067 a year ago +3

    Brilliant explanation, such that even a layman like me can understand these concepts to some extent at least... thank you so much 🙏

  • @viswanadhkasi2168 7 months ago +3

    Your video editing skills are amazing, brother, and the colors are great

  • @adveshsworld4962 11 months ago +1

    Excellent explanation on OAuth concepts in plain language to reach broader audiences. Thank you!

  • @carlotadias9335 a month ago +1

    Hello,
    How would the resource server interpret the authorization token to know it is valid and OK? Does it talk with the Auth Server again?

    • @ByteMonk a month ago

      Great question! How the resource server checks the token depends on the type of token. If it’s a JWT, the resource server doesn’t need to talk to the authorization server again. The JWT has everything it needs, like user info and expiration time, and it’s signed, so the resource server can verify the signature and ensure it hasn’t been tampered with.
      However, if it’s an identifier-based token, then yes, the resource server typically has to reach out to the authorization server's introspection endpoint to confirm that the token is still valid. This adds a bit of latency but ensures the token is actively verified. So, for JWTs, no extra server call; for identifier-based tokens, the resource server usually needs to check with the auth server.

    • @carlotadias9335 a month ago

      Ok, thank you so much for the response.
      Nevertheless, it is still not 100% clear how the resource server validates the JWT. I could just pass it a valid JWT from another random application, together with the client ID and secret; maybe the resource server has to have some private key or some tool to check that the signature is actually one made by its auth server?

  • @lustyleopard123 3 months ago +3

    @0:22 - OAuth was never an authentication protocol (it's an authorization protocol)

    • @spacebuddy5339 2 months ago

      Yup. Now I don't know if I should keep watching.

  • @zingerengineer 5 months ago +1

    Great explanation! Thank you!

  • @ruksharalam173 9 months ago

    How did you create the OAuth 2.0 flows?

  • 5 months ago

    4:00 Does the Resource Server communicate with the Authorization Server when validating the Access Token?
    I assume it should have...

    • 5 months ago

      Hmm, maybe it does not. AI gave me this response:
      "The Resource Server can validate the JWT independently, without contacting the Authorization Server, by:
      a. Verifying the signature using the public key of the Authorization Server.
      b. Checking the expiration time (exp claim) of the token.
      c. Validating other claims in the token (e.g., issuer, audience, scope)."

    • @noyou174 4 months ago

      The resource server validates by either a public key or forwarding to the authorization server, but mostly by public key
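Pulling the two threads above together (the distinction between self-contained and identifier-based bearer tokens, and the repeated question of how the resource server checks a JWT without asking the authorization server), here is an added example that is not from the video or from any of the commenters. It simulates both styles in Python with the standard library only: the authorization server mints a JWT, and the resource server validates it locally (pinned algorithm, signature, issuer, audience, expiry, scope), which is exactly why a perfectly valid JWT minted by some other application is rejected; alongside it, an identifier-based token is checked by an introspection call shaped like RFC 7662. The key, issuer URL and audience are constructed values, and HMAC (HS256) stands in for the asymmetric signature a real authorization server would use, where the resource server holds only the published public key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for the example. A real authorization server (AS) signs with an
# asymmetric key (RS256/ES256) and publishes only the public half, so a resource server
# never holds anything that could mint tokens. HS256 is used here so the example runs on
# the standard library alone; the validation steps below are the same either way.
AS_KEY = b"constructed-authorization-server-key"
ISSUER = "https://as.example"        # assumed issuer identifier carried in the "iss" claim
AUDIENCE = "https://api.example"     # assumed identifier of this resource server ("aud")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes = AS_KEY) -> str:
    """AS side: mint a self-contained bearer token (a signed JWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(token: str, key: bytes, required_scope: str,
                 now: Optional[float] = None) -> dict:
    """Resource server side: validate entirely locally, no round trip to the AS.
    Returns the claims on success and raises ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: the verifier decides how to verify, never the token's own header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")   # tampered, or signed by a key that is not our AS's
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")  # genuine token, but issued for a different API
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims


def rejection_reason(token: str, required_scope: str, now: float) -> str:
    """Convenience wrapper: 'ok' or the reason the resource server rejects the token."""
    try:
        validate_jwt(token, AS_KEY, required_scope, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


class IntrospectingAS:
    """Identifier-based tokens: the AS keeps the state and answers introspection calls."""

    def __init__(self) -> None:
        self._tokens: dict = {}

    def issue_opaque(self, sub: str, scope: str, exp: float) -> str:
        token = secrets.token_urlsafe(32)   # hard to guess, carries no information itself
        self._tokens[token] = {"sub": sub, "scope": scope, "exp": exp}
        return token

    def introspect(self, token: str, now: float) -> dict:
        """Response shaped like RFC 7662: "active" plus the token's metadata."""
        meta = self._tokens.get(token)
        if meta is None or meta["exp"] <= now:
            return {"active": False}
        return {"active": True, **meta}


def validate_opaque(token: str, auth_server: IntrospectingAS,
                    required_scope: str, now: float) -> dict:
    """Resource server side: one network round trip to the AS per check (simulated here)."""
    info = auth_server.introspect(token, now)
    if not info["active"]:
        raise ValueError("token inactive or unknown")
    if required_scope not in info["scope"].split():
        raise ValueError("insufficient scope")
    return info
```

The order of the checks matters less than their completeness: signature first (so nothing in an unverified payload is trusted), then issuer and audience (a token from another AS, or one issued for a different API, is rejected even if it is genuine), then expiry and scope. The introspection path trades that local work for a call to the AS, which is the latency and scaling cost discussed above; in exchange the AS can revoke an identifier-based token immediately, whereas a self-contained token stays valid until its `exp`.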

  • @sarimhaque3253 9 months ago +1

    that was soo good!

  • @JagjitSingh-pf3ji a year ago +1

    Best channel So far in terms of explanation in short duration on basic topics… kudos🔥

  • @khatibjunior733 a month ago +1

    I am very grateful for the easily understandable
    knowledge about OAuth 2.0... Thanks Bro, God bless you

    • @ByteMonk 28 days ago

      Appreciate the support, thank you :)

  • @sandyj342 a year ago +1

    This is too good! Subscribed 😊

    • @ByteMonk 11 months ago

      Thank you so much 😁

  • @BuddharajAmbhore 25 days ago +1

    At time 5:07 you mentioned OAuth 2.0 is used to authenticate with Google. Please correct me on this: "OAuth is for authorization, not for authentication". OpenID Connect is used to authenticate the user, which is built on top of OAuth 2.0.

  • @ismailhamdach2672 5 months ago +1

    Thank you, it was clear and concise.

  • @KhalidWar 4 months ago

    This was a well done and well documented video. Thanks very much.

  • @ViswanathTumbalamGooty 7 months ago

    How will the resource server validate the token? Does the resource server still need to connect to the authorization server to get the token validated, and once validated, will it fetch the access/permission details from the token?

  • @Loki-vy5vg 8 months ago

    How does the resource server verify/validate the access/JWT token?

  • @antonyfernando674 a year ago +1

    This is an awesome video, very detailed. Thanks for sharing !!!

  • @sandovalvaz6093 3 months ago +1

    Hi, do you know why this error occur? "OAuth 2 parameters can only have a single value: scope"

    • @ByteMonk 3 months ago

      This error typically occurs when the OAuth 2.0 protocol is being used incorrectly, particularly in how parameters are handled in requests. In OAuth 2.0, certain parameters, like scope, are expected to have only a single value or a single list of values. This error usually happens if you have multiple values for a single-value parameter.
      So, ensure that your request is formatted correctly. For scope, you should provide a single string with space-separated values (e.g., scope="read write"). Avoid sending scope multiple times or in conflicting formats. Verify the OAuth 2.0 API documentation for the correct parameter usage. And if you have control over the server-side implementation, make sure the server correctly parses and handles OAuth 2.0 parameters. The server should be able to process a single scope parameter with a space-separated list of values.

    • @sandovalvaz6093 3 months ago +1

      @@ByteMonk Thanks for the answer, I finally solved it
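As an added example of the check behind that error message (not code from the video or from either commenter), here is a small Python parser for the query string of an OAuth 2.0 authorization request. RFC 6749 says request parameters must not be included more than once, so the parser rejects any repeated parameter with the same wording as the error quoted in the question, and the companion builder shows the correct form: a single scope parameter whose values are separated by spaces. The client identifier, redirect URI and scope names are constructed.

```python
from urllib.parse import parse_qs, urlencode

REQUIRED = ("response_type", "client_id")


def build_authorization_query(client_id: str, redirect_uri: str, scopes: list) -> str:
    """Client side: the correct form is ONE scope parameter, values separated by spaces.
    urlencode turns the space into '+', which the server decodes back to a space."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    })


def parse_authorization_request(query: str) -> dict:
    """Server side: parse an authorization request query string.
    Raises ValueError for a repeated parameter (RFC 6749 section 3.1) or a missing one."""
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        if len(values) > 1:
            # Same wording as the error in the question above.
            raise ValueError(f"OAuth 2 parameters can only have a single value: {name}")
    request = {name: values[0] for name, values in params.items()}
    for name in REQUIRED:
        if name not in request:
            raise ValueError(f"missing parameter: {name}")
    if request["response_type"] != "code":
        raise ValueError("unsupported_response_type")
    # Normalize scope into a list; an absent scope means the server's default scope.
    request["scope"] = request.get("scope", "").split()
    return request


def request_error(query: str) -> str:
    """'ok' or the reason the server rejects the request."""
    try:
        parse_authorization_request(query)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Building the query from a dict (one key per parameter) makes the duplicate impossible on the client side; building it from a list of pairs is how `scope` ends up repeated, which is the shape the server-side check above catches.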

  • @edgiefive1317 9 months ago +1

    excellent, thank you

  • @ashwithchandra2622 11 months ago

    What if I wanted to authorize something that does not use an application of the authorization server? I.e., you said in the example that Google authorization is used to access Google Calendar in an app, but what if my app doesn't use any of those?

  • @Joseph-oz7tx 6 months ago +1

    very good video bro, thanks for sharing with us

  • @arifmohiuddin9933 a year ago +1

    precise and well explained with nice animations 👍

  • @yaswanthyv3837 4 months ago

    What tool do you use to build the presentations?

  • @varsityoftruth 11 months ago

    Should there be an arrow or two between auth and resource servers?

  • @SHERSHAAH555 4 months ago

    I want to utilize OAuth with JWT, can you please give me any example repo to refer to?

  • @BLACKNETWORKENTERTAINMENT 5 months ago

    Please, can I use this to reset passwords in my web application?

  • @RicardoSilvaTripcall a year ago +1

    Great Explanation !!!

  • @premraj.m 11 months ago

    Excellent video on OAuth 2.0, but a small confusion at 5:15: "convert access token encodes to JWT"

  • @BhageerathJoshi-k9m a year ago

    hello
    currently I work with a Django application & I have one query about authentication
    is OAuth 2.0 more secure than sessions??
    because currently I am using a session authentication flow that returns a session key when we pass the user name and password

  • @44Whisper44 a year ago +1

    I love the animations explaining how it works. May I know what app you use for these?

    • @ByteMonk a year ago

      FCP, Adobe, Photoshop, Ppro. Takes about 10 hours for a 5-10 minutes video :)

    • @44Whisper44 a year ago +1

      @@ByteMonk I'd say it's worth it.

  • @cccc2740 10 months ago +1

    I am not clear how the resource server validates the token. The video doesn't mention any interaction between the resource server and the authorization server.

    • @abimanoharan2378 9 months ago

      this is my confusion as well

    • @cccc2740 9 months ago

      @@abimanoharan2378 I got it. The token provided by the authorization server has the information that the resource server needs to contact the authorization server. So when the resource server receives the token, it parses it and then uses that info to connect to the auth server and validate the authenticity of the token.

    • @TragicGFuel 4 months ago

      Don't have to

  • @sumeetsinha8575 a year ago

    The access token is not generated the way it has been represented. First an authorization code is generated and sent to the client app via the user agent. The authorization code is then sent by the client app directly to the AS to generate the access token, which is then used to access the resources.
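To make the sequence in this comment concrete, here is an added Python simulation, not the video's or the commenter's code, of the authorization code grant with both parties present: the authorization server hands the user agent a short-lived, single-use code by redirect, and the client app then exchanges that code directly with the authorization server, authenticating with its client secret, to obtain the access token. Client ID, secret, redirect URI, user and scope are constructed values; the redirect URI match and the single-use rule are the RFC 6749 safeguards that belong to the code step and are assumed here rather than taken from the video.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 60  # seconds; a code is meant to be exchanged immediately


class AuthorizationServer:
    def __init__(self, clients: dict) -> None:
        # clients: client_id -> {"secret": ..., "redirect_uri": ...}, registered out of band
        self.clients = clients
        self._codes: dict = {}

    def authorize(self, client_id: str, redirect_uri: str, scope: str,
                  user: str, now: float) -> str:
        """Front channel (through the user agent): after the user has logged in and consented,
        issue an authorization code and redirect back to the client's registered URI."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "scope": scope, "sub": user, "exp": now + CODE_LIFETIME}
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id: str, client_secret: str, code: str,
              redirect_uri: str, now: float) -> dict:
        """Back channel (client app to AS directly): authenticate the client, then trade
        the code for an access token. The code is consumed on the first attempt."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self._codes.pop(code, None)  # single use: gone even if the checks below fail
        if (grant is None or grant["exp"] <= now or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise ValueError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}


def code_from_redirect(location: str) -> str:
    """Client app side: read the code out of the redirect the user agent followed."""
    return parse_qs(urlparse(location).query)["code"][0]


def exchange_outcome(auth_server: AuthorizationServer, client_id: str, client_secret: str,
                     code: str, redirect_uri: str, now: float) -> str:
    """'ok' or the OAuth error the token endpoint would return for this exchange."""
    try:
        auth_server.token(client_id, client_secret, code, redirect_uri, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def run_code_flow(auth_server: AuthorizationServer, client_id: str,
                  client_secret: str, redirect_uri: str, now: float) -> dict:
    """The whole grant end to end, in the order the comment above describes."""
    location = auth_server.authorize(client_id, redirect_uri, "calendar.read", "user-1", now)
    code = code_from_redirect(location)            # arrives via the user agent
    return auth_server.token(client_id, client_secret, code, redirect_uri, now)
```

The point of the two-step design is visible in the code: the only thing that ever travels through the user agent is the code, which is useless without the client secret and dies on first use or after a minute, while the access token itself moves only over the direct client-to-server channel.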

  • @termsofblunder a year ago +1

    @ByteMonk, just a small piece of feedback: when listening to your videos with headphones, the music at the end is noticeably louder than your voice. The difference in volume makes it uncomfortable for the ears. It would be helpful if the music volume was lower, or at least not louder than your voice, for a more comfortable listening experience. Thank you!

    • @ByteMonk a year ago

      Thank you 🙏

  • @DheerajKumar-tf8dr 8 months ago +1

    nice explanation

  • @MTX1699 10 months ago +1

    Hey can you make one for macaroons as well. There aren't enough resources for it online

  • @almedinshala8794 8 months ago +1

    good explanation

  • @thecatleo 5 months ago +1

    @3:24 you made a mistake saying Google's APIs. The correct one is Resource Server.

    • @ByteMonk 5 months ago

      Thank you 🙏

  • @ziaullahhassan3162 6 months ago +1

    Great Thank you

  • @Jetter638 4 months ago

    Nice video. You mentioned that there were 4 OAuth flows, but unless I'm mistaken you only described 3 of the 4 in the video. Was that intentional?

    • @ByteMonk 3 months ago

      thank you, I will look into this

  • @priyanshusahu7869 9 months ago

    Thanks man for the explanation. I have one request: do you have any research papers related to OAuth 1.0 and OAuth 2.0? Any reference would work also, it would be very helpful. Thanks again.

    • @ByteMonk 9 months ago

      Thank you! It's primarily based on my previous experience with OAuth and SSO in general. Unfortunately I did not maintain the list of papers and articles I went through to make this video.

  • @chessmaster856 3 months ago

    How is the client ID secret created? I did not hear this word at all

  • @richyeva2149 a year ago +1

    Thanks! Good explanation. Could you do a video on CA certificates or self-signed certificates?

    • @ByteMonk a year ago +1

      Here :) th-cam.com/video/BQwKZ6zfyk0/w-d-xo.html You may also check out relevant videos in the playlist in the description.

  • @2550a 10 months ago

    But once the client app has that token, it can request any information Google stores about the user??? It can consult his emails? His calendar? His maps history??? So instead of signing up in that web app by filling a basic form with basic personal data, we use OAuth with Google (in this example) so the web app can retrieve A LOT MORE INFORMATION about the user??!

    • @elliotthuff5634 10 months ago

      Whenever you grant it access, it shows what information the app wants to access. It doesn't get everything.

  • @ganesha3559 a year ago +1

    Can you do 1 video on SAML?

    • @ByteMonk a year ago +1

      SAML video just released!

    • @ganesha3559 a year ago

      @@ByteMonk awesome.

  • @calebmunuru3598 a month ago +1

    Thank you sir. Unfortunately I am here 1 year too late

    • @ByteMonk a month ago

      Better late than never!

  • @abolfazlsoltani12 18 days ago

    👍🏾

  • @saravanasai2391 8 months ago

    JWT is not a protocol. OAuth 2.0 is a protocol. JWT is used like an access card which holds the required information for authorization.

  • @ravisankarp61 a month ago

    Good tutorial but I feel there should be some spaces while you speak, so that we can digest what you have explained. Your voice is continuously running and we are unable to grasp and comprehend.

  • @bryantwooters9527 6 months ago

    The ping is so freaking loud. My gosh.

  • @moathdw910 2 months ago

    When your title is "OAuth 2.0 explained" you should not be explaining Google OAuth 2.0! I expected a technique for implementing custom OAuth 2.0

    • @ByteMonk 2 months ago

      I understand what you were expecting. The video focused on Google OAuth 2.0 as an example to illustrate the overall OAuth 2.0 flow. That said, I can see how a deeper dive into custom OAuth 2.0 implementation would be more helpful for some viewers.
      The main difference between Google OAuth 2.0 and custom OAuth 2.0 comes down to the provider and how the flow is implemented:
      In the case of Google OAuth 2.0, Google is the authorization provider. It handles user authentication and issues access tokens. This is often used for allowing users to log into third-party applications (like a website or mobile app) using their Google account.
      In custom OAuth 2.0 you build and maintain your own authorization server or use a third-party provider tailored to your application's specific needs. So you have more control over the entire flow and can define your own scopes, tokens, and permissions.
      Hope this helps

  • @pavanimmadisetty5099 4 months ago +1

    All the topics are covered....but the animations are poor.

    • @ByteMonk 4 months ago

      Thanks for your feedback. Please let me know what should be improved and if you have any reference animated videos.

  • @ashutoshsingh5568 a month ago

    The access token will be sent in the request header, which we can see in the browser network tab.
    So, can any user pick this access token from the network tab and make a request using Postman?
    Then, how can we say that it's safe? Can anyone please explain!

    • @a_maxed_out_handle_of_30_chars 18 days ago +1

      If someone has access to your laptop then it's not safe, they can read the access token, but usually the token is stored in an HttpOnly cookie which cannot be directly read
      and we're using HTTPS so the requests are encrypted in transit