OAuth 2 Explained In Simple Terms

  • Published on 2 Jan 2025

Comments

  • @anilkumar-p6d3w 9 months ago +133

    I think this is the only video on TH-cam in which OAuth is explained in a very simple way. Thanks.

    • @balajik8561 9 months ago +5

      That's right! Excellent explanation

    • @philipackerley5775 2 months ago +1

      Totally agree, superbly explained!

  • @djplt1240 1 year ago +118

    Great explanation! Two minor clarifications: the authorization code is sent to the PrintMagic service via the user with an HTTP redirect rather than the auth server directly sending the authorization code to PrintMagic. Also, depending on the OAuth server implementation, you may not be able to revoke the access token immediately and instead have to revoke the refresh token.

    • @sampathsris 1 year ago +11

      This is very true, but if you try to draw arrows for all the redirects and HTTP requests, OAuth flow diagrams tend to become really convoluted.

    • @karthiksuryadevara2546 1 year ago +5

      What's the difference between OAuth 1.0 and OAuth 2.0?

    • @henryzhang7873 1 year ago +5

      There is also the server-side flow that doesn't require a browser redirect though, where the providers can coordinate directly.

  • @nick_merchant 1 year ago +53

    Very easy to understand, clearly spoken with good graphics and solved the mystery in my mind within 4 minutes and 30 seconds. Thank you so much.

  • @codingisamazing 12 hours ago +1

    I see a lot of people asking how he created these amazing animations. My guess is it's
    Adobe After Effects:
    1- The industry standard for creating motion graphics and animations;
    2- Allows for complex animations, transitions, and effects;
    3- Often used in combination with other Adobe tools like Illustrator or Photoshop for asset creation.

  • @sheykenasababy 1 year ago +11

    0:40 "To scrape information from crusty old banks" I did not expect a roast this hard

  • @gsenthilkumar8139 9 months ago +2

    00:04 OAuth 2 simplifies secure access to resources.
    00:37 OAuth 2 is like giving someone a special key for accessing specific information in another application.
    01:12 Using OAuth2 to grant permission to access Snap Store photos.
    01:39 OAuth 2 facilitates secure access to resources
    02:16 OAuth2 process flow explained
    02:50 Authorization code is exchanged for access token by the client.
    03:24 OAuth 2 protects login credentials and allows controlled access to authorized resources.
    03:58 OAuth 2 is essential for web security
    Crafted by Merlin AI.

  • @ayoolaoladipe8105 9 months ago +1

    The explanation is straight to the point and the graphics make it easier to understand.
    Thank you

  • @boredhuman9289 1 year ago +4

    Oh man, you explained this so well, I was struggling with this topic for years now, never actually understanding what is going on there! Thank you!

  • @pallavkan 8 months ago +6

    You solved in just 10 min the confusion I was struggling with after studying so many articles on Medium.

  • @alainpannetier2543 1 year ago +28

    1. At 2:10 the third lifeline title is wrong. It should be OAuth2 server (e.g. SnapStore OAuth2 server or a 3rd-party [Keycloak] server) instead of "Print Magic". Cut'n'paste leftover, probably.
    2. At 2:49 the request dialog that submits the approval is the one that receives the authorization code in return. So the authorization code is in the browser and acquired by PrintMagic via the redirect_uri initially specified by PrintMagic in the request for the dialog. This is why we need the authorization code indirection (otherwise either there is no client auth or the browser would know the client secret).

    • @msreedaran89 1 year ago +6

      2:21 rather than 2:10? I came to the comments to point out the same thing

    • @OpenDeepLearning 5 months ago

      @@msreedaran89 Same here

    • @dwarslopers 4 months ago

      Thanks! That is correct and helped me!

  • @sridharneelakanta 1 year ago +13

    Thanks for the concise explanation. Appreciate it. A small correction -- the sequence diagram at 03:52 shows "PrintMagic" within the blue rectangle. It should have been "Snap Store Auth". Thanks again.

    • @devrj1679 7 months ago +4

      Yes, you're correct, but it's the green rectangle. Thanks for pointing that out.

  • @charlymarchiaro 1 year ago +2

    At last!!! This is by far the best explanation I've seen. Thanks a lot.

  • @PhillipKerman 6 months ago +4

    Of course there's tons more to know, but this is probably the best description under five minutes. In about one hour Nate Barbettini covers this, along with OIDC and PKCE. After that learn about JWT and related formats and you'll have all the fundamentals.

  • @jlp2011 1 year ago +3

    Great vid. Minor remark: the 1st collab/msg diagram (the full one) puts PrintMagic on the 2nd and 3rd lanes from the left. The 2nd diagram has the 3rd lane being Snap's auth, which makes more sense.

    • @am_0x2a 1 year ago

      I noticed this too. Great video overall though!

  • @ElvisANgoh 1 year ago +12

    This was incredibly refreshing and so easy to understand. This is the first video I have watched from you, I can't wait to see more, and other topics

  • @locotx215 1 year ago +2

    You did it, you finally explained the WHY part . . . "so you don't have to share credentials with other sites".

  • @sungjuyea4627 1 year ago +15

    I always get irritated by this complex and "seemingly" pointless process. Now it is very clear why we need it. Thanks to your explanation :)

  • @tayyabmunir6228 7 months ago +1

    Wow, I was struggling with the basic concepts of OAuth2 for a long time. This video explains it really well.

  • @BilliejeanMccubbin-i6l 2 months ago

    Thanks for explaining everything in such simple terms!

  • @jubiaj2672 1 year ago +1

    best explanation so far. thank you

  • @sollenism 3 months ago

    Great explanation! and your animation is top notch. Thanks

  • @anilsonone6067 5 months ago

    Up to the point explanation. Very Straight forward way with good graphics. Thanks....

  • @sumanthvarma9999 1 year ago +15

    Can you cover Kerberos authentication please

  • @saravanansomu8296 11 months ago

    Very nice explanation with the perfect animation. It's slick because it doesn't need a lot of implementation details here.

  • @hakkoktay7597 7 months ago

    Explained in a very simple way but also excellent!

  • @madhavareddy580 7 months ago

    Beautiful visuals and amazing explanation.
    Thanks!

  • @thomashsu5252 7 months ago +1

    Super explanation. Thanks a lot for sharing

  • @codingisamazing 11 hours ago

    OAuth 2.0 is an authorization framework that allows third-party applications to access user data from a service (e.g., Google, Facebook) without exposing the user's credentials. It works by issuing access tokens to the application after the user grants permission. The process typically involves four roles: the resource owner (user), the client (application), the resource server (API hosting the data), and the authorization server (issues tokens). OAuth 2.0 supports multiple grant types, such as authorization code for web apps, implicit for mobile apps, and client credentials for server-to-server communication. By delegating authorization, OAuth 2.0 enhances security and simplifies integration with third-party services.

  • @sagarkalburgi 1 month ago

    Thanks this was so easy to understand

  • @itsZavier_1 5 months ago +1

    it's always the short videos that explain these kind of things with ease and understanding

  • @basseygodwin7384 1 year ago

    Clearest video I've seen on this

  • @andrewtcoder 4 months ago

    Perfect explanation! Thank you so much!

  • @valentinkrajzelman4649 3 months ago

    great conceptual vid, thanks

  • @wirelessnerd7131 11 months ago

    Thank you for the explanation. Simple and straight forward and btw great graphics.

  • @profindia 3 months ago

    explanation is great. At 3:59, the "SnapStore Auth" box is missing

  • @JinTsen 1 year ago +2

    There is a small mistake. When you first animate the flow at 2:19 , you have 2x PrintMagic, missing the (later fixed) SnapStore Auth

  • @axis0401 1 year ago

    Animation in this video is awesome

  • @nishithvyas 4 months ago

    Superb Explanation... Now, no need to go with "What is OAuth Question" anywhere....!!!

  • @mduzair1120 4 months ago

    Perfectly explained!

  • @ayaabdelmagied6696 1 year ago

    You hit the nail on the head.... simple and to the point

  • @SoupTubeTV 1 year ago

    This channel is invaluable. Thank you for your knowledge!

  • @ilhamiyanmaz4743 4 months ago

    Thanks for this tutorial !

  • @vintagewander 1 year ago +3

    I was about to implement google login from scratch and had a lot of problems implementing it without relying on external libraries. This video helped me a lot sir, thank you for your content ❤

  • @padalaraveendra 1 year ago

    Breakdown of complex concepts into digestible explanations --> Quite appropriate wording😍

  • @The_Ape_And_Mortadello 8 months ago

    Great explanation, BUT on 3:51 the "Snap Store Auth" changes into "PrintMagic" on your sequence diagram. This makes it look like the refresh token is given to the same "PrintMagic" to get updated Access Token

  • @canhlinh 10 months ago

    Nice presentation. Thank you.

  • @MuhammadFauzan-s1r 10 days ago

    nicely explained!!

  • @oatlylatte9 2 months ago

    3:57 diagram shows the wrong components. but great explanations mate. always love your video

  • @ml-rj5pt 1 year ago +1

    Thanks for the great video. One question though...at 3:20 when PrintMagic fetches photos with the access token, does the SnapStore Resource still need to validate the access token? If so, does it need to call SnapStore Auth api to validate?

  • @hasan_shans 9 months ago

    Great explanation! Thanks!

  • @mahamadoutogola4001 1 year ago

    Great explanation 😊

  • @bhaveshmuleva2352 1 year ago

    Will implement in my upcoming project

  • @slx0009 7 days ago

    Could you explain why we need the Get Access Token step at 3:20? Why can't the server just return the Access Token after Request Approved?

  • @musaddiqueansari7695 1 year ago

    wow! great explanation

  • @muhammadumarsotvoldiev8768 1 year ago

    Thank you very much! Very helpful!

  • @tadtab2 7 months ago

    @2:20 the 3rd column needs to be renamed 'SnapStore' instead of 'PrintMagic'?

  • @babhijit 6 months ago

    At 02:29 whose client id is being referred to - PrintMagic or SnapStore ?

  • @cuybueno 1 year ago

    Another kickass video!

  • @tahiraziz193 1 year ago

    Your explanation is Aws0me👍

  • @Akshay56633 1 year ago

    Thanks for the video! Finally I know what this OAuth 2 is.

  • @davideanguianomelendez628 8 months ago

    It seems to me that diagrams on 2:20 and on 3:58 have a mistake: the green "PrintMagic" actor should be labeled as "SnapStore Auth", as it actually is on 3:17. Am I right?

  • @mawhadmd 6 months ago

    Very well explained.

  • @oskarspozdnakovs6441 1 year ago

    Great video. It's Zero Auth by the way

  • @TahaBolat-sn6ib 2 months ago

    This is just awesome.

  • @ronitdhingra4395 1 year ago +7

    What tool do you use for the animations? they are great!!

    • @laserz23 1 year ago

      curious to know this too

  • @highvibr 11 months ago

    Not sure I heard it right at 2:55. So, #authorizationcode IS #clientId and #clientsecret?? Or #authorizationcode WITH #clientId and #clientsecret (and are presented to authorization server?)

  • @edydon 1 year ago

    Very clear presentation. Keep up the great work!

  • @zehrairkicatal2156 11 months ago

    excellent explanation

  • @deemon710 10 months ago

    @3:22 That feels a tad redundant. Anyone know why SnapStore Auth doesn't immediately give the access token (in green) after the request is approved (in blue)? Why is the "Get Access Token" (in yellow) step needed?

  • @meghnamanjunatha4707 1 year ago

    Thank you so much for the clear and simple explanation!

  • @systemBuilder 8 months ago

    It would be super awesome to give an example of a barebones OAuth2 that everybody uses (like a drawing webapp asking for access to your Google Drive with a few other assets); then we could literally watch the OAuth2 in the Chrome debug window under the Network tab.

  • @vicenterendo 11 months ago

    Thank you so much, lifesaver!

  • @etshbadr 1 year ago

    Love your explanation!

  • @willpringle 1 year ago

    Awesome video!

  • @uttambasak100 1 year ago

    3:53 both headings are written as PrintMagic, is that correct?

  • @XJacksonvilleX 7 months ago

    the graphics are amazing.. how do you create them??

  • @jaiyden9888 1 year ago

    Thanks for this! Great video :)

  • @suha2072 6 months ago

    Thank you for the great lecture! It was very helpful. I was successful in getting the device access code, but is there a way to expire the access code or log out? We want to develop a service that allows multiple people to use one device. We need to process when the user logs out the device token.

  • @mightylb4543 1 year ago +6

    Why do we need 2 different codes? Authorization codes and access tokens; why was it designed this way?

    • @avidtechie9734 1 year ago +4

      OAuth: Authorization Code Importance
      In OAuth, an authorization code is a temporary credential that serves as proof of the user's consent to access their protected resources. It plays a crucial role in the OAuth flow and is used to obtain an access token, which is then used to make authenticated API requests on behalf of the user.
      Here's an overview of why an authorization code is needed in OAuth:
      User Consent: OAuth is designed to protect user data and privacy. Before an application can access a user's protected resources (such as their profile or data), the user must explicitly grant consent. The authorization code serves as evidence that the user has granted permission for the application to access their resources.
      Security: The authorization code flow adds an extra layer of security to the OAuth process. Instead of directly exchanging user credentials (e.g., username and password) for an access token, the authorization code flow separates the authorization and token exchange steps. This way, the access token is not exposed to the client application, reducing the risk of unauthorized access or token leakage.
      Limited Lifetime: Authorization codes have a limited lifetime, typically short-lived, making them less susceptible to misuse. Once an authorization code is issued, it has a short validity period, usually a few minutes. This helps mitigate security risks and reduces the window of opportunity for attackers to intercept and abuse the code.
      Authorization Code Exchange: After obtaining the authorization code, the client application sends it to the authorization server, along with its client credentials, to exchange it for an access token. This token can then be used to make authenticated API requests on behalf of the user.
      By using an authorization code, OAuth ensures that the user's consent is obtained, enhances security by separating authorization and token exchange steps, and provides a limited and controlled means of obtaining access tokens.
      In the authorisation code flow this happens. There are various authentication / authorisation flows available.
      In the above video the authorisation code flow is explained.
      In it the authorisation code is returned after successful authentication. Then authorisation code + client id + secret key is sent to the server, which validates that the user is the same, the authorization key is the same and it is not tampered with. And then the server returns 3 tokens. (1. Access token, which contains scopes/permissions, used for sending requests to get resources. 2. ID token, which contains user information/claims. 3. Refresh token - this is optional.)

    • @tsunghan_yu 1 year ago

      Mainly two security benefits:
      1. we can avoid sending the access token, which is sensitive information, in the front channel and send it in the back channel instead.
      2. we can authenticate the client as well by requiring the client to send client_id and client_secret (along with authorization code) to request the access token.
      Here's a video that directly answers your question:
      th-cam.com/video/996OiexHze0/w-d-xo.html
      And here's a good illustration of the whole flow:
      th-cam.com/video/PfvSD6MmEmQ/w-d-xo.html

    • @henryzhang7873 1 year ago

      This prevents the client from knowing the token. The services may not trust the client or want to charge money for operations without the risk of spoofing.
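
The thread above (why a code and a token are two separate things, why the extra "Get Access Token" step that slx0009 and deemon710 ask about exists, djplt1240's point that the code reaches PrintMagic through the browser's redirect, alainpannetier2543's point that only this indirection keeps the client secret out of the browser, and djplt1240's remark about revoking the refresh token) all describe one exchange. The following is an added example written for this page, not the video's or ByteByteGo's code: a minimal in-process simulation of SnapStore Auth and PrintMagic. The names, redirect URL, client secret and token values are constructed for the demo, and the tokens are opaque random strings rather than JWTs.

```python
"""Authorization-code flow with both parties in one process. Added example, not the
video's code: SnapStore Auth / PrintMagic names, URLs, the client secret and every
token value are constructed for the demo; tokens are opaque random strings."""
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class AuthServer:
    """SnapStore Auth: codes go out on the front channel, tokens on the back channel."""
    clients: dict                                 # client_id -> (client_secret, redirect_uri)
    codes: dict = field(default_factory=dict)     # code -> (client_id, scope, issued_at)
    refresh: dict = field(default_factory=dict)   # refresh_token -> (client_id, scope)
    code_ttl: int = 60                            # a code lives about a minute

    def authorize(self, client_id, redirect_uri, scope, state):
        """User clicked Approve. Returns the redirect the *browser* follows back to the
        client; the code rides in that URL, so the client secret never has to."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:        # exact match: no code for attacker URIs
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, scope, time.time())
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def _client_ok(self, client_id, client_secret):
        known = self.clients.get(client_id)
        return known is not None and secrets.compare_digest(client_secret, known[0])

    def token(self, grant_type, client_id, client_secret, code=None, refresh_token=None):
        """Back-channel token endpoint: authenticate the client first, then redeem."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}     # a sniffed code is useless without the secret
        if grant_type == "authorization_code":
            entry = self.codes.pop(code, None)     # single use: a replayed code fails
            if entry and time.time() - entry[2] > self.code_ttl:
                entry = None                       # expired code
        elif grant_type == "refresh_token":
            entry = self.refresh.pop(refresh_token, None)   # rotation: old refresh token dies
        else:
            return {"error": "unsupported_grant_type"}
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        new_refresh = secrets.token_urlsafe(32)
        self.refresh[new_refresh] = (client_id, entry[1])
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": new_refresh, "scope": entry[1]}

    def revoke(self, client_id, client_secret, refresh_token):
        """Revocation endpoint (RFC 7009 shape). Only the refresh token is recalled;
        access tokens already handed out run until their expires_in."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        self.refresh.pop(refresh_token, None)      # idempotent for unknown tokens
        return {}


@dataclass
class Client:
    """PrintMagic: keeps client_secret on its own server; the browser only ever sees
    the authorization request and the redirect carrying code + state."""
    client_id: str
    client_secret: str
    redirect_uri: str
    pending_state: str = ""

    def start(self, auth, scope):
        self.pending_state = secrets.token_urlsafe(16)
        return auth.authorize(self.client_id, self.redirect_uri, scope, self.pending_state)

    def callback(self, auth, redirect_url):
        """Browser lands on redirect_uri: check state, then swap the code on the back channel."""
        params = parse_qs(urlparse(redirect_url).query)
        if params.get("state", [""])[0] != self.pending_state:
            raise ValueError("state mismatch: callback was not started by this session")
        return auth.token("authorization_code", self.client_id, self.client_secret,
                          code=params["code"][0])


def demo():
    """Run the flow once and return what each step produced."""
    secret = "pm-secret-constructed"
    auth = AuthServer(clients={"printmagic": (secret, "https://printmagic.example/cb")})
    pm = Client("printmagic", secret, "https://printmagic.example/cb")
    redirect = pm.start(auth, "photos:read")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    # Attacker who saw the code in the front channel but holds no client secret:
    stolen = auth.token("authorization_code", "printmagic", "not-the-secret", code=code)
    tokens = pm.callback(auth, redirect)            # legitimate back-channel exchange
    replay = auth.token("authorization_code", "printmagic", secret, code=code)
    rotated = auth.token("refresh_token", "printmagic", secret, refresh_token=tokens["refresh_token"])
    reuse_old = auth.token("refresh_token", "printmagic", secret, refresh_token=tokens["refresh_token"])
    auth.revoke("printmagic", secret, rotated["refresh_token"])
    after_revoke = auth.token("refresh_token", "printmagic", secret, refresh_token=rotated["refresh_token"])
    return {
        "stolen_code_without_secret": stolen.get("error"),   # invalid_client
        "access_token_issued": "access_token" in tokens,     # True
        "code_replay": replay.get("error"),                  # invalid_grant
        "refresh_rotated": "access_token" in rotated,        # True
        "old_refresh_reuse": reuse_old.get("error"),         # invalid_grant
        "refresh_after_revoke": after_revoke.get("error"),   # invalid_grant
    }
```

Run `demo()` to see the six outcomes. The front channel (the redirect string) carries only the code and state; the secret appears solely in the back-channel `token()` call, which is why a code seen in a browser history or proxy log buys an attacker nothing, and why the code is burned on first use. For public clients (mobile, SPA) that cannot keep a secret, PKCE, mentioned by PhillipKerman above, replaces the secret check with a code_verifier bound to the original request.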

  • @trickytricktwo 11 months ago

    very nice explanation

  • @bhagyeshpatel18 4 months ago

    There is problem in the image at 3:54 second. Third Entity should be SnapStore Auth Server. NOT PrintMagic.

  • @himanshujain5670 1 year ago

    simple and crisp explanation

  • @nemonemo6285 6 months ago

    Perfect, thank you.

  • @bhagyeshpatel18 4 months ago

    I love your content and it's really easy to understand. I have a request: your diagram/animation has motion/zoom out-in, which makes me keep moving my eyes and it is difficult to focus. Just advice, if you can stop using the motion/zoom out-in, just show still animation. Thanks

  • @somnathgolui2912 1 year ago +1

    Thanks for the video.

  • @user-sb6mb4rp7h 1 month ago

    Can I know what is the software you have used to create the presentation and animations?

  • @abdoyones1983 10 months ago

    is there a mistake in the diagram @ 2:19 ?

  • @l3zhang392 1 month ago

    Explanation of PermissionGranted as a scenario: after Request Approved in the SnapStore Auth dialog, SnapStore Auth redirects the user back to PrintMagic with an authorization code.

  • @BehniaFB 1 year ago

    I liked the animations

  • @NallapuSrinivas-k1p 1 year ago

    When OAuth is enabled, the client software first requests authorisation from the auth server, the auth server asks the user for approval, and when approved, the auth server gives an access token to the client software and the client can make requests and get responses.

  • @HikeWkam 3 months ago

    That was awesome

  • @carlotadias9335 2 months ago

    Hello, thank you for the video.
    About this subject I would also like to know a bit more about OAuth 2.0 servers.
    Are they third-party servers: which ones exist, or which ones do you recommend, are they secure? If private, how would that be implemented?
    Thank you

  • @Marksmwangi 6 months ago

    easy to understand

  • @yogavedfood 3 months ago

    @ByteByteGo what is the use of the state variable in OAuth2, and how do you handle its storage on a stateless multi-machine UI server, since the callback can go to any of the servers if it is stored server-side?
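
The question above is a common deployment problem: `state` exists so the client can tell that the callback it receives belongs to a login it started from this browser (otherwise an attacker can finish *their* login in the victim's session), and if the state is remembered in one server's memory, the callback landing on a different instance cannot check it. The following is an added example written for this page, not from the video or ByteByteGo: the state nonce is bound to the browser in an HMAC-signed, expiring cookie, so any instance holding the shared key can verify it without a shared store. The key, TTL and the fixed clock values are constructed for the demo.

```python
"""Stateless handling of the OAuth2 state parameter. Added example, not from the video:
rather than remembering state on one UI server, bind it to the browser with an HMAC-signed,
expiring cookie that every instance can verify with the same key. Key, TTL and the clock
values below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: every UI instance shares this key (in practice from a secret store, rotated).
STATE_KEY = b"shared-key-for-all-ui-instances-constructed"
STATE_TTL = 300  # seconds a login attempt may take before the callback arrives


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def begin_login(now=None):
    """Instance A starts the flow. Returns (state for the authorize URL, cookie to set).
    The cookie carries the same nonce plus an expiry, signed, so no instance stores anything."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"n": nonce, "exp": now + STATE_TTL}, separators=(",", ":")).encode()
    mac = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return nonce, _b64(payload) + "." + _b64(mac)


def verify_callback(state_param, cookie, now=None):
    """Any instance handles the redirect: the state in the URL must equal the nonce in a
    validly signed, unexpired cookie sent by the same browser. Returns (ok, reason)."""
    now = int(time.time() if now is None else now)
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_b64)):
            return False, "bad_signature"          # forged or tampered cookie
        data = json.loads(payload)
        nonce, exp = data["n"], int(data["exp"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if now > exp:
        return False, "expired"
    if not hmac.compare_digest(nonce.encode(), (state_param or "").encode()):
        return False, "state_mismatch"             # CSRF / login-injection attempt
    return True, "ok"


def demo():
    """Happy path plus the failure modes a deployment must reject."""
    t0 = 1_700_000_000
    state, cookie = begin_login(now=t0)
    attacker_state, _ = begin_login(now=t0)        # attacker's own login attempt
    payload_b64, mac_b64 = cookie.split(".", 1)
    longer = json.loads(_unb64(payload_b64))
    longer["exp"] = t0 + 10**6                     # attacker edits the payload, keeps the old MAC
    forged = _b64(json.dumps(longer).encode()) + "." + mac_b64
    return {
        "same_browser_any_instance": verify_callback(state, cookie, now=t0 + 10),
        "attacker_state_victim_cookie": verify_callback(attacker_state, cookie, now=t0 + 10),
        "no_cookie": verify_callback(state, "", now=t0 + 10),
        "forged_expiry": verify_callback(state, forged, now=t0 + 10),
        "too_slow": verify_callback(state, cookie, now=t0 + STATE_TTL + 1),
    }
```

Set the cookie HttpOnly, Secure, SameSite=Lax with Max-Age equal to STATE_TTL, and clear it once the callback has been consumed so a state cannot be replayed within its window. The alternative is a shared store (for example a cache keyed by the state value) that every instance reads on the callback; the signed cookie avoids that dependency. A PKCE code_verifier can be carried in the same signed cookie, since it has exactly the same "started here, finished anywhere" lifecycle.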

  • @7tsh 1 year ago

    The video looks great. Would you mind telling me which tool you use to create the video?

  • @RamChandran-s1e 1 year ago

    Great explanation👏. One question: what happens if the refresh token expires? Will the user have to go through the OAuth process again? I'm just curious.

  • @fong555 1 year ago +1

    Another great video! Thank you for your time and effort! Could you please share or make a video about what tool and how you made those animated diagrams? Appreciated so much!

  • @twinkleverma2945 1 year ago

    Hi @ByteByteGo ... @3.51 the 3rd tower's name is incorrect. It should be "SnapStore Auth" instead of "PrintMagic". It becomes confusing at this point.

  • @testtest-c4z 1 year ago

    Very good video. I have a question: if I am developing an app, my server would do the authentication service based on what I implement, and the authorization server, right? In the latter I should implement access by roles; within the same token, as information, I would get the scope to compare whether or not you have access to the resource?
    Thank you very much
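
Two questions on this page meet here: ml-rj5pt asks whether SnapStore Resource still has to validate the access token PrintMagic presents, and whether that means calling SnapStore Auth; the comment above asks whether the scope inside the token is what the resource compares against. The following is an added example written for this page, not the video's or ByteByteGo's code. It shows both answers a resource server can give: local validation of a self-contained (JWT) token, followed by a scope check, and introspection of an opaque token by asking the authorization server. The issuer and audience URLs, the signing key, the scopes and the token values are constructed for the demo, and the HS256 shared key is a simplification named in the code.

```python
"""How the resource server checks PrintMagic's access token without taking the client's
word for it. Added example, not the video's code: issuer/audience URLs, the signing key,
scopes and token values are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://auth.snapstore.example"
AUDIENCE = "https://photos.snapstore.example"
# Demo assumption: HS256 with a key shared by auth and resource server. Production
# deployments sign with RS256/ES256 and publish the public key via JWKS, so the resource
# server verifies offline and holds no secret that could mint tokens.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims):
    """Authorization server: a self-contained token carrying scope and lifetime."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def validate_jwt_locally(token, now=None):
    """Option 1, no call to SnapStore Auth: verify signature, issuer, audience and expiry
    on the resource server. Returns (claims or None, reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_unb64(header_b64)).get("alg") != "HS256":
            return None, "alg_not_allowed"        # the token never picks the algorithm
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(SIGNING_KEY, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None, "bad_signature"          # edited claims, e.g. an added scope
        claims = json.loads(_unb64(body_b64))
    except (ValueError, TypeError, AttributeError):
        return None, "malformed"
    if claims.get("iss") != ISSUER:
        return None, "wrong_issuer"
    if claims.get("aud") != AUDIENCE:
        return None, "wrong_audience"             # minted for another SnapStore API
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"


class IntrospectionEndpoint:
    """Option 2 (RFC 7662 shape): for opaque tokens the resource server asks SnapStore Auth
    on each request. Costs a round trip, but revocation is visible immediately."""
    def __init__(self):
        self.active = {}                           # token -> claims

    def issue(self, claims):
        tok = secrets.token_urlsafe(32)
        self.active[tok] = claims
        return tok

    def revoke(self, tok):
        self.active.pop(tok, None)

    def introspect(self, tok):
        claims = self.active.get(tok)
        return {"active": True, **claims} if claims else {"active": False}


def has_scope(claims, required):
    """Scope check after validation: the consented scopes are a space-separated string."""
    return required in set((claims.get("scope") or "").split())


def demo():
    now = 1_700_000_000
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "client_id": "printmagic",
            "scope": "photos:read", "exp": now + 3600}
    token = mint_jwt(good)
    claims, reason = validate_jwt_locally(token, now=now)
    h, _, s = token.split(".")                    # attacker keeps header+signature, edits body
    escalated = f"{h}.{_b64(json.dumps(dict(good, scope='photos:read photos:delete')).encode())}.{s}"
    ep = IntrospectionEndpoint()
    opaque = ep.issue(good)
    before = ep.introspect(opaque)["active"]
    ep.revoke(opaque)
    return {
        "local_check": reason,                                               # "ok"
        "read_allowed": has_scope(claims, "photos:read"),                    # True
        "delete_allowed": has_scope(claims, "photos:delete"),                # False
        "scope_escalation": validate_jwt_locally(escalated, now=now)[1],    # "bad_signature"
        "other_api_token": validate_jwt_locally(
            mint_jwt(dict(good, aud="https://billing.snapstore.example")), now=now)[1],
        "stale_token": validate_jwt_locally(mint_jwt(dict(good, exp=now - 1)), now=now)[1],
        "introspect_before_revoke": before,                                  # True
        "introspect_after_revoke": ep.introspect(opaque)["active"],          # False
    }
```

The two options trade off differently: local validation needs no call to SnapStore Auth per request but only learns about revocation when the short-lived access token expires (which is why djplt1240's remark above about revoking the refresh token matters), while introspection sees revocation at once at the cost of a round trip. In both cases the scope decision is made by the resource server from the validated claims, never from anything the client asserts about itself.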

  • @ngamlenmangtouthang4507 1 year ago

    please make a video on access token and refresh token :)