OAuth 2.0 & 2.1 Explained

11:35 perfectly sums up a big part of my confusion on OAuth. awesome video

Best coding channel by far.

Clearly explained. Well done and of course thank you for your effort

You're awesome. You rap and teach so nicely.

love the bit of humour dispersed throughout this complex spec
😀

🔥 18:47

Very cool videos! Thanks for the detailed explanation of all this mess, in my head.

With the advent of "cookiepocalypse" breaking frontend communication with AzureAD I would love to see you do a video with a SPA and API (e.g. React ASP) using Backend for Frontend pattern to mange AuthN/Z using AzureAD. I just discovered your work recently and it is such a big help. I have a lot of videos to watch :) Thanks

This video was really cool. Easy to follow and understood very well oauth2. Can you do the same (if not already done) with saml, openId connect and pretty much any other popular auth protocol? I'd love to watch that.

Hey man! Nice video like always and... nice new hair :)

great explanation with details 🚀

thank you for your effort.

Thanks for such a didactic explanation.
FWIW, on slide "Flow - PKCE (1)", see around 24:10, your exposition won't get any better if you fix that typo in: "[code_challange + method]". But you might want to fix it anyway 😉

the best oauth explain

I know u already have series on auth. But would love to see how to integrate aspnetcore api with Azure app registrations things including diff scopes and things.

18:56 LOL
Very informative video, though, thanks a lot

This video is so helpful! Thank you

Oh shit u got that fresh cut? 😊😝 thanks for this lecture! liked 👍

russians can travel only to belorussia. That was the most amazing moment in the video!!!

Great content, very detailed as I wasn't aware of the 2.1 changes.
How does Authentication fit in with OAuth?
Can software use OAuth like this safely for controlling access to applications/apis without first authenticating a user / user request?
Is this where OpenId Connect comes in to sit on top / to be used in conjunction with OAuth to provide the authentication part of the puzzle?
I guess I'm wondering how we can Authorise a request without first knowing who is making the request i.e. without the authentication part?
edit: I'm currently thinking that we can use OAuth when we want the authorisation part irrespective of any particular user, and need authentication first when we want to allow different claims/roles/permissions depending upon a specific user.......I maybe wrong though \o/

Hi
One question during video you mentioned that RPOC can be used if client + authorization server + resource server are one application. Please note by single application i don't necessarily mean are built in same technology say AspNetCore or Java. Fronend could be angular, react and backend could be dotnet. But all entites are under same company or team and can be trusted. But later in video you mentioned that RPOC is deprecated.
So can we use RPOC if all three entities can be trusted or it should be avoided.
Great video.
Cheers

Thank you. Good job.

f*cking best video on youtube !

31:42 I think these poor souls are SPAs with only static files. like no backend operation.

Nice Video, Can anybody suggest the best flow for Desktop Application, based on this video i feel it is implicit flow but saving credentials in desktop application that is deployed on client machine doesn't feel to be secure.

I'd love to know how to see this flow happen slowly in debugger, espeically since this back channel stuff can't be seen on browser

What if you are doing oAuth 2 with a WPF client? Does WPF client has to do all the things that are built into the browser?

Resource Owner Password Credential should be ROPC, not RPOC...?

i like the picture at the end of the wall, plus dude too many ads! come on it's exaggerating !

I still don't really understand what the 'code' is, you said a collection of strings, ok, but what is it.

woohooo super great!

What does "opt" in the diagram mean in this context? Options?

I procrastinated for 6 years

Now make a video on Azure ad b2c authenticating and authorizing a .net6 api

18:57 If you in Russia, with international passport and some visas you can travel anywhere, and you don't even need a passport to travel to Ukraine for a nice vacation there.

Can you Please make one video on salting and hasing password to store in db?

антон... волосы куда...

Nice -haircut- video.
1)What the point of exchage of authcode to code? Why don't instantly return token like in implicit flow? What secure advantages it provides?
2)Client Secret it the thing, what user input in password textbox or it is single secret for client aplication(like javascript client)?
3)What the secure place for storing acses token in Vue js application?Vuex?
4)What the good auth flow for service-to-service communication, like between microservices?
Thanks

Fine, you can have a like for the Khabib reference 😜

Thanks for the video and content. I am trying to make a fetch request to the API endpoint and then set the response location header to the google auth server but I get the Cors Error.
Access to fetch at 'accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?response_type=code&client_id=&redirect_uri=localhost:5279/weatherforecast&scope=openid%20profile%20email&state=CfDJ8IJqa1zOV1dOvnKTY_TMWjX1NvVUBThwVVYECnjxe4diq7xwtCmzJROXuQWLGhCMr2cSUpjVecB4Pl8LYpsF4wHZ0fu_ehXsJf9NDnDelzlN8YsEqKjUL_fVI02c-rHBD4FxM743ByQfH8uttr7kA-gbFybFfxctgjz7W_0PCVIRz9AFMUu_AQccsP1m2c0snJogwpJZcedeFKpVZjgWEfAhJethY-ouIEJZiKCF9BkZs5WeRKMjlFLVefW5RGCVk6fAgCL3BKLOWT-Qsfcjk3JU9XoFztWhI2u6XDzQL2dD&service=lso&o2v=2&flowName=GeneralOAuthFlow' (redirected from 'localhost:5279/LoginToGoogle') from origin 'localhost:5279' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.