amazing bro!
@nicktacora thx
The explanation is clear. Thank you!
Bro, very nice explanation in detail. Keep it up!
Thank you for this explanation, it is exactly what i needed to understand this flow better, although i need to implement this via Azure app registration, the philosophy is the same
The details were superb. You clearly explained the flow. Great job ProductionCoder!
Man, I am a backend dev with 4 yrs of exp. but believe me man I always get lost in these OAuth grants. I always need to redo all the R&D again. But here you explained very well mate, I must say perfectly explained. Keep it up
thx Umair, I'm glad it helped
Your approach to explaining this is excellent. Thank you!
Glad you enjoyed it!
Greatly appreciate this. The explanation of this flow brought it home for me.
One of the greatest pieces of content on OAuth I ever found on RUclips.
Thanks bud, for this wonderful content
thx, I'm glad you found it useful
Best explanation on YouTube, thank you!
Glad it was helpful!
Can you share a read-only link to that drawio doc? Would be very helpful.
Agree, this would be very helpful.
Finally explanation I was looking for, thanks!
This video was incredible!! Thank you for sharing so much knowledge!
thx André, I'm glad you found it useful 👍
Great explanation
Glad you liked it
thanks! well prepared and informative, made my life much easier :)
You're welcome!
Very understandable, thanks for your efforts!
you're welcome Konstantin 👍
Explained so clearly!!!
thx
Great video, thanks for explaining that way!
thx
I came here to put a like! Everything is clear, I have no questions. Thanks for the video
Thx Віталік, I'm glad it helped!
Thanks for this great content.
Thx Mohamed
Very helpful, thanks
Amazing explanation! Thank you for your effort.
Glad you liked it
Amazing explanation.
Glad you liked it
awesome explanation, thank you, you've got another subscriber!
great, thx Yegor
Hey, I really love this video, especially because it shows visually what's going on instead of just tossing jargon around. What wasn't entirely clear though is WHY the code / token exchange is happening. Like, I don't understand how that extra step adds additional security compared to the implicit flow, for example. Any chance you could give me a hint here?
very nicely explained. great work !!
thx Satwik
So far, it seems an excellent tutorial to me. I bet these videos should have more likes and subs...
Glad it was helpful!
Amazing explanation
thx
Great video.
Great video. Would love to watch a follow up with a react app creating or updating a Google Doc.
This was an awesome explanation of the grant type authorization code flow. Thank you so much! One question I have is how does this flow work when you have one API that needs authorization to access another API where there is no "user" login involved? For example, I have a Spring REST web service that a vendor cloud app (Dell Boomi app) needs to access. In the past, I've used the password grant type, which I know is not best practice. Sorry if this is a basic question... I'm new to the auth code grant type flow.
Hi Therese, the authorization code grant is only used together with a user (someone clicks approve on a screen). For server-to-server communication OAuth2 offers the client credentials flow.
Ultimately it is a judgement call. Basic Auth is way simpler to implement because it is just username / password. With OAuth you need an authorization server. So unless you don't already support OAuth, I would rather go with Basic Auth. You might also want to take a look at using JWTs for server to server communication (I have a video series about this). This is probably better in terms of security, but more work to implement. You need to decide if it would be worth doing.
Your approach to explaining this is excellent ❤ and please can you give me your explanation sheet?
The details are well explained, thank you. It would be helpful if you shared the diagram which is referenced in this tutorial.
Thanks for your effort, it's a great explanation! Just got a question regarding the OAuth 2.0 authorization code grant: is it good practice to use this method with Cisco ISE & Azure AD integration for end-user authentication?
The auth code flow explanation was really great. However, the part where you explained the client secret is not very clear. Perhaps a little more detailed explanation would have helped me.
Think of the client id as a username and the client secret as a password. OAuth 2.0 also supports stronger means of authentication against the token endpoint such as mTLS or JWT assertions.
@jgoebel Absolutely awesome series of videos!! Thank you Jan! -- One question regarding this: Why is it important to keep the client_secret as a pw? After all, even if an attacker gets it, they will still need the user to authenticate.
@marcus-vg8ft if you have the client secret, then you can impersonate an app. I.e. an attacker could pretend that he is the app for which he has obtained the client secret and get access to the user's data.
Thanks Jan! If it is for what Google calls "a desktop app", where the user will store the secret on his own computer, is this still risky? I thought with PKCE it should be safe no matter what. @jgoebel
@marcus-vg8ft an attacker could impersonate the app and get access to the user's data on the resource server.
Good work, thanks a lot!
You are welcome!
We get "redirect uri" two times within your UC diagram. Which is the one actually registered with the server initially?
Thank you for a detailed explanation. My question is how does the resource server validate the access token? We need a call from the resource server to the auth server in order to validate, right? Do we have a standard for this communication?
I explained it here: ruclips.net/video/q3FiuTZlroE/видео.htmlsi=Vp_lWURCU0-HbG2Q&t=404
Either via a call to the authorization server or - if the token is structured (e.g. a JWT), then by validating the token's signature with a public key
Hey, I get that OAuth2 is required by a third party to access an API. Example: when I say "continue with Google" for the first time it will get my email, name, profile photo and all; this will help in getting that data and creating a user. But how does login happen with the "login with Google" button?
is the diagram shown in the video available anywhere?
What should the redirect_url be like? How is it determined? Can you give me an example?
All clear)thanks)!
Glad it helped!
Please help. Is there a sample angular application that implements this? I need to learn it. Thanks!
Thanks for the video this has been very helpful for me.
I've one question I hope you can answer for me.
Once I've passed authentication and have received the token back on the client, and then the client makes a request to the RESOURCE server. Does the resource server need to check the token against the auth server with every request?
Most services use structured tokens, i.e. JWTs, so you can validate the token without making a REST call to the authorization server. There are a few edge cases you could run into however, e.g. if a token is revoked you might accept it on your service.
Therefore, for critical actions like purchasing something you can use the token introspection endpoint of the authorization server where you can have a token validated.
@jgoebel thanks for the explanation 👍
Did you say authorization code flow clients do not need a secret? Don't we need the secret to exchange the code for an access token?
sorry commented too early before watching the whole video
Thank you
You're welcome!
Can you please share the drawing? It would be really helpful.
How can you get the code from the authorization automatically, not by copying it from the browser?
You can access the browser's URL and get the code from the query parameters.
How do I take the code and state parameter to the backend in Python?
You would make a REST call to your backend.
I love fight club too XD
best movie ever
It has given me an authorization code, but where do I paste the code in?
The authorization code is sent to the token endpoint of the authorization server to obtain an access and / or refresh token.
wow...
So server-side rendered apps don't use a state parameter because using a client secret makes it secure enough already?
Also, if anyone has any resources explaining how to decide what the redirect URL should be, please link (I am new to this and I suspect it may be obvious to many).
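The public-client pieces asked about in this part of the thread (reading code and state from the redirect URL, why state is checked before the code is exchanged, and how PKCE protects the exchange when there is no client secret to keep) as an added Python example that is not from the video or its author. The endpoints, client id, loopback redirect URI and the authorization code used in the checks are constructed values; the S256 challenge is computed as RFC 7636 specifies.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

AS_AUTHORIZE = "https://as.example/authorize"      # constructed endpoint
CLIENT_ID = "demo-public-client"                   # constructed client id
REDIRECT_URI = "http://127.0.0.1:8080/callback"    # constructed loopback redirect for a desktop app

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def begin_login() -> tuple[str, dict]:
    """Client: mint state and a PKCE verifier, build the authorize URL, return what to keep in the session."""
    state = secrets.token_urlsafe(32)
    verifier = b64url(secrets.token_bytes(32))              # 43-char code_verifier (RFC 7636)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    url = AS_AUTHORIZE + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "calendar.read", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256"})
    return url, {"state": state, "code_verifier": verifier}

def as_record_challenge(authorize_url: str) -> str:
    """AS side: remember the challenge bound to the code it is about to issue."""
    return parse_qs(urlparse(authorize_url).query)["code_challenge"][0]

def handle_redirect(redirect_url: str, session: dict) -> dict:
    """Backend: pull code and state out of the redirect's query string and build the token request."""
    q = parse_qs(urlparse(redirect_url).query)
    if "error" in q:
        raise ValueError(q["error"][0])
    if not secrets.compare_digest(q.get("state", [""])[0].encode(), session["state"].encode()):
        raise ValueError("state mismatch")    # a code not started by this session is rejected
    return {"grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session["code_verifier"]}

def as_verify_pkce(stored_challenge: str, token_request: dict) -> bool:
    """AS side at the token endpoint: without the matching verifier a leaked code is useless."""
    recomputed = b64url(hashlib.sha256(token_request["code_verifier"].encode()).digest())
    return secrets.compare_digest(recomputed, stored_challenge)
```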
Thanks for this! Right now I need to implement an app that creates some Google Calendar events but for a ServiceAccount. I saw many examples in the docs that create/use AuthorizationCodeInstalledApp (or similar) to create a 'credential' instance (com.google.api.client.auth.oauth2.Credential) but it works for regular user accounts and not for a ServiceAccount (I already have the JSON file with key info from my ServiceAccount). Do you know where I can find some examples for what I'm looking for? Something like this:
final NetHttpTransport HTTP_TRANSPORT = GoogleNetHttpTransport.newTrustedTransport();
JsonFactory jsonFactory = GsonFactory.getDefaultInstance();
GoogleCredentials credential = GoogleCredentials.fromStream(new FileInputStream(jsonPath))
        .createScoped(Collections.singleton(CalendarScopes.CALENDAR));
Calendar calendar = new Calendar.Builder(HTTP_TRANSPORT, jsonFactory, credential)
        .setApplicationName(APPLICATION_NAME)
        .build();
(this example isn't working because Calendar.Builder needs some Credential obj as a third param)