Hey guys, when making free content without any monetization, a comment and a like go a huge way. It’s truly encouraging to see that it’s been useful to many of you. Thank you for taking the time to leave a comment and a like. I appreciate it.
IT really needs more teachers like you, that thought things through and make an effort to explain something as simple as possible and only as complicated as needed.
Really appreciate you taking the time to leave an encouraging message
Hallelujah. Finally someone that is really good at explaining complex technical topics in a simple, clear manner.
this is the exact explanation that I'm looking for, and you're doing it perfectly. keep this "explain A like I'm 5" series going!
Finally someone who can explain Oauth that I understand, great video.
My grandmother just understood this! Thanks.
This video was exactly what I needed. I’m sad to say I’ve been a software engineer for a few years and have never really understood this until your video. Thanks!
Finally someone makes a clear explanation about Oauth 2.0! thanks!! I love this video
This was truly a description of the OAuth flow that can be understood by everyone. Thank you!
I've been hearing the words OAuth for so long without knowing what it is. This video explains it really well in simple terms. Thank you
The best explanation for oauth available on internet!
I like it especially when you are trying to explain the why not front channel part
Super easy to follow. Stating the problem/context before going into explanation helps so much. Thanks!
Damn dude, this is the best and simplest explanation ever. Good job!
Never saw anyone explaining this worth.. ur title claim stands mate !! Subscribed for more such contents
Well done! This is the first video I have found that explains the purpose before going into all the technical details.
This was a great introduction to OAuth, thank you Gabriel and keep up the great work.
Great explanation! I appreciate you breaking down the parameters of the request, so helpful.
wow, the best explanation ever, and the title did not disappoint me. But, now i really feel like a 5 yo, coz no other video cleared it for me!
greatest explanation available in youtube. thanks
Best video I've seen on this. Great stuff. Thank you
WOW thank you for the video! This is hands down the best explanation I've ever seen for OAuth2 flows and I've been a programmer for 30 years and it's never made sense on how it works until now.
I’m really glad this was helpful! Thanks for taking the time to leave a comment
Best explanation so far. Thanks for sharing the knowledge!
Thanks for the kind words! Have a great weekend
This is the best explanation that I have ever found. Thanks a lot
This is a great video. I came across this video after watching few other videos on oAuth, but the way you explained was really brilliant. Other videos just touched the basic concept, but did not cover in-depth the way you've done in this video.
The same here; not because the other videos aren't good, but because this video has great content and excellent presentation.
I don't feel dumb anymore! ;O) Thanks for great, easy to follow explanations. I like the way you break the information down.
Best 15 minute investment ! Wish I had done it a week ago.
Great explanation! You helped answer our question on the purpose of the authorization code + access token requirement. The Front and Back channel and client secret is an important aspect that we didn’t pick up on from the docs. Thanks!
Glad it was useful! I’m working on part 2. I haven’t covered PKCE yet.
Best explanation I've seen so far. I was expecting a far less detailed explanation, but I am very pleasantly surprised. It made me realize I don't even need to implement oauth for my API, because it won't even handle user specific data, only global.
This is very comprehensive explanation.
Thank you very much
Finally I got the answer for "Why google does not send access token directly instead of sending code first ?"
Thank you.
Hi Gabriel, this is an amazing rundown. Thanks for your time and effort.
I think you've really got something with the "Explain It Like I'm 5" series. It's a fantastic idea. Good luck.
Thanks, I need more ideas, anything you’d like to see?
Hit my head against the keyboard for hours until this made things clearer. Thank you!!
Great explanation! This is what I needed . Thank you!
Great content! Answered some of the questions I've been scouring the net for.
Nice description and overview, just subscribed bra.
Ohh, where are the vids you mentioned about PKCE?
I haven’t made it yet, it’s a very simple concept so the video explaining it should be pretty short
Indeed impeccable explanation... This deserves a standing ovation
Oh my, this really explained a lot to me. This is so brilliant. I was struggling understanding oauth, and where to store my keys, now you gave me A LOT of ideas. A LOT. I know nothing *yet* about this oauth and you made me feel like a pro now. Thanks
I’m really glad this was useful to you. I need to do part 2.
great video gabe! the front channel and back channel were wow moments!
Best explanation ever. Awesome!
WOW great explanation! Thank you Gabriel
Great video, He explained everything step by step
I learnt so much in such a little time.
Amazing stuff - really appreciate you explaining this in a simple way.
It's been a while since I had to understand really what was going on with Oauth and this 15 minutes was superb in reconnecting what I knew but didn't remember. Thanks!!!
Excellent tutorial Gabriel. You're the best. Have you made any video on open id connect as well ?
Not yet, I’ve been meaning to resume but work has been absolutely impossible. After we launch some high priority deliverable I’ll have more time to come back to YouTube
I appreciate the kind words and that you took the time to leave a comment! Take care and hopefully see you soon in new videos
very clear and easy to understand video, thanks Gabriel!
Great video. You're the first one I've found that explains the 3 identities. The Resource Owner, The Client and Auth Server. Great job!
Thank you for this video, definitely gave me a better picture of OAuth 2.0
this was so helpful, thanks. Gabriel!
good approach and explanation. Thanks a lot!
That's great explanation ... Loved it
Great video explaining for beginners. I had to explain Oauth2 and OpenID Connect to my students, and this guide was very helpful for me to be more visual. Keep the content going ;)
Thanks for the explanation and quality drawing! Really makes everything much clearer!!
This is very clear explanation! Great job!
Very well explained. Thanks for this!!
Great explanation, Gabriel!
As others have said. Fantastically clear video. Thank you!
This is a great explanation. I feel a little dumb it took a ELI5 for me to get it.
It takes me a eli5 too so that’s why I made it.
This was so well explained, thank you, Gabriel.
Best explanation ever. Well done, thank you!
Really cool explanation, thanks! Keep on posting good videos.
Awesome video. Thank you! Subscribed
Very informative Video Gabriel..Thank you so much
Best explanation!! Thanks.
Thank you for the explanation!
thank you for explaining in such a clear way
Thanks for taking the time to leave a comment!
I appreciate it
Very useful! Great job!
Thanks Gabriel, that was amazing
Superb explanation!
Good job mate! Thanks for this video!
Phenomenal explanation!
Very well explained. Thank you.
Amazing video. One question though: How is the "client secret" verified by the authorization server? As I understand, the server never received the client secret through the front channel so it has nothing to reference when checking the validity of the secret on the back channel. 🤔
Thanks for the comment. So the client id and secret were provided by them. For instance if you want to use oauth with google, you first need to go to google and create an application, they will then give your application an id and secret, so when you send the secret they compare to what they had in their db.
@Gabzim Makes sense! thank you for the answer!
thank you very much, you saved me a lot of time.
wow... i can now confidently answer in interview about oauth
Thanks for the great video, Gabriel
Thanks for the support!
Web authentication seems like a large topic. I spent a lot of the day learning about authorizing via JSON Web Tokens so kind of burnt out for the day, but your explanation of OAUTH2 was digestible nonetheless. Thanks!
awesome explanation. thanks for this
Thanks for explaining in an understandable way.
Nicely explained. But I think you should consider using colors that are more contrasted. The red text was difficult to see against the grey background. Maybe use a lighter red or a black background next time.
Thanks for the feedback, you’re right, I feel it was hard to read at times but my editing skills are quite terrible 😅 I’ll figure something out, thank you!
thank you for the demonstration sir it was great! keep this up
Awesome video - thanks for making this!
really well done. Kudos!
Hey Gabriel , Great Video.. when are you uploading part 2 of this ?
Hey appreciate the encouraging comment. I’ve been super busy lately and it’s been hard to overcome my struggle with recording myself. I’ll try to catch up in the upcoming 2 weeks
Great explanation. I just have a question. If using token as the response_type, why can't the access_token just be sent along with the client_id and client_secret to make requests and so making them more secure?
Is it because you don't want to send your client_id and client_secret all the time or is there another reason?
so once you have the token, you no longer need to provide the secret (the client id is ok because it's public), and I guess the reason for that is precisely that you should send that over a secure channel and no more often than strictly necessary. You never want to expose the secret in your client or have it leave your server unless it goes directly to the identity provider (google in the example) because they already know the secret.
Good video, nicely explained :)
Best explanation
Amazing explanation. Thank you!
Thanks for your effort ! Really helps a lot !
Nice explanation! I'd reword the title tho to more like "explain like I'm a junior dev" lol
Crystal clear.. thank you 🙂
I really enjoyed your explanation!
Thank you.
Glad you enjoyed it! Let me know what else you'd want to see
Great explanation!
Hey Man! you explained it very clearly. Thanks.
Glad you liked it! Will try to work on part 2 soon.
loved the video, thank you
Man this helped a lot, thanks a bunch.
But in front channel you provide to browser the client_id and client_secret when you first provide resource owner with URL. (the url which leads to google and links the request with client)
What I am trying to say is: if someone extracts the client_id and client_secret at first and then captures the "code" then they can still request token.
Am I wrong?
Yes, you are partially wrong. You do not provide the client secret. Only the client id, the client secret remains in the backend to exchange the code for a token
Front end never sees the client secret
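The exchange discussed in the two question threads above (how the provider checks the client secret, and why a captured code alone is not enough), as an added example that is not from the video or from any commenter. The `auth.example` host, the demo client id and secret, and the in-memory stores are constructed for illustration; binding the code to one client and making it single use are standard OAuth 2.0 behaviour rather than something stated in the comments.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration record: what the provider stores when the app is created.
REGISTERED_CLIENTS = {"demo-client-id": "demo-client-secret"}
ISSUED_CODES = {}  # authorization code -> client_id it was issued to


def build_authorization_url(client_id, redirect_uri):
    """Front channel: this URL passes through the browser, so it carries no secret."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    return "https://auth.example/authorize?" + query


def authorize(url):
    """Provider side: after the user consents, issue a one-time code for this client."""
    params = parse_qs(urlparse(url).query)
    client_id = params["client_id"][0]
    if client_id not in REGISTERED_CLIENTS:
        raise ValueError("unknown client")
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = client_id
    return code


def exchange_code(code, client_id, client_secret):
    """Back channel: server-to-server call where the secret is finally presented."""
    stored = REGISTERED_CLIENTS.get(client_id)
    if stored is None or not hmac.compare_digest(stored.encode(), client_secret.encode()):
        return None  # wrong or missing secret: a captured code alone is useless
    if ISSUED_CODES.get(code) != client_id:
        return None  # unknown code, or code issued to a different client
    del ISSUED_CODES[code]  # codes are single use
    return secrets.token_urlsafe(32)  # stand-in for an access token
```
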
Great explanation