You present the best variety of topics. And you address those topics with simple and direct explanations and examples. Thank you.
All programmatic concepts make much more sense when illustrated with the code. This is one of those few videos that accomplishes that. Kudos!
Thanks for making this video, it is by far the best OAuth2 explanation I’ve seen.
Thank you for making this video! I have a lot more clarity now. One comment: According to the OAuth2 terminology, I think that technically the "Resource Owner" you mention at 1:58 is actually the user, and not Discord, as it is the user who owns the resources (information in that discord account) that we are looking to access. And that would mean that steps 1 and 2 are interacting with the same Authorization Server that steps 3 and 4 are interacting with. Let me know if I'm wrong here. Thanks again for making this!
Finally a video that explains OAuth2 with a code example. Just seeing cartoon drawings doesn't help. This is pure gold. Thank you.
Yeah, most YouTubers use passport for OAuth2 in NodeJS and it abstracts everything explained in this video. Now I understand what's actually going on.
This is the best OAuth2 explanation ever! The explanations with the code snippets are super useful (for me at least). Thanks!
Easiest explanation I found yet. Though there is one layer of authentication required by Discord before we get the code.
It's so frustrating! Everybody just talks about libraries. Thanks for showing some inner workings!
Hands down, best explanation of OAuth2 on RUclips.
Glad it helped.
Finally found a video that explains OAuth2 with some code examples. So it's as simple as 3 HTTP requests done one after the other.
Thanks man! Just started as a junior and this vid helped me explain a lot about my first project!
As always you've been helpful, EM. I've been looking into this for hours. Thanks.
Wonderful explanation. Super understandable. Thank you very much!
Interesting video. You also have the discovery service, to get the endpoints and JWS / JWE encryption to further secure these things.
Oof, only 600 views, this deserves more.
I guess you were right. 22k views right now
How would you get this to work with SMTP? It seems sensible for standard HTTP requests, but I can't seem to figure out how to get it to work for SMTP email sends. More specifically with Yandex email servers.
This channel is UNDERRATED!
Hi. Thanks for the video, can you explain how the parameters are generated? CLIENT_SECRET, etc. Can this be tested from our localhost?
They'll be generated for you by the service that you want to integrate with. In this case, Discord generates both of them.
Yes, how CLIENT_ID & CLIENT_SECRET are generated - that's the only thing missing in the video.
I think it would be worth it to add it at least to the video's description.
Hey, with the user data in your video, how would you pass that to a React component? Thanks
Thanks for sharing such a neat explanation. Just wondering, where do you suggest storing the secret key: environment variables, in a file that only the user running the app has access to?
I'm a bit confused. Isn't a user supposed to put in their username and password first? Then once authorized they will go ahead and get access to data such as email, username, etc. from the OAuth2 server?
Clear and concise explanation. Thank you.
Well explained with a practical approach.
Thank you sir! Very good, plain explanation.
As always, great content. Explains it so simply. Thank you.
Awesomeness 👌 love the new tagline too :)
It's crisp and clear, keep the good work up. I have a doubt: how can we configure the passport-oauth2 client if there is no pre-existing client available for our OAuth2 provider?
Awesome! Explained every step very clearly. Thank you!
That was great! Next up, please explain what OpenID Connect brings to the table :)
Thx for making this video, this is very helpful. Do you also have, or can you make, a recording with an SSO example?
nice explanation broski
Great explanation! thanks
holy.... I cannot believe how much I was overthinking this. :facepalm: Thank you so much for explaining this so succinctly. Since the refresh token is typically provided with each access token, that means you could do something like store the two tokens in the local dataStore and use the refresh token every n hours to update your access token?
Theoretically yes but practically no. The reason is that you need the secret to actually be able to use the refresh token, and the secret should never appear on a "local" system. The only time that this tradeoff changes is when the application is run entirely locally, and each user registers their own app with the authentication provider, and thus can use their own secret for refreshing their access.
Good clear explanation. Well done.
This helps a lot. Thank you for the clarity. 👍
I learned more about what OAuth2 is all about by EM going over the code. I am still trying to figure out why an API call or OAuth2 would need a redirect URL. Why can't it create its own?
The redirect URL is necessary because it needs to go back to your own site's address. The OAuth provider would have no way to know what that is.
Great video! Explained it so well
Are there any security implications of not using https in your redirect_uri?
None that I know of. All that comes back is the code which needs to be combined with a person's client secret to do anything useful with it.
That said, best practice in 2019 is to https everything regardless.
Awesome explanation 👌👏. Any tutorial on how can we get access token from refresh tokens?
Simple and direct!
👑
Is it possible to do this in Django, i.e., without any added libraries?
Of course.
Super simple, Thanks for this.
nice video bro
Thank you! You got a subscriber.
Well good n bookmarked!
I enjoyed this, thanks!
Thanks for this!
Does 3-legged OAuth always require a login challenge?
60 lines of code; if you use passport for node it's 3 lines of code. Haha. Anyway sir, you're a really good teacher.
I don't understand, this OAuth service that Discord offers, can I use it with any app of my own?
@Gonzalo Oviedo Lambert yes, that's why it's openAuth. Anyone can auth via Discord and request data from the Discord API and
@Mrstealurgrill OK, but I don't require data from Discord, I only need the API to give me the token, using it like an OAuth server and nothing else for my app. Is that possible?
@GonzaloOviedoLambert That's what the 4th step is. It's up to you whether you want to access data or not.
@GonzaloOviedoLambert You can install Postman right now and request a token from the Discord API using your username and password (you must have a Discord account).
@Mrstealurgrill Thanks Matthew, I understand.
Very effective.
Thanks
awesome, thanks
What is the name of the font in "Engineer Man"?
I uploaded it on an online recognizer tool and it says "aclonica"
OAuth is beautiful.
This is with grant_type equal to authorization_code.
Thank you some docs are confusing haha
This is only intelligible because I had a senior engineer walk me through every step of this as I had to perform this using WordPress (wp_remote_request, which I didn't know existed) and a cron job (NOT wp-cron, don't ever use wp-cron). But the first time I watched this, it made no sense whatsoever.
why did I find you so late?
Only smart people go here to search.
First
Nobody cares
@Zooiest You do.
Denis Onder yeah right
The question is... did you watch it first?