Hi Michael, thanks for great videos about grant flows. I think you should have specified that the auth service grants tokens which you use to consume resources from an API. It's alot better than using API keys. Still learning, so please correct me if im wrong here (anyone, not just Michael).
It depends a lot on the system's requirements. For instance, if you need to make this query on the front end, you leave the client ID and secret on the backend. After receiving the token, you can then use it securely on the front end. However, it's essential to restrict the token's lifespan; otherwise, it won't be effective.
Hi, Great Explanation. I was really clear and was on point! It would be great if you could make a similar one for implicit grant and resource owner credentials grant. Thank you.
Hi Michael, thanks for great videos about grant flows. I think you should have specified that the auth service grants tokens which you use to consume resources from an API. It's alot better than using API keys. Still learning, so please correct me if im wrong here (anyone, not just Michael).
It depends a lot on the system's requirements. For instance, if you need to make this query on the front end, you leave the client ID and secret on the backend. After receiving the token, you can then use it securely on the front end. However, it's essential to restrict the token's lifespan; otherwise, it won't be effective.
What should be done instead? How would you handle an automated request from another backend service?
so this flow is good for backend to backend since there's no exposure
Hi, Great Explanation. I was really clear and was on point! It would be great if you could make a similar one for implicit grant and resource owner credentials grant. Thank you.
I little simplistic to just say client credentials bad
They're simply unsecure.
what to use instead then@@bissellator
@@bissellator I kind of agree with the comment. Bad for what? What is the better approach? And in what situation?