OAuth 2.0 - a dead simple explanation

preview_player
Показать описание

00:00 What is OAuth 2.0?
00:13 What problem does OAuth 2.0 solve?
02:04 OAuth 2.0 Client Registration
03:06 OAuth 2.0 Confidential vs. public clients
04:21 OAuth 2.0 Authorization Code Grant
06:43 OAuth 2.0 Access and Refresh Tokens and JWTs
08:03 OAuth 2.0 Grant types: client credentials grant, implicit grant, resource owner password grant, device grant
09:03 Outro

OAuth 2.0 is an "authorization framework [that] allows third party applications to get limited access to an HTTP service" (RFC 6749).

OAuth 2.0 is all about giving third party applications limited access to APIs. Prior to OAuth 2.0, the third party would have asked for the user's credentials and would have used these credentials on the respective API. OAuth 2.0 eliminates the need for password sharing by introducing a new entity called the OAuth 2.0 authorization server.

The OAuth 2.0 authorization server issues access and refresh tokens to third party applications thereby eliminating the need of credential sharing. The third party application is called the client in OAuth terminology. The API the third party wants to get access to is called the resource server or the protected resource.

Before a third party can get limited access to an API, it first needs to register itself with the OAuth 2.0 Authorization server. The third party application, the so called client, gets a client id upon registration with the OAuth 2.0 authorization server. If the client can keep data secret, then it will also obtain client credentials. The simplest form of a client credential would be a shared secret called the client secret. OAuth 2.0 also supports more sophisticated means auf authenticating against the OAuth 2.0 authorization server such as mutual TLS (mTLS).

Once the client is registered, the client performs one of the OAuth flows that are also known as grant types. The most popular grant types are the OAuth 2.0 authorization code grant which orchestrates an approval flow between the resource owner, the OAuth 2.0 authorization server and the protected resource.

Contrast this with the client credentials grant which is made for machine-to-machine communication. The resource owner password grant and the implicit grant are insecure according to the OAuth 2.0 Security best current practices and must not be used. Then there is also the OAuth 2.0 device grant which is built for devices that do not have a browser or where entering credentials is cumbersome such as Smart TVs.

While the OAuth 2.0 RFC does not mandate the access and refresh tokens to be structured, in most deployments they are actually JSON Web Tokens (JWTs). This has the advantage that the protected resource can validate the signature of the token locally without having to make a REST call to the authorization server to check for the validity of the token.

  1. Jan Goebel
  2. oauth
  3. oauth 2.0
  4. oauth2
  5. oauth tutorial
  6. oauth2 explained
Рекомендации по теме
OAuth 2 Explained 0:04:32

OAuth 2 Explained In Simple Terms

OAuth 2.0 - 0:09:16

OAuth 2.0 - a dead simple explanation

OAuth 2.0 explained 0:10:03

OAuth 2.0 explained with examples

OAuth 2.0 and 1:02:17

OAuth 2.0 and OpenID Connect (in plain English)

OAuth 2 0 0:36:53

OAuth 2 0 and OpenID Connect for Single Page Applications Philippe De Ryck

[2023] OAuth 2 0:14:37

[2023] OAuth 2 tutorial in 15 Minutes

What is OAuth2? 0:19:56

What is OAuth2? How does OAuth2 work? | Naveen AutomationLabs

What is OAuth2.0 0:09:21

What is OAuth2.0 (in plain English)

Introduction to OAuth 2:43:46

Introduction to OAuth 2.0 and OpenID Connect By Philippe De Ryck

OAuth and OpenID 0:10:18

OAuth and OpenID Connect - Know the Difference

The insecurity of 0:57:18

The insecurity of OAuth 2.0 in frontends - Philippe de Ryck - NDC Security 2023

Forget about OAuth 0:54:27

Forget about OAuth 2.0. Here comes OAuth 2.1 - Philippe De Ryck - NDC Oslo 2022

OAuth 2.0 Explained 0:09:52

OAuth 2.0 Explained - Authentication Example using OpenID, JWT and Opaque Tokens

OAuth2 Part 2: 0:03:04

OAuth2 Part 2: Adding in Scopes

Authorization with OAuth 1:34:24

Authorization with OAuth 2.0 - Stijn Van den Enden & Jan Van den Bergh

Mr. Robot Sucks 0:00:55

Mr. Robot Sucks

What's going on 0:17:18

What's going on with the OAuth 2.0 Implicit flow?

OAuth explained | 0:08:47

OAuth explained | OAuth 2.0

OAuth 2 Token 0:08:07

OAuth 2 Token Introspection

What are OAuth 0:17:13

What are OAuth Security Vulnerabilities | CybersecurityTv

OAuth Authorization code 0:11:49

OAuth Authorization code flow

OAuth 2.0 & 0:22:30

OAuth 2.0 & Google

What is redirect 0:02:16

What is redirect URL for OAuth?

OAuth 2.0 Master 1:02:48

OAuth 2.0 Master Class - Part 1 - June 25 | Identiverse 2019

Комментарии
Автор

What do you think about this video?
Let me know in the comments below.

FYI: I had to re-upload this video because the old one had an audio issue. Sry for that.

jgoebel
Автор

Great slow and clear explanation without cutting any corners, thank you

alastairtheduke
Автор

Great video! Short and simple explanation to share with colleagues and not look like an alien trying to explain it.

Mr.Dyz
Автор

One of the best explanations about OAuth, thanks a lot!

alexpato
Автор

Thank you a lot ! I have to implement an authorization code grant for my personal project and the service doc was really confusing. Great explanation, you saved me 🤗

carolineroy
Автор

Excellent video! Not verbose and tedious like many others, and very informative. The only small nit I have: at 4:45 you say "we will learn about the response type in a minute" but then I don't think you ever talk about it. You do talk about Grant Types which are related (I think?) but not response type.

jrblackify
Автор

You are creating amazing content! Please keep doing it!

psylo
Автор

It is really really good explanation. Thank you....

talatkuyuk
Автор

Thank you very much. Your video is amazing <3.

thongtranlequoc
Автор

Welcome back! May I ask what tool you used to illustrate this video?

GigGigJigolo
Автор

amazing video.. are you planning to redo the other grant types similar to your old playlist or this is a one off update

SandeepJan
Автор

Great content, as always!
Could you please share the name of the software you used to create these animations?

k.deepak
Автор

Good video but really bad EQ, I had to really crank down 125HZ cut to keep the floor from shaking :/

pierspad
Автор

9:10 the client may get refresh token but did you miss access taken part ? When is access token granted by the authorization server ?

haidersyed
Автор

Nice video and I think of using Oauth for the project am working on now but I want to ask a question. Did I need to pay or add my credit card before I can use it?

nwaformicah
Автор

Question: what is the difference between a framework and a protocol?

johanneskingma
Автор

How does Google know that the client has a backend ? What if Google issued client secret when there is no backend ? I got confused I think client credentials part needs more elaboration

haidersyed
Автор

Dumb question not directly related to OAuth... if you can extract anything out of a mobile application for example, how would such an application communicate with its backend securely? Surely you could also just extract those authentication secrets?

jano.
Автор

2:37 "if the 3rd party application can keep data secret" what is that supposed to mean?? if it its trustworthy? if it stores data at all?? All the effort to make a video and then you throw things like that in there ... I don't understand video makers anyway

ME-bwrl