Client Credentials Grant Flow is REALLY BAD

preview_player
Показать описание
The simplest way to get an access_token in a RESTful API is to use the client_credentials grant... it's also the least secure, and really shouldn't be used in modern apps...
  1. Michael Bissell
  2. api development
  3. OAuth
  4. OIDC
  5. API Security
  6. app development
Рекомендации по теме
Client Credentials Grant 0:02:16

Client Credentials Grant Flow is REALLY BAD

OAuth 2.0 Client 0:05:34

OAuth 2.0 Client Credentials Flow (in plain English)

OAuth client credentials 0:03:25

OAuth client credentials flow

Authorization Code Grant 0:04:25

Authorization Code Grant Flow Overview

OAuth 2.0 Client 0:00:26

OAuth 2.0 Client Credentials Grant Flow

POSTMAN API OAUTH2 0:01:00

POSTMAN API OAUTH2 CLIENTCREDENTIALS

Implement the OAuth 0:05:01

Implement the OAuth 2.0 client credentials grant type flow in Apigee

How to configure 0:21:17

How to configure OAuth 2.0 client credentials flow in Azure Active Directory B2C?

OAuth 2.0 - 0:03:34

OAuth 2.0 - Client Credentials

How to Use 0:13:45

How to Use Client Credentials Flow with Spring Security

OAuth 2 Explained 0:04:32

OAuth 2 Explained In Simple Terms

OAuth Grant Types 0:13:16

OAuth Grant Types simplified for decision makers

OAuth 2.0 Client 0:09:09

OAuth 2.0 Client Credentials Flow in Salesforce

24 Client Credentials 0:01:12

24 Client Credentials Grant Type Flow

OAuth 2.0 Client 0:10:32

OAuth 2.0 Client Credential Grant Type

Oauth 2.0 Client 0:10:37

Oauth 2.0 Client Credential Flow | Microsoft Graph

OAuth 2.0 - 0:09:16

OAuth 2.0 - a dead simple explanation

Spring Boot+ OAuth 0:14:34

Spring Boot+ OAuth 2 Client Credentials Grant Simple Example

Salesforce Inbound - 0:06:11

Salesforce Inbound - OAuth 2.0 Client Credentials Flow for Server-to-Server Integration

SiteMinder as OAuth 0:03:19

SiteMinder as OAuth Provider - OAuth Client Credentials Grant Flow

Oauth Client Credentials 0:06:59

Oauth Client Credentials Flow for Service Apps

OAuth 2.0 client 0:19:11

OAuth 2.0 client credentials and JWT explained along with keycloak demo

OAuth Grant Types 0:06:37

OAuth Grant Types

Controlling External API 0:06:06

Controlling External API Usage with the Client Credentials Grant

Комментарии
Автор

Hi Michael, thanks for great videos about grant flows. I think you should have specified that the auth service grants tokens which you use to consume resources from an API. It's alot better than using API keys. Still learning, so please correct me if im wrong here (anyone, not just Michael).

MortenHolje
Автор

It depends a lot on the system's requirements. For instance, if you need to make this query on the front end, you leave the client ID and secret on the backend. After receiving the token, you can then use it securely on the front end. However, it's essential to restrict the token's lifespan; otherwise, it won't be effective.

ygorcosta
Автор

What should be done instead? How would you handle an automated request from another backend service?

benpracht
Автор

Hi, Great Explanation. I was really clear and was on point! It would be great if you could make a similar one for implicit grant and resource owner credentials grant. Thank you.

kaustubh
Автор

I little simplistic to just say client credentials bad

ScrotoTBaggins