Why did we move to this kind of big tech third-party fucking paid login system? Just keep your users in your database, and every time a user logs in they ask for a token (that has an expiration time) that can then be used by the frontend to fetch the fuck it needs. All those layers of fake security introduce only more complexity and more layers of possible failure or human error. Keep in mind that we are not running banks (and not even banks use those fucking systems), but 99% of us are running fucking websites and note apps. And don't use the fucking PaaS or cloud or fucking overpriced shit that the industry convinces coding monkeys to use; just use a fucking VPS and, if you need it, also a CDN. Fuck this programming industry and fucking garbage languages and frameworks like the React ecosystem. Just program; don't spend your time learning fucking slave instruments and mental masturbation systems designed like Gucci clothing to create an urge of need and run tech businesses with the money you give them and train fucking AI with the data you give them. I hate programmers so dumb that they feel so smart with their incomprehensible documentation and their fear of reinventing the wheel. Frankly said, you are a waste of oxygen and mass producers of carbon dioxide to maintain fucking inefficient and useless systems, not to mention that 50% of all apps probably don't even need to use HTTPS over HTTP; wtf will a hacker do with the agar.io information of one user? Ridiculous.
On my WordPress website, Chrome on my phone says "not secure" and Safari on my laptop also says "not secure", but my SSL certificate is good, I checked. Also, Chrome on my laptop doesn't say "not secure". I went to Inspect > Console on the website and this error was there, but I don't know what it means or where the error is located. The Source Location is blank:

"Content Security Policy of your site blocks the use of 'eval' in JavaScript. The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site. To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings. If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive. ⚠ Allowing string evaluation comes at the risk of inline script injection. 1 directive. Source location: (blank). Directive: script-src. Status: blocked."
So if I'm understanding this correctly, this just prevents loading scripts from sources not allowed by the CSP. But an attacker could still use an inline script tag to run any JavaScript, if they could fit everything they need within the comment box (assuming stored, and in a comment input)?
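The two comments above turn on the same question: what a given script-src policy actually permits. The console message in the first comment means the effective script-src contains no 'unsafe-eval'; the second comment asks whether a stored <script> tag in a comment would still run, which depends on whether the effective script-src allows inline scripts. The following checker is an added example (not code from the video, the thread or WordPress) that parses a Content-Security-Policy header and answers both questions for a policy. The policy strings are constructed samples; the rules it applies are the ones in the CSP specification: script-src falls back to default-src when absent, and a nonce or hash source causes 'unsafe-inline' to be ignored in browsers that support CSP level 2 or later.

```python
"""Report what script execution a Content-Security-Policy header allows.

Added example; the sample policies are constructed for illustration.
"""
from dataclasses import dataclass

# Directives that fall back to default-src when they are absent.
FALLBACK = {"script-src": "default-src"}
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {name: [sources]}.

    If a directive name is repeated, only the first occurrence counts (as browsers do).
    """
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. a trailing semicolon
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str):
    """Return the source list that governs `name`, honouring the default-src fallback.

    None means the policy places no restriction on this directive at all.
    """
    if name in directives:
        return directives[name]
    fallback = FALLBACK.get(name)
    if fallback and fallback in directives:
        return directives[fallback]
    return None


@dataclass
class ScriptPolicy:
    restricted: bool        # False when neither script-src nor default-src is set
    allows_inline: bool     # would a stored <script>...</script> in page content execute?
    allows_eval: bool       # would eval()/new Function()/setTimeout(string) work?
    strict_dynamic: bool    # 'strict-dynamic' present (host sources are then ignored)
    hosts: list[str]        # host/scheme sources such as https://cdn.example.com


def analyze_scripts(header: str) -> ScriptPolicy:
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:
        # No script-src and no default-src: the browser applies no script restriction.
        return ScriptPolicy(False, True, True, False, [])
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)
    # 'unsafe-inline' only takes effect when no nonce/hash source is present.
    allows_inline = "'unsafe-inline'" in lowered and not has_nonce_or_hash
    allows_eval = "'unsafe-eval'" in lowered
    strict_dynamic = "'strict-dynamic'" in lowered
    hosts = [s for s in sources if not s.startswith("'")]
    return ScriptPolicy(True, allows_inline, allows_eval, strict_dynamic, hosts)


def findings(header: str) -> list[str]:
    """Human-readable summary in the spirit of the DevTools CSP panel."""
    p = analyze_scripts(header)
    if not p.restricted:
        return ["no script-src or default-src: inline scripts and eval are unrestricted"]
    out = []
    out.append("inline <script> allowed" if p.allows_inline else "inline <script> blocked")
    out.append("eval() allowed" if p.allows_eval else "eval() blocked (string evaluation disabled)")
    if p.strict_dynamic:
        out.append("'strict-dynamic' present: host allow-list ignored, trust flows from nonced scripts")
    return out


if __name__ == "__main__":
    for sample in (
        "default-src 'self'; script-src 'self' https://cdn.example.com",   # constructed
        "default-src 'self' 'unsafe-inline'",                                # constructed
        "script-src 'nonce-r4nd0m' 'unsafe-inline' 'strict-dynamic'",        # constructed
    ):
        print(sample, "->", findings(sample))
```

For the policy in the first sample a stored <script> tag in a comment does not execute and eval() is refused, which is exactly the situation the DevTools message describes; adding 'unsafe-eval' or 'unsafe-inline' to script-src removes that protection, so the fix the message suggests should be a last resort.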
Great video. I would also mention that the structured token has an expiration date. So if a token is revoked at the auth server but the resource server doesn't introspect, at least the resource server will only accept the token until it expires anyway.
I have a question: when redirecting to the Authorization server for the very first time, we pass the code challenge and the method with which it is hashed. If anyone steals that information, then they can easily decrypt the original code verifier, and next time they can steal the Authorization Code and send the same code verifier string.
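The worry in the comment above is that an observer who sees the code_challenge and code_challenge_method on the first redirect can recover the code_verifier. With the S256 method the challenge is a SHA-256 hash of the verifier, and a hash cannot be reversed, so seeing the challenge (and even the authorization code) is not enough to complete the token exchange. The following is an added example, not code from the video or any real authorization server, that builds both halves of PKCE (RFC 7636) in Python: a client that generates the verifier and challenge, and a minimal in-memory authorization server that stores the challenge with the code and checks the verifier at the token endpoint. The client id, the in-memory storage and the issued token format are constructed for the example.

```python
"""PKCE (RFC 7636) with the S256 method: client side and a toy authorization server.

Added example; the server is an in-memory stand-in, not any real implementation.
"""
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Random code_verifier: 32 bytes -> 43 unreserved characters (allowed range is 43..128)."""
    return _b64url(secrets.token_bytes(nbytes))


def challenge_from(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))). One-way: not reversible."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Keeps (client_id, code_challenge) per issued authorization code."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Only S256 is accepted; the 'plain' method would expose the verifier in the redirect.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Codes are single use: pop removes the entry whether or not the check succeeds.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None  # unknown, expired or already-used code
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        # Recompute the challenge from the presented verifier and compare in constant time.
        if not hmac.compare_digest(challenge_from(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def legitimate_flow(server: AuthServer, client_id: str = "example-app") -> bool:
    """The real client knows the verifier it generated, so the exchange succeeds."""
    verifier = make_verifier()
    code = server.authorize(client_id, challenge_from(verifier))
    return server.token(client_id, code, verifier) is not None


def observer_with_challenge_only(server: AuthServer, client_id: str = "example-app") -> bool:
    """A party that saw only the redirect (challenge, method, code) has no verifier.

    Presenting the challenge itself, the best it has, is rejected because
    SHA256(challenge) != challenge.
    """
    verifier = make_verifier()  # generated by the legitimate client, never observed
    challenge = challenge_from(verifier)
    code = server.authorize(client_id, challenge)
    return server.token(client_id, code, challenge) is not None


if __name__ == "__main__":
    print("legitimate client:", legitimate_flow(AuthServer()))          # True
    print("observer with challenge:", observer_with_challenge_only(AuthServer()))  # False
```

Two points the code makes concrete: the server never learns or stores the verifier, only its hash, and each authorization code is consumed on first use, so even a party that captured the code cannot retry it later with a guessed verifier.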
Great explanation; it took a while to find one. You put it in a visual way and your explanation skills are like a teacher's. ... You deserve a good old massaging of the balls.
Hey, I get that OAuth2 is required by a third party to access an API; for example, when I say "continue with Google" for the first time it will get my email, name, profile photo and all. This will help in getting that data and creating a user, but how does login happen with the "login with Google" button?
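Two of the comments above come down to how a token is checked once it reaches the application: the earlier remark that a resource server which does not introspect will still honour a revoked structured token until its exp claim passes, and the question of how "login with Google" differs from plain API access. The answer to the second is OpenID Connect: in addition to an access token, the identity provider issues an ID token (a signed JWT) whose iss and sub claims identify the user, and the application logs that user in by looking up or creating a local account keyed on (iss, sub). The following added example (not code from the video or from Google) implements both checks over a hand-rolled HS256 JWT. The issuer, audiences, shared secret and claims are constructed; a real provider such as Google signs ID tokens with RS256 and publishes the public keys in a JSON Web Key Set, so the HMAC here is a stand-in that keeps the example self-contained.

```python
"""JWT checks for a resource server (exp / introspection) and for OIDC login (ID token).

Added example with constructed values; HS256 stands in for the RS256 a real IdP would use.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"            # constructed
CLIENT_ID = "example-app"                 # constructed: audience of ID tokens
API_AUDIENCE = "https://api.example"      # constructed: audience of access tokens
SECRET = b"constructed-shared-secret"     # constructed: never hard-code in real code


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT (what the authorization server would do)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, *, issuer: str, audience: str, now: float) -> dict:
    """Signature, alg pinning, iss, aud and exp checks. Raises ValueError on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def resource_server_accepts(token: str, secret: bytes, now: float,
                            revoked_jtis=frozenset(), introspect: bool = False) -> bool:
    """Local validation only honours exp; revocation is seen only when introspecting."""
    try:
        claims = verify_jwt(token, secret, issuer=ISSUER, audience=API_AUDIENCE, now=now)
    except ValueError:
        return False
    if introspect and claims.get("jti") in revoked_jtis:
        return False  # the auth server's view (simulated by the revoked set) wins
    return True


def login_from_id_token(token: str, secret: bytes, now: float, accounts: dict) -> dict:
    """'Login with <provider>': trust the ID token's identity, keyed on (iss, sub), not email."""
    claims = verify_jwt(token, secret, issuer=ISSUER, audience=CLIENT_ID, now=now)
    key = (claims["iss"], claims["sub"])
    if key not in accounts:   # first visit: create the local user from the token's profile claims
        accounts[key] = {"email": claims.get("email"), "name": claims.get("name")}
    return accounts[key]


if __name__ == "__main__":
    now = time.time()
    tok = sign_jwt({"iss": ISSUER, "aud": API_AUDIENCE, "exp": now + 600, "jti": "t1"}, SECRET)
    print("accepted without introspection after revocation:",
          resource_server_accepts(tok, SECRET, now, revoked_jtis={"t1"}))            # True
    print("accepted with introspection after revocation:",
          resource_server_accepts(tok, SECRET, now, revoked_jtis={"t1"}, introspect=True))  # False
```

Note the audience split: an ID token is addressed to the app (aud = client id) and an access token to the API, so the resource server refuses an ID token presented as an access token even though both carry valid signatures from the same issuer.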
Yes, I noticed time and again that whoever wrote the specification did not really go over it logically and make sure there was no overlap. The explanation here was good. The reality, though, is staggering, as developers who never read the spec write "REST-ful", or should I say REST-like, code. Of course, I can't blame them; they are constantly assigned 2.5 times their possible workload ALL the time. So who has time to read the spec!? The managers just want them to close the tickets so the report looks good.
So you're saying it's just for displaying something immediately on the callback UI to reduce API calls? Seems pretty pointless unless it does something else.
If only I knew how to create these stupid configuration profiles (p12) with certificate & key for iOS/iPadOS. On macOS the import into the Keychain via the Terminal works. But how do you do that on iOS if you want to use mTLS in Safari for login? Anyone have an idea? I've already tried various approaches; all of them failed. 😞
Excellent video! Not verbose and tedious like many others, and very informative. The only small nit I have: at 4:45 you say "we will learn about the response type in a minute" but then I don't think you ever talk about it. You do talk about Grant Types which are related (I think?) but not response type.
Nice video, and I'm thinking of using OAuth for the project I am working on now, but I want to ask a question. Do I need to pay or add my credit card before I can use it?