OAuth 2 Explained In Simple Terms

Подписаться 853 тыс.

Просмотров 336 тыс.

50% 1

Get a Free System Design PDF with 158 pages by subscribing to our weekly newsletter: bytebytego.ck.page/subscribe
Animation tools: Adobe Illustrator and After Effects.
Checkout our bestselling System Design Interview books:
Volume 1: amzn.to/3Ou7gkd
Volume 2: amzn.to/3HqGozy
The digital version of System Design Interview books: bit.ly/3mlDSk9
ABOUT US:
Covering topics and trends in large-scale system design, from the authors of the best-selling System Design Interview series.

Опубликовано:

28 июн 2023

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 146

@user-uk5kq3nr4r 3 месяца назад

I think this is the only video on RU-vid, in which OAuth is explained in a very simple way.. thanks.

@balajik8561 3 месяца назад

That's right! Excellent explanation

@nick_merchant 9 месяцев назад

Very easy to understand, clearly spoken with good graphics and solved the mystery in my mind within 4 minutes and 30 seconds. Thank you so much.

@djplt1240 Год назад

Great explanation! Two minor clarifications: the authorization code is sent to printMagic service via the user with a HTTP redirect rather than the auth server directly sending the authorization code to PrintMagic. Also depending on OAuth server implementation, you may not be able to revoke the access token immediately and instead have to revoke the refresh token instead.

@sampathsris Год назад

This is very true, but if you try to draw arrows for all the redirects and HTTP requests, OAuth flow diagrams tend to become really convoluted.

@karthiksuryadevara2546 Год назад

Whats the difference between oauth 1.0 and oauth 2.0

@henryzhang7873 11 месяцев назад

There is also the server-sided flow that doesn't require a browser redirect though, where the providers can coordinate directly.

@boredhuman9289 7 месяцев назад

Oh man, you explained this so well, I was struggling with this topic for years now, never actually understanding what is going on there! Thank you!

@charlymarchiaro 6 месяцев назад

At last!!! This is by far the best explanation I've seen. Thanks a lot.

@ElvisANgoh 8 месяцев назад

This was incredibly refreshing and so easy to understand. This is the first video I have watched from you, I can't wait to see more, and other topics

@gsenthilkumar8139 2 месяца назад

00:04 OAuth 2 simplifies secure access to resources. 00:37 OAuth 2 is like giving someone a special key for accessing specific information in another application. 01:12 Using OAuth2 to grant permission to access Snap Store photos. 01:39 OAuth 2 facilitates secure access to resources 02:16 OAuth2 process flow explained 02:50 Authorization code is exchanged for access token by the client. 03:24 OAuth 2 protects login credentials and allows controlled access to authorized resources. 03:58 OAuth 2 is essential for web security Crafted by Merlin AI.

@SoupTubeTV 6 месяцев назад

This channel is invaluable. Thank you for your knowledge!

@ayoolaoladipe8105 2 месяца назад

The explanation is straight to the point and the graphics makes it easier to understand thank you

@sungjuyea4627 Год назад

I always get irritated by this complex and "seemingly" pointless process. Now it is very clear why we need it. Thanks to your explanation :)

@pallavkan Месяц назад

you solved my confusion in just 10 min which I was struggling after studying so many articles from medium

@ayaabdelmagied6696 9 месяцев назад

you head nail on the head.... simple and to the point

@meghnamanjunatha4707 9 месяцев назад

Thank you so much for the clear and simple explanation!

@saravanansomu8296 4 месяца назад

Very nice explanation with the perfect animation. It's slick because it doesn't need lot of implementation details here.

@vintagewander Год назад

I was about to implement google login from scratch and had a lot of problems implementing it without relying on external libraries. This video helped me a lot sir, thank you for your content ❤

@alainpannetier2543 Год назад

1. At 2:10 third lifeline title is wrong. Should be OAuth2 server (e.g. Snapstore OAuth2 server or 3rd party [keycloak] server) instead of "Print Magic". Cut'n paste leftover probably. 2. At 2:49 The request dialog that submits the parroval is the one that receives the authorization code in return. So the authorization code is in the browser and acquired by print magic via the redirect_uri initially specified by PrintMagic in the request for dialog. This is why we need the authorization code indirection (otherwise either there is no client auth or the browser would know the client secret).

@msreedaran89 11 месяцев назад

2:21 rather than 2:10? I came to the comments to point out the same thing

@padalaraveendra 11 месяцев назад

Breakdown of complex concepts in to digestable explanations --> Quite Appropriate wording😍

@wirelessnerd7131 5 месяцев назад

Thank you for the explanation. Simple and straight forward and btw great graphics.

@edydon 9 месяцев назад

Very clear presentation. Keep up the great work!

@AkshayHendre2010 11 месяцев назад

Thanks for the video! Finally I know what this OAuth 2 is.

@jubiaj2672 6 месяцев назад

best explanation so far. thank you

@locotx215 9 месяцев назад

You did it, you finally explained the WHY part . . . ."so you don't have to share credentials with other sties"

@hakkoktay7597 29 дней назад

Explained in a very simple way but also excellent!

@PhillipKerman 17 дней назад

Of course there's tons more to know, but this probably the best description under five minutes. In about one hour Nate Barbettini covers this, along with OIDC and PKCE. After that learn about JWT and related formats and you'll have all the fundamentals.

@madhavareddy580 Месяц назад

Beautiful visuals and amazing explanation. Thanks!

@fong555 11 месяцев назад

Another great video! Thank you for your time and effort! Could you please share or make a video about what tool and how you made those animated diagrams? Appreciated so much!

@tayyabmunir6228 25 дней назад

Wao, I was struggling with the basic concepts of oauth2 for a long time. This video explains it really well.

@etshbadr 9 месяцев назад

Love your explanation!

@basseygodwin7384 8 месяцев назад

Clearest video I've seen on this

@videogamesare1 2 месяца назад

Outstanding video! Thank you!

@thomashsu5252 23 дня назад

Super explanation. Thanks a lot for sharing

@muhammadumarsotvoldiev8768 5 месяцев назад

Thank you very much! Very helpful!

@sheykenasababy 10 месяцев назад

0:40 "To scrape information from crusty old banks" I did not expect a roast this hard

@sumanthvarma9999 Год назад

Can you cover Kerberos authentication please

@hasan_shans 2 месяца назад

Great explanation! Thanks!

@jamaicanstillbapin 28 дней назад

Excellent video, many thanks!

@jaiyden9888 10 месяцев назад

Thanks for this! Great video :)

@vicenterendo 5 месяцев назад

Thank you so much, lifesaver!

@somnathgolui2912 Год назад

Thanks for the video.

@himanshujain5670 10 месяцев назад

simple and crisp explanation

@canhlinh 3 месяца назад

Nice presentation. Thank you.

@tahiraziz193 11 месяцев назад

Your explanation is Aws0me👍

@cuybueno 7 месяцев назад

Another kickass video!

@mahamadoutogola4001 5 месяцев назад

Great explanation 😊

@willpringle 10 месяцев назад

Awesome video!

@axis0401 7 месяцев назад

Animation in this video is awesome

@musaddiqueansari7695 5 месяцев назад

wow! great explanation

@7tsh 10 месяцев назад

The video looks great. would you mind telling me which tool does you use to create the video ?

@bhaveshmuleva2352 7 месяцев назад

Will implement in my upcoming project

@sLiv256 11 месяцев назад

perfectly explained

@zehrairkicatal2156 4 месяца назад

excellent explanation

@jlp2011 9 месяцев назад

great vid. minor remark : 1st collab/msg diagram - full one - puts printmagic on 2nd n 3rd lane from left. 2nd diagram has 3rd lane being snap’s auth which makes more sense

@am_0x2a 6 месяцев назад

I noticed this too. Great video overall though!

@sridharneelakanta 8 месяцев назад

Thanks for the concise explanation. Appreciate it. A small correction -- the sequence diagram at 03:52 shows "PrintMagic" within the blue rectangle. It should have been "Snap Store Auth". Thanks again.

@devrj1679 Месяц назад

Yes your correct, but green rectangle. Thanks for pointing that out.

@ml-rj5pt 8 месяцев назад

Thanks for the great video. One question though...at 3:20 when PrintMagic fetches photos with the access token, does the SnapStore Resource still need to validate the access token? If so, does it need to call SnapStore Auth api to validate?

@robot67799 11 месяцев назад

Awesome!

@trickytricktwo 4 месяца назад

very nice explanation

@user-td1nr8hc7x 10 месяцев назад

Great Explanation👏. One question what happens if refresh token expires, will the user have to go through oauth process again.I'm just curious.

@user-rd4oo1jg5g 9 месяцев назад

Very good video, I have a question if I am developing an app, my server would do authentication service based on what I implement and authorization server, right? In the latter I should implement the access by roles, within the same token as information I would get the scope to compare whether or not you have access to the resource? Thank you very much

@systemBuilder Месяц назад

It would be super awesome to give an example of a barebones OAuth2 that everybody uses (like a draw webapp asking for access to your google drive with frw other assets) then we could literally watch the OAuth2 in the Chome debug window under the network tab.

@foadkh8210 7 месяцев назад

Thanks !!

@michelledigdecarvalhoperei144 10 месяцев назад

caralho mt bom explicou o que to tentando entender faz 1hora pesquisando na net valeu

@ronitdhingra4395 11 месяцев назад

What tool do you use for the animations? they are great!!

@laserz23 10 месяцев назад

curious to know this too

@BehniaFB 6 месяцев назад

I liked the animations

@yashwanthbedre8220 Год назад

simplest explanation ever!

@oskarspozdnakovs6441 11 месяцев назад

Great video. It's Zero Auth by the way

@codewriter3000 9 месяцев назад

What do you use for animations?

@XJacksonvilleX Месяц назад

the graphics are amazing.. how do you create them??

@jasoncampbell1464 3 месяца назад

In a nutshell, you ask app 1 to invoke app 2. App 2 comes to you and asks if the request is legit. If you say yes, the apps create a secure communication channel and start collaborating to offer you the service

@Shitbull4Azlakssss 9 месяцев назад

what a good video

@haykkarapetyan867 2 месяца назад

Great explanation, BUT on 3:51 the "Snap Store Auth" changes into "PrintMagic" on your sequence diagram. This makes it look like the refresh token is given to the same "PrintMagic" to get updated Access Token

@ngamlenmangtouthang4507 9 месяцев назад

please make a video on access token and refresh token :)

@vatsalshah8680 11 месяцев назад

Question - How does the SnapStore resource server verify the OAuth token? Does it call the OAuth service to do this?

@brianliang3010 11 месяцев назад

why can't access token be sent along in permission granted response and requires another request?

@user-ol8uu1kh6o 5 месяцев назад

when oAuth is enabled, the client software first requests for authorisation from the auth server & auth server asks the user for approval and when approved, auth server gives an access token to the client software and client can make requests and get responses

@annetak693 4 месяца назад

Not sure I heard it right at 2:55. So, #authorizationcode IS #clientId and #clientsecret?? Or #authorizationcode WITH #clientId and #clientsecret (and are presented to authorization server?)

@user-rd4oo1jg5g 10 месяцев назад

Hello, how are you, there are applications that request a token, request that the client id and seceret key be sent, others an api token and a secret key, how is this different from, for example, sending user and pass?

@twinkleverma2945 7 месяцев назад

Hi @ByteByteGo ... @3.51 the 3rd tower's name is incorrect. It should be "SnapStore Auth" instead of "PrintMagic". It becomes confusing at this point.

@uttambasak100 10 месяцев назад

3:53 both the heading is written as PrintMagic is that correct

@tadtab2 Месяц назад

@2:20 the 3rd column need to be renamed 'SnapStore ' instead of 'PrintMagic'?

@juozasjuozas 4 месяца назад

That was great! But how about registering? Eg. using a google Account to log in. Considering i can revoke the token. How can I log in despite never having given my password to the external side?

@ikbo 8 месяцев назад

Why the extra http request of getting authorization code then access token?

@mightylb4543 Год назад

Why we need 2 different codes ? Authorization codes and access tokens, why was it designed this way?

@avidtechie9734 Год назад

an authorization code is a temporary credential that serves as proof of the user's consent to access their protected resources. It plays a crucial role in the OAuth flow and is used to obtain an access token, which is then used to make authenticated API requests on behalf of the user. The authorization code flow adds an extra layer of security to the OAuth process. Instead of directly exchanging user credentials (e.g., username and password) for an access token, the authorization code flow separates the authorization and token exchange steps. This way, the access token is not exposed to the client application, reducing the risk of unauthorized access or token leakage. OAuth: Authorization Code Importance In OAuth, an authorization code is a temporary credential that serves as proof of the user's consent to access their protected resources. It plays a crucial role in the OAuth flow and is used to obtain an access token, which is then used to make authenticated API requests on behalf of the user. Here's an overview of why an authorization code is needed in OAuth: User Consent: OAuth is designed to protect user data and privacy. Before an application can access a user's protected resources (such as their profile or data), the user must explicitly grant consent. The authorization code serves as evidence that the user has granted permission for the application to access their resources. Security: The authorization code flow adds an extra layer of security to the OAuth process. Instead of directly exchanging user credentials (e.g., username and password) for an access token, the authorization code flow separates the authorization and token exchange steps. This way, the access token is not exposed to the client application, reducing the risk of unauthorized access or token leakage. Limited Lifetime: Authorization codes have a limited lifetime, typically short-lived, making them less susceptible to misuse. Once an authorization code is issued, it has a short validity period, usually a few minutes. This helps mitigate security risks and reduces the window of opportunity for attackers to intercept and abuse the code. Authorization Code Exchange: After obtaining the authorization code, the client application sends it to the authorization server, along with its client credentials, to exchange it for an access token. This token can then be used to make authenticated API requests on behalf of the user. By using an authorization code, OAuth ensures that the user's consent is obtained, enhances security by separating authorization and token exchange steps, and provides a limited and controlled means of obtaining access tokens. In Authorisation code flow this happens. There are various authentication / authorisation flow available. In the above video authorisation code flow is explained. In which authorisation code is returned after successful authentication. Then authorisation code + client id + secret key is sent to the server which validates that the user is the same as authorization key is the same and it is not tempered. And then the server returns 3 tokens. (1.Access tokens which contain scopes/ permission used for sending requests to get resources. 2.Id token which contain user information/ claims. 3. Refresh token - this is optional.)

@azvyae Год назад

@@avidtechie9734from my perspective as user who will access the resource, the auth code simply like 2FA codes eh? Given from the auth server to the user, then user itself "approve" the permission that the resource should be consumed by the client app right? So then after the user "give the code" to the client app, the client app then can have the access token. Am I right? Or i'm missing something?

@tsunghan_yu Год назад

Mainly two security benefits: 1. we can avoid sending the access token, which is sensitive information, in the front channel and send it in the back channel instead. 2. we can authenticate the client as well by requiring the client to send client_id and client_secret (along with authorization code) to request the access token. Here's a video that directly answers your question: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-996OiexHze0.html And here's a good illustration of the whole flow: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-PfvSD6MmEmQ.html

@henryzhang7873 11 месяцев назад

This prevents the client from knowing the token. The services may not trust the client or want to charge money for operations without the risk of spoofing.

@pwn2424 Год назад

what is a permission dialogue?

@sergiomora1209 Месяц назад

Can Google App Passwords still be used to access Gmail through Outlook 2019 using POP3 after LSA’s is disabled?

@nitinkumar28 11 месяцев назад

How SnapStore Auth server authenticate [#authorizationcode #clientid #clientsecret] ? Are #clientid #clientsecret and scope are provided to PrintMagic by User and stored at SnapStore Auth server as well ?

@davideanguianomelendez628 Месяц назад

It seems to me that diagrams on 2:20 and on 3:58 have a mistake: the green "PrintMagic" actor should be labeled as "SnapStore Auth", as it actually is on 3:17. Am I right?

@deemon710 4 месяца назад

@3:22 That feels a tad redundant. Anyone know why SnapStore Auth doesn't immediately give the access token (in green) after the request is approved (in blue)? Why is the "Get Access Token" (in yellow) step needed?

@JinTsen 6 месяцев назад

There is a small mistake. When you first animate the flow at 2:19 , you have 2x PrintMagic, missing the (later fixed) SnapStore Auth

@MrNeuroMind 6 месяцев назад

3:59 also

@800pieds Месяц назад

Clear, but how does Snapstore know that the token is valid?

@sampathsris Год назад

What if we used OAuth2 in our web apps as a way to authenticate with a Resource Server? Because, the authentication with the resource server is implicit in this flow, isn't it? /s Nice video. Would love to see an OpenID Connect video as well. :)

@snk-js Год назад

that's the whole point u need a server to manage access keys

@marcelocardoso1979 Год назад

This is actually called federated login. You have a single point of authentication that is trusted and well secured to access all your resources. It wouldn't make much sense to implement an authentication/authorization server into every app, otherwise we would need to trust all apps and single sign-on flows wouldn't be possible anymore. This kind of authentication/authorization also allows zero-trust networks to exist.

@ryankan1 Год назад

does anyone know the app used to make these animated process flow diagrams?

@YuruCampSupermacy Год назад

Most probably Adobe after effects

@tsunghan_yu Год назад

it's in the video descriptions

@user-pm3wp2sd3u 11 месяцев назад

how to make a video like this

@abdoyones1983 4 месяца назад

is there a mistake in the diagram @ 2:19 ?

@royd-w 10 месяцев назад

Out of curiosity, why can't the snapstore auth immediately give printmagic an access token once resource permission has been granted? What is the purpose of the "get access token" step?

@runilmotwani9549 10 месяцев назад

Printmagic has to use its own client ID and secret to authenticate itself to snapstore before it gets the real access token. It's an additional layer of security

@royd-w 10 месяцев назад

@@runilmotwani9549 Thank you

@StanleySathler 6 месяцев назад

Why after receiving the authorization code, we still need to request the access token? Couldn't we just retrieve the access token directly?

@StanleySathler 6 месяцев назад

After a long convo with ChatGPT, that's what I came with: There's always some UI involved, as the user needs to consent permissions. As UI's are less secure environments, it'd be risky to give them the access token. That's why we often do the "authorization code access token" exchange in a server environment. Still, would love extra thoughts on this.