Man, I am a backend dev with 4 yrs of exp., but believe me man, I always get lost in these OAuth grants. I always need to redo all the R&D again. But here you explained it very well mate, I must say perfectly explained. Keep it up
The auth code flow explanation was really great. However, the part where you explained the client secret is not very clear. Perhaps a little more detailed explanation would have helped me
Think of the client ID as a username and the client secret as a password. OAuth 2.0 also supports stronger means of authentication against the token endpoint, such as mTLS or JWT assertions
@jgoebel Absolutely awesome series of videos!! Thank you Jan! -- One question regarding this: why is it important to keep the client_secret as a password? After all, even if an attacker gets it, they will still need the user to authenticate.
@marcus-vg8ft If you have the client secret, then you can impersonate an app, i.e., an attacker could pretend that he is the app for which he has obtained the client secret and get access to the user's data
Thanks Jan! If it is for what Google calls "a desktop app", where the user will store the secret on his own computer, is this still risky? I thought with PKCE it should be safe no matter what. @jgoebel
Hey, I really love this video, especially because it shows visually what's going on instead of just tossing jargon around. What wasn't entirely clear though is WHY the code / token exchange is happening. Like, I don't understand how that extra step adds additional security compared to the implicit flow, for example. Any chance you could give me a hint here?
Hey, I get that OAuth2 is required by a third party to access an API. For example, when I say "continue with Google" for the first time, it will get my email, name, profile photo and all; this will help in getting that data and creating a user. But how does login happen with the "login with Google" button?
This was an awesome explanation of grant type authorization code flow. Thank you so much! One question I have is how does this flow work when you have one API that needs authorization to access another API where there is no "user" login involved? For example, I have a Spring REST web service that a vendor cloud app (Dell Boomi app) needs to access. In the past, I've used password grant type, which I know is not best practice. Sorry if this is a basic question.... I'm new to auth code grant type flow.
Hi Therese, the authorization code grant is only used together with a user (someone clicks approve on a screen). For server to server communication OAuth2 offers the client credentials flow. Ultimately it is a judgement call. Basic Auth is way simpler to implement because it is just username / password. With OAuth you need an authorization server. So unless you already support OAuth, I would rather go with Basic Auth. You might also want to take a look at using JWTs for server to server communication (I have a video series about this). This is probably better in terms of security, but more work to implement. You need to decide if it would be worth doing.
Thank you for a detailed explanation. My question is: how does the resource server validate the access token? We need a call from the resource server to the auth server in order to validate, right? Do we have a standard for this communication?
I explained it here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-q3FiuTZlroE.htmlsi=Vp_lWURCU0-HbG2Q&t=404 Either via a call to the authorization server or, if the token is structured (e.g. a JWT), by validating the token's signature with a public key.
Thanks for the video this has been very helpful for me. I've one question I hope you can answer for me. Once I've passed authentication and have received the token back on the client, and then the client makes a request to the RESOURCE server. Does the resource server need to check the token against the auth server with every request?
Most services use structured tokens, i.e. JWTs, so you can validate the token without making a REST call to the authorization server. There are a few edge cases you could run into, however, e.g. if a token is revoked you might accept it on your service. Therefore, for critical actions like purchasing something, you can use the token introspection endpoint of the authorization server, where you can have a token validated
So server side rendered apps don't use a state parameter because using a client secret makes it secure enough already? Also, if anyone has any resources explained how to decide what the redirect URL should be, please link (I am new to this and I suspect it may be obvious to many)
Thanks for this! Right now I need to implement an app that creates some google-calendar events, but for a ServiceAccount. I saw many examples in the docs that create/use AuthorizationCodeInstalledApp (or similar) to create a 'credential' instance (com.google.api.client.auth.oauth2.Credential), but it works for regular user accounts and not for a ServiceAccount (I already have the JSON file with key info from my ServiceAccount). Do you know where I can find some examples for what I'm looking for? Something like this:
    final NetHttpTransport HTTP_TRANSPORT = GoogleNetHttpTransport.newTrustedTransport();
    JsonFactory jsonFactory = GsonFactory.getDefaultInstance();
    GoogleCredentials credential = GoogleCredentials.fromStream(new FileInputStream(jsonPath))
        .createScoped(Collections.singleton(CalendarScopes.CALENDAR));
    Calendar calendar = new Calendar.Builder(HTTP_TRANSPORT, jsonFactory, credential)
        .setApplicationName(APPLICATION_NAME)
        .build();
(this example isn't working because Calendar.Builder needs some Credential obj as a third param)