
Securing Your APIs with OAuth 2.0 - API Days 

OktaDev

SLIDES: speakerdeck.com/aaronpk/secur...
In this talk, you’ll learn how to use OAuth 2.0 to secure access to your APIs. OAuth is an authorization protocol which enables applications to access data on behalf of users without needing to know their username and password. This enables many use cases such as easily enabling multi-factor authorization for your users, and better separation of concerns of all your backend services.
We’ll look at how to use JWT access tokens, as well as the tradeoffs that come with them. We’ll look at how to design scopes that allow granular access to various parts of your backend services. We’ll also look at how to design a microservices architecture protected by OAuth at a gateway.
Aaron's book, OAuth 2.0 Simplified: amzn.to/2S6Uj4e
Follow Aaron at / aaronpk

Published: 25 Jul 2024

Comments: 29
@Chris.Plunkett 2 years ago
This is a golden example of how a technical presentation should be. Great job!
@starman9000 9 months ago
Presenter was clear in mind what he is talking! I am able to understand which I failed to understand from many other similar content. Thank you.
@mingzus 3 years ago
not shortest one in RU-vid, but one of the BEST to explain Oauth! Thank you!
@parthsalat 3 years ago
That's coz he made Oauth 2.0
@AnonyoX 1 year ago
One of the best presentations on this topic. Lucid, on-point, and yet moderately detailed. Thank you, Aaron.
@ThePersepolis32 4 years ago
I already read some articles, but this was a perfect explanation.
@FictionsAndIllusions 3 years ago
Thanks for this video. I was curious about how to secure Web APIs using OAuth2.0 and the second half of this talk answered it perfectly.
@joeyjoejoo 1 year ago
that was an absolutely brilliant tutorial. thanks very much.
@OktaDev 1 year ago
You're very welcome! Glad that you enjoyed it.
@randyhockin2437 4 years ago
Excellent presentation Aaron.
@sergiocamacho730 3 years ago
Excellent presentation. It wasn't hard at all to watch for a half-hour talk.
@pradeeprao6733 4 years ago
comprehensive presentation, thanks
@sumitkumarb4u 2 years ago
Very nice presentation. Really helped!
@JanithKalhara 2 years ago
Simple and clean.
@pepsiholix 10 months ago
Now that was an excellent talk!
@beatagozdziaszek8157 4 years ago
6:28 Start of the OAuth 2.0 flow
@bdoesbjj 3 years ago
tintuu Why are you laughing? Your comment is not helpful at all.
@santiagocavanna 2 years ago
Thanks for sharing this information. I found it very clear and useful. I am doing some work as IAM Arch and not always it is clear the path.
@green10701 4 years ago
Perfect explanation 10:28
@smritisharan-sfdcamplified 3 months ago
Nice
@alirezaamedeo 1 year ago
PKCE is not the replacement of client authentication. It's simply to prove whoever is exchanging code for token is the same guy who requested the code.
@mansimen 3 years ago
Hi, great presentation, the hotel card analogy is quite good. But IMHO, really poor choice of colors for the slides. I'm colorblind and don't see any difference between those arrows that you mentioned in slide at minute 10:39.
@alittleextra2832 2 years ago
The world does not revolve around you.
@HenryPan 4 years ago
Is OAuth 2.0 itself secure enough?
@oko2708 4 years ago
4:15
@davidharris3391 4 years ago
Empirical data, i.e. the past several years of billions (or trillions ?) of transactions using Oauth2 would say 'if used properly, yes'.
@domaincontroller 3 years ago
Specs are not good tutorials, 20 specs 00:57 the password anti-pattern 02:23 OAuth spec, Sign in with 02:46 OAuth was designed to give access to data, accessing APIs not about identifying the user 04:15 OpenID connect 04:36 OAuth originally created for that third-party app access, first party app as well, gmail actually redirects you to the google OAuth server 06:24 we gonna take a look how OAuth works, from an application point of view 06:39 access token, hotel key 07:57 five roles 08:51 starting with the simplest flow 10:45
@alirezaamedeo 1 year ago
You may not want to expose scopes of a JWT to the world so reference token will be the only option.
@allyc0des972 3 years ago
It's couldn't care less, not could care less