Dragging my feet a little on the next video because of the holiday season, but it's on its way soon!
@disaabrgr19 days ago
great video
@whenthecamerasareoff_ 20 days ago
Watching your video on my YT feed after a long time, hope you are doing good. And yes, an effective CDN strategy would really help along with other modern SRE tactics :)
@JuanGGZ a month ago
Thanks for this, easiest and most practical way to remember how to do a call when you didn't for years! 🙏
@Just_Clair2 months ago
It's so cool! I've been trying to use jwt-decode npm package, and it's been giving me errors, unable to even recognise its own .decode() function. Can you recommend a way out?
@dennesmagayanes1272 months ago
My issue with this now is that for our automation scripts, which obviously use service accounts, they will not work because it's not an actual user/person that has access to a UI/Browser. How to go about this? Seems like it defeats our automation purpose if every time we have to execute them we have to first get the Auth Code via browser.
@roy_c27 days ago
You should use client credentials Flow
@rajeshm67035 months ago
Very clear. Thanks.
@rahulkanna10478 months ago
link not working
@ederjimenez88 months ago
can I decode a JWT token with MS Power Automate?
@bissellator 4 months ago
So far as I know, not directly because Power Automate doesn't support base64 decoding. You can split the JWT into the three components, but you would need to do an HTTP callout to a service that can base64 decode it for you at that point. If you have any local compute you could, in theory, run a node app that could take the string and return the JSON, but at that point you might as well write a full jwt decoder...
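The manual decode described in the reply above (split the token into its three segments, then base64-decode them), as an added example that is not part of the original comments. It assumes Node.js, and the sample token is constructed inline with made-up claims. Decoding only reads the claims; it does not verify the signature or the expiry.

```javascript
// Decode one base64url segment (RFC 7515 alphabet: '-' and '_', padding stripped).
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment is not base64url');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

// Split a compact JWT into header, payload and signature, and parse the JSON parts.
// This only READS the token. It does not check the signature, issuer or expiry,
// so the result must not be used for an access decision.
function decodeJwt(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected 3 dot-separated segments, got ' + parts.length);
  }
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(h).toString('utf8'));
    payload = JSON.parse(base64UrlDecode(p).toString('utf8'));
  } catch (err) {
    throw new Error('malformed JWT segment: ' + err.message);
  }
  return { header, payload, signatureBytes: base64UrlDecode(s).length };
}

// Constructed sample token: made-up claims and a dummy signature.
function makeSampleToken() {
  const enc = (buf) => buf.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const json = (obj) => enc(Buffer.from(JSON.stringify(obj), 'utf8'));
  const header = json({ alg: 'HS256', typ: 'JWT' });
  const payload = json({ sub: 'user-123', scope: 'read:orders', exp: 1700000000 });
  const signature = enc(Buffer.from('not-a-real-signature', 'utf8'));
  return `${header}.${payload}.${signature}`;
}

const decoded = decodeJwt(makeSampleToken());
console.log(decoded.header, decoded.payload);
```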
@ygorcosta689311 months ago
It depends a lot on the system's requirements. For instance, if you need to make this query on the front end, you leave the client ID and secret on the backend. After receiving the token, you can then use it securely on the front end. However, it's essential to restrict the token's lifespan; otherwise, it won't be effective.
@saikrishnapuli659111 months ago
can you confirm, token call is happening at backend or frontend via browser?
@ScrotoTBaggins a year ago
A little simplistic to just say client credentials bad
@bissellator a year ago
They're simply unsecure.
@longb1913 a year ago
what to use instead then @@bissellator
@rhysevancampbell3 months ago
@@bissellator I kind of agree with the comment. Bad for what? What is the better approach? And in what situation?
@zoltanhorvath2952 a year ago
very helpful ❤ thank you for your effort! helped me a lot
@cloudsatish a year ago
Fantastic explanation, Michael! Absolutely right in this age.
@LudwigTayona-d6c a year ago
these videos are awesome! big potential to blow up on youtube shorts
@sterkcode a year ago
Thanks Mr Michael
@MortenHolje a year ago
Hi Michael, thanks for great videos about grant flows. I think you should have specified that the auth service grants tokens which you use to consume resources from an API. It's a lot better than using API keys. Still learning, so please correct me if I'm wrong here (anyone, not just Michael).
@benpracht2655 a year ago
What should be done instead? How would you handle an automated request from another backend service?
@Renanfg10 months ago
so this flow is good for backend to backend since there's no exposure
@faruzzy a year ago
Thank you
@KawsarAli-s2r a year ago
tuuutft
@svenmeier651 a year ago
Your beard is truly majestic. Perfectly fits the calming voice.
@ericb8142 a year ago
Thank you Sir!
@libahenson a year ago
I had to watch three ads (one that was four minutes long) to view this 2 minute short that gave me barely any useful information about SLAs. To save you the hassle the gist is “SLAs are necessary commitments to build Trust with the customer “.
@bissellator a year ago
I get nothing from KZbin -- I'm surprised they ran so many ads. Which reminds me that I have a video I think I'm going to make called "Yes, tech really is getting worse" in part because monetization gets in the way of actually providing a service...
@ffsaurio a year ago
Thanks for this video!
@autumnchills2317 a year ago
I am still fairly new to OAuth so I'm still wrapping my head around the concept of oauth clients. In your diagram, would the App be considered the oauth client or would it be the API server? I'm confused because the App would be the one consuming the token and making requests to access protected resources for the user, but the API server here is the one exchanging the auth code for tokens.
@norunners_ a year ago
Yes, the client is sometimes called app. For example, a user (resource owner) can authorize a third party app (client) to access their data via an API server (resource service). The authorization service powers the flow by knowing the relationships (scopes) between clients and resource owners.
@gowsalyanatraj786 a year ago
thanks for the video
@sathiyanarayananagaraj4438 a year ago
Excellent explanation
@iambhanu7 a year ago
I am confused. What is the API here? Is it part of the Identity/Authorization setup? Or is it the server counterpart of the App?
@norunners_ a year ago
The API is the resource server. No, it uses the authorization services to verify access tokens against scopes protecting their endpoints/resources. No, the app (client) is an untrusted party that the user (resource owner) can grant access to their data via API (resource server).
@kaustubh1871 a year ago
Hi, Great Explanation. I was really clear and was on point! It would be great if you could make a similar one for implicit grant and resource owner credentials grant. Thank you.
@whenthecamerasareoff_ 2 years ago
Hi Michael, this is great. Though I believe, looking at fast ui building requirements nowadays, it's beneficial in creating skeletons. As to create complex hierarchical json schema would also require effort. It's easy to imagine/draw ui widgets in 2D plane than writing a tree. But this would certainly set the track to begin with a nice skeleton though. 👏
@bissellator 2 years ago
On my side project I have a tool that builds an OpenAPI contract and then deploys it to an API gateway. In order to let people then explore the data in their brand-new API, I use the model I describe in this video -- it's spiffy because I really don't have any idea what data people are creating, but they can *immediately* start interacting with it. So it makes a great admin/inspection tool, but I agree that if you're building a website or app, you're going to want to put more control on how you present the data than simply relying on the details of the contract.
@lacvietanh2 years ago
thank you so much!!!!!!
@alexsandromartins2 years ago
VERY GOOD!
@aa-el8yr2 years ago
So happy you are uploading new video again! Love your content, really help in my work
@dmytro_glory_ukraine2 years ago
About a purpose of IdP: as I understand in a minimal schema it should only verify the entity identity (authentication) and authorization can be on the service provider side. But in the video IdP does both: authentication and authorization, which looks strange: imagine that we have 10 applications and they have different roles, in such case IdP needs to manage that all, then more, what if I decide to add a new role to one of my applications? Please comment, thanks in advance!
@bissellator 2 years ago
Actually the IDP does not do authorization. I know the video makes it look like it does but what happens is the Gateway or the application itself asks the IDP for the information that it needs to make that assertion. You can't do authorization without Authentication, and authentication provides the information, the actual details required for authorization
@phemystevens632 years ago
Got it!! Thanks
@vishwanthkandibanda47112 years ago
short and simple
@igobivo2 years ago
05:33 and every single time that web application makes a call to that API the API will verify that key against the IDP against the keystore and see if it's still valid and it should get scopes back with that... the whole point of a token is that you don't have to communicate with 3rd party each time API call is made.
@bissellator 2 years ago
In OIDC you can validate the JWT locally, but in traditional OAuth the bearer token is just a key that needs to be verified by the API gateway.
@eltonli84582 years ago
This is concise and easy to understand! Thank you!
@DallasCowboyFan952 years ago
gold mind here
@abhishekpandey22722 years ago
Thanks a lot very well explained
@satwindersetia43672 years ago
With basics cleared by you, I can explore more...
@MBSH-ol4vy3 years ago
ok
@AliTwaij3 years ago
Nice, thank you
@tholfikarmohammed8873 years ago
I am speechless, that was a masterpiece. Thank you very much, I definitely gonna watch it again and again.
@tholfikarmohammed8873 years ago
That was very well explained, thank you.
@dangvinh86943 years ago
Very good and funny videos bring a great sense of entertainment!
@tandaumesh22823 years ago
java code for SSO setup
@JohnSmith-wz7he3 years ago
Nice clear intro. Thanks for putting this together. Do you have a playlist on each of these?
@tenminutetokyo26433 years ago
Too much overload of crapped up Hollyweird entertainment 24/7/365 flooding the country.
@udaypatil84583 years ago
Best! Best!! Best!!! Explanation!!!! Thanks a lot for this!!!