Thanks for pointing that out! You're absolutely right-there are two types of bearer tokens. I focused on the self-contained token in this tutorial since it’s easier to scale in distributed systems due to the lack of dependency on the authorization server for validation. Identifier-based tokens, while secure, do introduce additional latency because they require the resource server to call the authorization server for validation. It’s a trade-off between ease of scalability and real-time validation. Appreciate you adding that clarification!

Same here...I needed the visuals for clarity.

Thank you so much for this lovely comment and your support 🙏

+100

@@ByteMonk You are really good most of my doubts got cleared .

why are you sorry for a compliment 😀

​@@rpvaghasiyais it not a criminal offence to compliment? 😅

Maybe one day!

Thanks for the tips!

Would love to connect with you sometime to ensure my audio processing is correct

Yup. Now I don't know if I should keep watching.

Hmm, maybe it does not. AI gave me this response: "The Resource Server can validate the JWT independently, without contacting the Authorization Server, by: a. Verifying the signature using the public key of the Authorization Server. b. Checking the expiration time (exp claim) of the token. c. Validating other claims in the token (e.g., issuer, audience, scope)."

The ressources server validate by either a public key or forwarding to authorization server but mostly by public key

Thank you so much 😁

Appreciate the support, thank you :)

Great question! How the resource server checks the token depends on the type of token. If it’s a JWT, the resource server doesn’t need to talk to the authorization server again. The JWT has everything it needs, like user info and expiration time, and it’s signed, so the resource server can verify the signature and ensure it hasn’t been tampered with. However, if it’s an identifier-based token, then yes, the resource server typically has to reach out to the authorization server's introspection endpoint to confirm that the token is still valid. This adds a bit of latency but ensures the token is actively verified. So, for JWTs, no extra server call; for identifier-based tokens, the resource server usually needs to check with the auth server.

Ok, thank you so much for the response. Nevertheless it is still not 100% clear how the resource validates the JWT. I could just pass it a valid JWT from another random application, together with the client Id and Secret, maybe the resource server has to have some private key or some tool to check that the signature is actually one made by its auth server ?

This error typically occurs when the OAuth 2.0 protocol is being used incorrectly, particularly with how parameters are being handled in requests. In OAuth 2.0, certain parameters, like scope, are expected to have only a single value or a single list of values. This error usually happens if you have Multiple Values for Single-Value Parameter So, ensure that your request is formatted correctly. For scope, you should provide a single string with space-separated values (e.g., scope="read write"). Avoid sending scope multiple times or in conflicting formats.Verify the OAuth 2.0 API documentation for the correct parameter usage. And If you have control over the server-side implementation, make sure the server correctly parses and handles OAuth 2.0 parameters. The server should be able to process a single scope parameter with a space-separated list of values.

@@ByteMonk Thanks for answer, I finally solved it

this is my confusion as well

@@abimanoharan2378 i got it. Token provided by authorization server has the information that resource server needs to contact authrization server. So when resource server receives token, it parses it and then uses that info to connect to auth server and validates the authenticity of token.

Don't have to

FCP, Adobe, Photoshop, Ppro. Takes about 10 hours for a 5-10 minutes video :)

@@ByteMonk I'd say it's worth it.

Thank you 🙏

Here :) kzbin.info/www/bejne/eILafI1sr8usoZI You may also checkout relevant videos in the playlist in description.

Thank you 🙏

Thank you! Its primarily based on my previous experience with OAuth and SSO in general. Unfortunately I did not maintain the list of papers and articles I went thru to make this video.

thank you, I will look into this

Whenever you grant it access it shows what information the app wants to access. It doesn't get everything

Better late than never!

SAML video just released!

@@ByteMonk awesome.

I understand what you were expecting. The video focused on Google OAuth 2.0 as an example to illustrate the overall OAuth 2.0 flow. That said, I can see how a deeper dive into custom OAuth 2.0 implementation would be more helpful for some viewers. The main difference between Google OAuth 2.0 and custom OAuth 2.0 comes down to the provider and how the flow is implemented: In case of Google OAuth 2.0: Google is the authorization provider. It handles user authentication and issues access tokens.This is Often used for allowing users to log into third-party applications (like a website or mobile app) using their Google account. In Custom OAuth 2.0 you build and maintain your own authorization server or use a third-party provider tailored to your application’s specific needs.So you have more control over the entire flow and can define your own scopes, tokens, and permissions Hope this helps

Thanks for your feedback. Please let me know what to be improved and if you have any reference animated videos.

if someone has access to your laptop then it's not safe they can read the access token but usually the token is stored in httponly cokie which cannot be directly read and we're using https so the requests in encrypted in transit