exactly

Agreed, that detail is very important. I spent hours to understand it.

Nice, I actually got the same question when I watched the video and now it makes sense to me. Thanks!

Thanks, I had this same question too

He explained at 4:29 mark with having already registered with Memorial bank API before hand.

If I understand correctly it's an extra technical detail. Of which there are probably even more, which are relevant when you're actually there trying to implement the thing. Which may not be the scope of this video, so this higher abstractional level might not be by chance. When your granny asks what you do for work you don't go into all the details do you.

In a very superficial way. If you would have been requested to implement an App authentication with this knowledge - Would you know how to? For me it's insufficient.

True but 50% of the burden is on the listener to be interested. A disinterested or just plain stupid one may claim an explanation isn't clear as well. That's the trouble with maxims.

This is overview, implementing is details. If you read only documentation for details, it is surprising hard to understand and get whole picture, because such documentations assumes that reader already understands whole picture.

decatechlabs.com/oauth2-explained-and-how-oauth2-works-oauth-in-action

Glad you liked it

Yes Sarah need to be authenticated. OAUTH 2.0 flow does not include authentication. Authentication can be done in any of the ways like SAML. Yes, for sure Sarah need to authenticate to memorial bank.

Glad you liked it

I think he means that after initially setting up the individual logins of all of her bank accounts on MyBucks, she will be able to access the information she wants by only logging into MyBucks instead of having to login to all of her banks individually. But yes, she will have to login for each bank during the initialization.

Thank you!!

It appears to me that this video is about both

To watch multiple movies, we need ticket for each movie. Same goes here i.e. Sarah need to share Name, Web Site and Call back URL to the other banks that have her accounts.

Pls some one., I need an answer for the same

Same

exactly my thoughts too.. it said Sarah needs to login JUST ONCE to access all of her account information across various banks.. is it really a valid statement? having been a user of acorns, i think the practical approach would be once per bank account? more of a one time setup per bank till Sarah changes her creds with the bank.. did you ever happen to receive a reply on this one from the content creator?

The application would have client Id and Client Secret. Using client Id and client secret, response would be decoded, and access token would be retrieved. This access taken would later be used to get resource.

sending back access token directly to client is another authorization grant type mentioned in oauth 2.0 framework of ietf, named "implicit". "The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of issuing the client an authorization code, the client is issued an access token directly (as the result of the resource owner authorization). The grant type is implicit as no intermediate credentials (such as an authorization code) are issued (and later used to obtain an access token). When issuing an access token during the implicit grant flow, the authorization server does not authenticate the client. In some cases, the client identity can be verified via the redirection URI used to deliver the access token to the client. The access token may be exposed to the resource owner or other applications with access to the resource owner's user-agent." The implicit way ( send back access token to client/resource owner directly ) will expose access token to resource owner, which is simplified but not reasonable.

This video is very basic if you are asking this type of question.. but let me answer: access_token is not passed directly because we don't want the user to get to see the access_token, why? because user level is never trusted, or he may deplete our API quota by doing calls by himself or If a hacker is sitting in the user code or the application, he can grab the access_token which is bad, he now sees the "code" but this code is nothing without client_id and secret which are perfectly safe (at least under your control) You may say if a hacker is sittin on client side, he can also grab directly the facebook password, this is not always true depending on the hacker type.. if there is an xss vulnerability on your website he can grab the "code" but cannot intervene to facebook login.

This video (and the series) probably answers your question. kzbin.info/www/bejne/rpS3Z4J5l65qbc0

but in the authorization code grant whats the benefit of having an auth grant pass

Sarah has to put in her username and password in memorial bank if she hasn't logged into that yet in the auth request phase. I'm betting the access token identifies Sarah which MyBucks application uses the grant to get it. The resource server will deserialize (decode) the access token and figure out its Sarah. If there is any modifications in the token, I'm guessing it will become an invalid token. The Auth server has a key to encode the token and the resource server has a key to decode the token. These are known as private and public keys. I don't remember which one encodes and which one decodes xD