OAuth 2 Explained In Simple Terms
Рет қаралды 417,230
Күн бұрынGet a Free System Design PDF with 158 pages by subscribing to our weekly newsletter: bytebytego.ck....
Animation tools: Adobe Illustrator and After Effects.
Checkout our bestselling System Design Interview books:
Volume 1: amzn.to/3Ou7gkd
Volume 2: amzn.to/3HqGozy
The digital version of System Design Interview books: bit.ly/3mlDSk9
ABOUT US:
Covering topics and trends in large-scale system design, from the authors of the best-selling System Design Interview series.
@anilkumar-p6d3w 6 ай бұрын
I think this is the only video on KZbin, in which OAuth is explained in a very simple way.. thanks.
@balajik8561 6 ай бұрын
That's right! Excellent explanation
@itsZavier_1 2 ай бұрын
it's always the short videos that explain these kind of things with ease and understanding
@sollenism 13 күн бұрын
Great explanation! and your animation is top notch. Thanks
@locotx215 Жыл бұрын
You did it, you finally explained the WHY part . . . ."so you don't have to share credentials with other sties"
@nishithvyas Ай бұрын
Superb Explanation... Now, no need to go with "What is OAuth Question" anywhere....!!!
@thomashsu5252 3 ай бұрын
Super explanation. Thanks a lot for sharing
@ayaabdelmagied6696 Жыл бұрын
you head nail on the head.... simple and to the point
@hasan_shans 5 ай бұрын
Great explanation! Thanks!
@NallapuSrinivas-k1p 8 ай бұрын
when oAuth is enabled, the client software first requests for authorisation from the auth server & auth server asks the user for approval and when approved, auth server gives an access token to the client software and client can make requests and get responses
@ronitdhingra4395 Жыл бұрын
What tool do you use for the animations? they are great!!
@laserz23 Жыл бұрын
curious to know this too
@canhlinh 6 ай бұрын
Nice presentation. Thank you.
@muhammadumarsotvoldiev8768 8 ай бұрын
Thank you very much! Very helpful!
@vicenterendo 8 ай бұрын
Thank you so much, lifesaver!
@oskarspozdnakovs6441 Жыл бұрын
Great video. It's Zero Auth by the way
@zehrairkicatal2156 7 ай бұрын
excellent explanation
@babhijit 2 ай бұрын
At 02:29 whose client id is being referred to - PrintMagic or SnapStore ?
@ngamlenmangtouthang4507 Жыл бұрын
please make a video on access token and refresh token :)
@foadkh8210 10 ай бұрын
Thanks !!
@robot67799 Жыл бұрын
Awesome!
@deemon710 7 ай бұрын
@3:22 That feels a tad redundant. Anyone know why SnapStore Auth doesn't immediately give the access token (in green) after the request is approved (in blue)? Why is the "Get Access Token" (in yellow) step needed?
@abdoyones1983 7 ай бұрын
is there a mistake in the diagram @ 2:19 ?
@yashwanthbedre8220 Жыл бұрын
simplest explanation ever!
@TommieDahmen-y8p 21 күн бұрын
McKenzie Court
@testtest-c4z Жыл бұрын
Hello, how are you, there are applications that request a token, request that the client id and seceret key be sent, others an api token and a secret key, how is this different from, for example, sending user and pass?
@HenriettaPaul-c8n 5 күн бұрын
04905 Wilson Port
@StanleySathler 9 ай бұрын
Why after receiving the authorization code, we still need to request the access token? Couldn't we just retrieve the access token directly?
@StanleySathler 9 ай бұрын
After a long convo with ChatGPT, that's what I came with: There's always some UI involved, as the user needs to consent permissions. As UI's are less secure environments, it'd be risky to give them the access token. That's why we often do the "authorization code access token" exchange in a server environment. Still, would love extra thoughts on this.
@MalachiJoy-w2c 18 күн бұрын
0492 Sebastian Causeway
@ReubenTrenholme-m6r 21 күн бұрын
Dare Corner
@EugeneGrover-e9l 22 күн бұрын
Stephany Course
@patrykforyszewski4655 6 ай бұрын
Isn't there a mistake on diagram at kzbin.info/www/bejne/kIeYqoejadWHbsk with doubled Print Magic on top?
@ryankan1 Жыл бұрын
does anyone know the app used to make these animated process flow diagrams?
@YuruCampSupermacy Жыл бұрын
Most probably Adobe after effects
@tsunghan_yu Жыл бұрын
it's in the video descriptions
@LindaBourn-h6d 27 күн бұрын
Hernandez John Lee Joseph White Donald
@ariannaflannagan9820 14 күн бұрын
Hernandez Elizabeth Robinson Matthew Moore Maria
@PerryBaty-x2o 27 күн бұрын
Young Daniel Walker John Lopez Kevin
@PerkinHardy-z3i 20 күн бұрын
White Sarah Robinson Shirley Johnson Linda
@this-is-bioman Жыл бұрын
Nope, too confusing.
@Pluto102 5 ай бұрын
very poor explanation.Just use existing photo app names rather imganiary...
@marrlo121 6 ай бұрын
this was confusing im sorry. maybe im too new.
@Shitbull4Azlakssss Жыл бұрын
what a good video
@alainpannetier2543 Жыл бұрын
1. At 2:10 third lifeline title is wrong. Should be OAuth2 server (e.g. Snapstore OAuth2 server or 3rd party [keycloak] server) instead of "Print Magic". Cut'n paste leftover probably. 2. At 2:49 The request dialog that submits the parroval is the one that receives the authorization code in return. So the authorization code is in the browser and acquired by print magic via the redirect_uri initially specified by PrintMagic in the request for dialog. This is why we need the authorization code indirection (otherwise either there is no client auth or the browser would know the client secret).
@msreedaran89 Жыл бұрын
2:21 rather than 2:10? I came to the comments to point out the same thing
@OpenDeepLearning 2 ай бұрын
@@msreedaran89 Same here
@dwarslopers Ай бұрын
Thanks! That is correct and helped me!
@nick_merchant Жыл бұрын
Very easy to understand, clearly spoken with good graphics and solved the mystery in my mind within 4 minutes and 30 seconds. Thank you so much.
@djplt1240 Жыл бұрын
Great explanation! Two minor clarifications: the authorization code is sent to printMagic service via the user with a HTTP redirect rather than the auth server directly sending the authorization code to PrintMagic. Also depending on OAuth server implementation, you may not be able to revoke the access token immediately and instead have to revoke the refresh token instead.
@sampathsris Жыл бұрын
This is very true, but if you try to draw arrows for all the redirects and HTTP requests, OAuth flow diagrams tend to become really convoluted.
@karthiksuryadevara2546 Жыл бұрын
Whats the difference between oauth 1.0 and oauth 2.0
@henryzhang7873 Жыл бұрын
There is also the server-sided flow that doesn't require a browser redirect though, where the providers can coordinate directly.
@sumanthvarma9999 Жыл бұрын
Can you cover Kerberos authentication please
@sridharneelakanta 11 ай бұрын
Thanks for the concise explanation. Appreciate it. A small correction -- the sequence diagram at 03:52 shows "PrintMagic" within the blue rectangle. It should have been "Snap Store Auth". Thanks again.
@devrj1679 4 ай бұрын
Yes your correct, but green rectangle. Thanks for pointing that out.
@sheykenasababy Жыл бұрын
0:40 "To scrape information from crusty old banks" I did not expect a roast this hard
@pallavkan 4 ай бұрын
you solved my confusion in just 10 min which I was struggling after studying so many articles from medium
@sungjuyea4627 Жыл бұрын
I always get irritated by this complex and "seemingly" pointless process. Now it is very clear why we need it. Thanks to your explanation :)
@mightylb4543 Жыл бұрын
Why we need 2 different codes ? Authorization codes and access tokens, why was it designed this way?
@avidtechie9734 Жыл бұрын
an authorization code is a temporary credential that serves as proof of the user's consent to access their protected resources. It plays a crucial role in the OAuth flow and is used to obtain an access token, which is then used to make authenticated API requests on behalf of the user. The authorization code flow adds an extra layer of security to the OAuth process. Instead of directly exchanging user credentials (e.g., username and password) for an access token, the authorization code flow separates the authorization and token exchange steps. This way, the access token is not exposed to the client application, reducing the risk of unauthorized access or token leakage. OAuth: Authorization Code Importance In OAuth, an authorization code is a temporary credential that serves as proof of the user's consent to access their protected resources. It plays a crucial role in the OAuth flow and is used to obtain an access token, which is then used to make authenticated API requests on behalf of the user. Here's an overview of why an authorization code is needed in OAuth: User Consent: OAuth is designed to protect user data and privacy. Before an application can access a user's protected resources (such as their profile or data), the user must explicitly grant consent. The authorization code serves as evidence that the user has granted permission for the application to access their resources. Security: The authorization code flow adds an extra layer of security to the OAuth process. Instead of directly exchanging user credentials (e.g., username and password) for an access token, the authorization code flow separates the authorization and token exchange steps. This way, the access token is not exposed to the client application, reducing the risk of unauthorized access or token leakage. Limited Lifetime: Authorization codes have a limited lifetime, typically short-lived, making them less susceptible to misuse. Once an authorization code is issued, it has a short validity period, usually a few minutes. This helps mitigate security risks and reduces the window of opportunity for attackers to intercept and abuse the code. Authorization Code Exchange: After obtaining the authorization code, the client application sends it to the authorization server, along with its client credentials, to exchange it for an access token. This token can then be used to make authenticated API requests on behalf of the user. By using an authorization code, OAuth ensures that the user's consent is obtained, enhances security by separating authorization and token exchange steps, and provides a limited and controlled means of obtaining access tokens. In Authorisation code flow this happens. There are various authentication / authorisation flow available. In the above video authorisation code flow is explained. In which authorisation code is returned after successful authentication. Then authorisation code + client id + secret key is sent to the server which validates that the user is the same as authorization key is the same and it is not tempered. And then the server returns 3 tokens. (1.Access tokens which contain scopes/ permission used for sending requests to get resources. 2.Id token which contain user information/ claims. 3. Refresh token - this is optional.)
@tsunghan_yu Жыл бұрын
Mainly two security benefits: 1. we can avoid sending the access token, which is sensitive information, in the front channel and send it in the back channel instead. 2. we can authenticate the client as well by requiring the client to send client_id and client_secret (along with authorization code) to request the access token. Here's a video that directly answers your question: kzbin.info/www/bejne/b2qZgJybra2tm5I And here's a good illustration of the whole flow: kzbin.info/www/bejne/hpfZhHdsgtJ4o7M
@henryzhang7873 Жыл бұрын
This prevents the client from knowing the token. The services may not trust the client or want to charge money for operations without the risk of spoofing.
@PhillipKerman 3 ай бұрын
Of course there's tons more to know, but this probably the best description under five minutes. In about one hour Nate Barbettini covers this, along with OIDC and PKCE. After that learn about JWT and related formats and you'll have all the fundamentals.
@gsenthilkumar8139 6 ай бұрын
00:04 OAuth 2 simplifies secure access to resources. 00:37 OAuth 2 is like giving someone a special key for accessing specific information in another application. 01:12 Using OAuth2 to grant permission to access Snap Store photos. 01:39 OAuth 2 facilitates secure access to resources 02:16 OAuth2 process flow explained 02:50 Authorization code is exchanged for access token by the client. 03:24 OAuth 2 protects login credentials and allows controlled access to authorized resources. 03:58 OAuth 2 is essential for web security Crafted by Merlin AI.
@bhagyeshpatel18 Ай бұрын
I love your content and really easy to understand.I HAVE REQUEST THAT YOUR DIAGRAM/ ANNIMATION HAS MOTION/ZOOM OUT-IN/ which makes me keep eye and It is difficult to focus. Just advice, if you can stop using the motion/zoom out-in , just show still annimation. Thanks
@dwarslopers Ай бұрын
And still mistakes! See 02:22, the 3rd green bubble is calles SnapStore Auth! (Not PrintMagic later!) Important to understand: The "clientid" and "clientsecret" exists only between PrintMagic and SnapStore Auth Server. It grants that the PrintMagic Server Owner is a friend of the SnapStore Auth Server Owner. Otherwise the SnapStoreAuth Server Owner would not share this secret. The SnapStore Auth Server could authenticate much more Servers like the PrintMagic, for every different Server application only one clientsecret. (Not per User) So "client"does not mean user, it means different service/server/application connection to SnapStore Auth Service.
@bhagyeshpatel18 Ай бұрын
There is problem in the image at 3:54 second. Third Entity should be SnapStore Auth Server. NOT PrintMagic.
@TahminaakhterLili 19 күн бұрын
Garcia Frank Rodriguez Deborah Lewis Steven
@sergiomora1209 4 ай бұрын
Can Google App Passwords still be used to access Gmail through Outlook 2019 using POP3 after LSA’s is disabled?
@umarsaid6340 2 ай бұрын
If I want to make a mobile app, what authentication scheme should I use? Oauth 2.0 authorization code, client credentials, or just basic username password?
@sandovalvaz6093 23 күн бұрын
Hi, do you know why this error occur? "OAuth 2 parameters can only have a single value: scope"
@bluehornet6752 4 ай бұрын
Great video, but you seem to have a couple of errors in your graphics, at 2:19 and 3:51 in the timeline. Your third header there should not be "PrintMagic" but rather "SnapStore Auth," like you have at 2:23 in the timeline. If this is *not* a mistake, then it's confusing at those first two points in the timeline...because it seems to make perfect sense with the version of the graphics at between 2:23 and 3:24 in the video. The way you show the summary at 2:21, why would we ever want PrintMagic to be able to generate its own request from the user for access to the resource server? That doesn't make sense to me--so it seems to me anyway, that what you have (and describe) from 2:23 - 3:24 in the video is accurate, correct and (dare I say) understandable. The graphics on either side of that (ie; at 2:19 and 3:51) don't make sense.
@ElvisANgoh 11 ай бұрын
This was incredibly refreshing and so easy to understand. This is the first video I have watched from you, I can't wait to see more, and other topics
@ccdanro 2 ай бұрын
Stupid andi illogical mess, with a lot of lying in between! All those "authorization codes" si simply credentials in the for of longer passwords!
@yogavedfood 19 күн бұрын
@ByteByteGo what is the use of state variable in OAuth2 and how to handle its storage in a stateless multi machine UI server because the callback can go to any of the servers if stored at server side.
@yashsolanki069 4 ай бұрын
I would like to know if this (OAuth 2.0)service is free to use or has some charges after some requests. If anyone has any idea, please let me know.
@ml-rj5pt 11 ай бұрын
Thanks for the great video. One question though...at 3:20 when PrintMagic fetches photos with the access token, does the SnapStore Resource still need to validate the access token? If so, does it need to call SnapStore Auth api to validate?
@tadtab2 4 ай бұрын
@2:20 the 3rd column need to be renamed 'SnapStore ' instead of 'PrintMagic'?
@davideanguianomelendez628 5 ай бұрын
It seems to me that diagrams on 2:20 and on 3:58 have a mistake: the green "PrintMagic" actor should be labeled as "SnapStore Auth", as it actually is on 3:17. Am I right?
@tayyabmunir6228 4 ай бұрын
Wao, I was struggling with the basic concepts of oauth2 for a long time. This video explains it really well.
@suha2072 2 ай бұрын
Thank you for the great lecture! It was very helpful. I was successful in getting the device access code, but is there a way to expire the access code or log out? We want to develop a service that allows multiple people to use one device. We need to process when the user logs out the device token.
@avrakadavra1552 7 күн бұрын
If I understand it right, OAuth 2 is only good at third-party access features
@jlp2011 Жыл бұрын
great vid. minor remark : 1st collab/msg diagram - full one - puts printmagic on 2nd n 3rd lane from left. 2nd diagram has 3rd lane being snap’s auth which makes more sense
@am_0x2a 10 ай бұрын
I noticed this too. Great video overall though!
@ikbo Жыл бұрын
Why the extra http request of getting authorization code then access token?
@SylviaFerguson-u8g 9 күн бұрын
Hernandez Michael Lopez Barbara Robinson Lisa
@profindia 14 күн бұрын
explanation is great. At 3:59, the "SnapStore Auth" box is missing
@brianliang3010 Жыл бұрын
why can't access token be sent along in permission granted response and requires another request?
@zoefinafisher3973 17 күн бұрын
Harris Christopher Robinson Betty Gonzalez Anna
@leticiadavis-pq6lm 13 күн бұрын
Clark Michelle Gonzalez Linda Anderson Margaret
@JinTsen 9 ай бұрын
There is a small mistake. When you first animate the flow at 2:19 , you have 2x PrintMagic, missing the (later fixed) SnapStore Auth
@MrNeuroMind 9 ай бұрын
3:59 also
@TimDaviesjje-gl1ru 27 күн бұрын
Lewis Mary Robinson Scott Gonzalez Jose
@dennisbrooks1697 14 күн бұрын
Hall Kevin Jackson Kimberly Harris Charles
@MorphSligo 19 күн бұрын
Martinez Larry Lewis Patricia Anderson Ronald
@800pieds 4 ай бұрын
Clear, but how does Snapstore know that the token is valid?
@STEESEkring 17 күн бұрын
Davis Edward Taylor Kevin Garcia Margaret
@GajshAksjb-y3l Ай бұрын
Walker Charles Thomas Jessica Thompson Deborah
@XJacksonvilleX 4 ай бұрын
the graphics are amazing.. how do you create them??
@boredhuman9289 10 ай бұрын
Oh man, you explained this so well, I was struggling with this topic for years now, never actually understanding what is going on there! Thank you!
@AntonioHowland 24 күн бұрын
Johnson David Lewis Gary Clark Linda
@teddymisyoung407 13 күн бұрын
Jackson Sharon Lopez John Thompson Daniel
@EstimateStudents 9 күн бұрын
Williams Carol Anderson Joseph Harris Brian
@jamesesgustman4377 21 күн бұрын
Thompson Charles Harris Sandra Johnson Jennifer
@autumnfjeld Жыл бұрын
Who is "us" and "we"? Are you speaking about the end user when you say "us" and "we"?
@StockDC2 Жыл бұрын
Yes, the end user (i.e client).
@BroadNorma-x4l 12 күн бұрын
Lopez Anthony Jones Jose White Christopher
@haykkarapetyan867 5 ай бұрын
Great explanation, BUT on 3:51 the "Snap Store Auth" changes into "PrintMagic" on your sequence diagram. This makes it look like the refresh token is given to the same "PrintMagic" to get updated Access Token
@somnathchaudhuri8698 8 ай бұрын
Here who generate the client secret key at the time of get access token.
@JimRiley-d1r Ай бұрын
Thompson Brian Robinson Brian Moore Donald
@jocelynmercer9967 13 күн бұрын
Clark Robert Lee Eric Gonzalez Carol
@systemBuilder 4 ай бұрын
It would be super awesome to give an example of a barebones OAuth2 that everybody uses (like a draw webapp asking for access to your google drive with frw other assets) then we could literally watch the OAuth2 in the Chome debug window under the network tab.
@juozasjuozas 7 ай бұрын
That was great! But how about registering? Eg. using a google Account to log in. Considering i can revoke the token. How can I log in despite never having given my password to the external side?
@twinkleverma2945 10 ай бұрын
Hi @ByteByteGo ... @3.51 the 3rd tower's name is incorrect. It should be "SnapStore Auth" instead of "PrintMagic". It becomes confusing at this point.
@jubiaj2672 10 ай бұрын
best explanation so far. thank you
@null3706 Жыл бұрын
02:21 and 03:52 The diagram is wrong. The third should be "SnapStore Auth" instead of "PrintMagic".
@anilsonone6067 2 ай бұрын
Up to the point explanation. Very Straight forward way with good graphics. Thanks....