I watched a lot of videos about the context and this is the most clear and satisfying explanation of them all. Thank you very very much.
@similityjoe 1 month ago
The best explained video I've seen so far! I love the analogies and examples; they make it easier to digest these hard concepts 👍👍
@xdaniel3936 1 year ago
This is by far the best explanation. Thank you so much!
@marcom. 1 year ago
Thanks a lot, Aaron. This is by far the best and most comprehensive video I've seen about these topics.
@soumyagupta4910 6 months ago
Didn't think I'd enjoy learning about OAuth so much. Thanks a ton!
@Shukla-ji_knp 3 months ago
Give that person a raise 🎉🎉 Just 6 min of the video and I feel more confident on OAuth vs OIDC 5:52
@jagan4269 3 years ago
Wow!!! This is SPOT ON. Thanks for the excellent presentation, Aaron.
@floid33556 1 year ago
Really great explanation. Thank you!
@interdechile 2 years ago
Thanks Aaron! This is the clearest explanation about OAuth that I have seen.
@danchisholm1 4 months ago
WOW, truly excellent tutorial. Good examples and description. Surprising that it's from a company who don't always do so well on tutorials. Thanks, Okta guys!!
@chrislegaxy6355 3 years ago
By far the best explanation! 🙌 Thank you! You rock!
@emiliocolombo142 8 months ago
Great high-level overview of these protocols. Thank you a lot.
@codeflip1227 2 years ago
Fantastic video, thank you. In fact the only explanation of these concepts I could find that made sense.
@AshenafiDemisse 3 months ago
Cross-domain POST requests, or in general cross-origin requests (CORS), did not have much support in older browsers, as you said. In particular, browsers older than Internet Explorer 10 do not support CORS requests.
@gitahinganga3136 2 years ago
Very clear and concise. Thanks a bunch!
@martijn1967b1 3 months ago
Thanks Aaron
@leminhdung1981 2 years ago
Excellent! Thank you very much!
@shaunpx1 2 years ago
Great video, thank you for clearly explaining this topic!!! Also, where did you get that shirt? It is awesome!
@cli2701 3 years ago
Excellently explained! Thanks!
@meepk633 1 year ago
So I should be using PKCE for my confidential OIDC client that's already checking state and nonce? I'd rather not rewrite it if those older DPOPs are sufficient.
@aaronpk 1 year ago
If you are checking the nonce, as well as checking the ath claim in the ID token to compare it to the access token, then you are protected from access token injection. However, there is no protection from ID token leakage in the front channel if you are using the OIDC implicit flow. The other way to look at it is that you can remove a bunch of code and replace it with a smaller amount of code that does PKCE, and removing code means less opportunity for bugs and errors.
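The two checks the reply above weighs against each other, as an added worked example (my own code, not from the video, from Okta, or from either commenter): the PKCE S256 code_challenge that a client generates and the authorization server verifies per RFC 7636, and the OIDC Core check that binds an ID token to the access token issued with it via the nonce and the at_hash claim (OIDC Core 3.3.2.11, which is the ID-token-to-access-token comparison the reply describes). The function names are hypothetical; the only real values involved are the RFC 7636 Appendix B test vector used in the usage note.

```python
"""Hypothetical helpers (added example, not code from the video or from Okta)
for PKCE S256 (RFC 7636) and the OIDC at_hash / nonce binding check."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 and OIDC Core require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- client side: PKCE --------------------------------------------------

def new_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy code_verifier. 32 random bytes give a 43-character
    string, the minimum length RFC 7636 allows (the maximum is 128)."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- authorization server side: PKCE -----------------------------------

def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Run at the token endpoint: recompute the challenge from the verifier
    the client presents and compare it to the challenge stored with the
    authorization code. Only S256 is accepted; 'plain' is treated as a
    downgrade and rejected, and out-of-range verifier lengths are rejected."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    # Constant-time comparison so timing does not leak how many chars match.
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


# ---- client side: the older OIDC check the reply mentions --------------

_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def expected_at_hash(access_token: str, id_token_alg: str = "RS256") -> str:
    """OIDC Core 3.3.2.11: hash the access token with the hash function of
    the ID token's JWS alg (e.g. SHA-256 for RS256), keep the left-most half
    of the digest, base64url-encode it."""
    try:
        h = _HASH_FOR_ALG[id_token_alg[-3:]]
    except KeyError:
        raise ValueError(f"unsupported ID token alg: {id_token_alg}")
    digest = h(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def id_token_binds(id_token_claims: dict, access_token: str,
                   expected_nonce: str, id_token_alg: str = "RS256") -> bool:
    """Reject an ID token whose nonce is not the one this client sent, or
    whose at_hash does not match the access token received alongside it.
    Assumes the ID token's signature has already been verified."""
    if not hmac.compare_digest(id_token_claims.get("nonce", ""), expected_nonce):
        return False
    return hmac.compare_digest(id_token_claims.get("at_hash", ""),
                               expected_at_hash(access_token, id_token_alg))


if __name__ == "__main__":
    # RFC 7636 Appendix B test vector (a real, published value).
    v = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    print(code_challenge_s256(v))  # E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    print(verify_pkce(code_challenge_s256(v), "S256", v))  # True
    print(verify_pkce(code_challenge_s256(v), "plain", v))  # False (downgrade)
    # Constructed access token and claims for the at_hash / nonce check.
    tok = "constructed-access-token"
    claims = {"nonce": "n-0S6_WzA2Mj", "at_hash": expected_at_hash(tok)}
    print(id_token_binds(claims, tok, "n-0S6_WzA2Mj"))  # True
    print(id_token_binds(claims, "other-token", "n-0S6_WzA2Mj"))  # False
```

The point of the pairing is the one the reply makes: the at_hash/nonce path only tells the client that the access token it received is the one the ID token was minted with, while PKCE lets the authorization server itself refuse an authorization code presented by anyone who does not hold the verifier, which is why the server-side `verify_pkce` replaces two client-side checks with one.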
@kevincornally8392 3 years ago
Such a great presentation!!!!
@li.tan.activities 3 years ago
Fantastic explanation! Thank you!
@masteredd 3 years ago
Great explanation! Thanks
@gobindrawat3496 3 years ago
One more question: As mentioned in the use case, if the Access Token has 8 hours' validity, and during registration/login the user gave consent for some explicit scopes (for example, vehicle data), the access token has the claims information, and if clients are checking the claims information and validity against the IDP token introspection endpoint and, based on the response, are letting the user use their API: what if, in the meantime, the user revokes some of the consent? The Access Token will still contain the previously given consent information, and if the client relies on the IDP token introspection response then critical service access will become accessible. Revoking the token and asking the user to log in again so a correct consent-based token can be generated can lead to a very bad user experience if the IDP has global logout & SSO. Any best practices here? Please share some. Thanks
@gobindrawat3496 3 years ago
Hi, I have a question regarding the Refresh Token use case, especially when we have unreliable clients (Native Apps). The new best practice about Refresh Tokens mentions that it should be replaced with each new token exchange request. So basically, with each new token exchange request, the client receives a new Refresh Token along with the Access & ID Token. How should we tackle a logout scenario if the client is a mobile app? A mobile app can have a very unreliable network, and due to this the user can be logged out due to an expired token. Are there any best practices regarding this use case? Thanks in advance. Ok
@drakezen 3 years ago
Amazing explanation.
@debkr 2 years ago
Nice 👍 Please post some videos on OIDC Single Sign-On.
@4ortson 8 months ago
This should be watched by more devs.
@jamesallen74 3 years ago
Fantastic video!
@ftlight2362 3 years ago
That is soooo useful! ) Great explanation, thanks!
@clz230 3 years ago
It was nicely done, Aaron! Excellent presentation and effortless communication!
@cd-stephen 1 year ago
ftw
@cmkjfnve 3 months ago
Can't follow without setting the speed to 0.75. 🙂 Can't understand what the rush is.