Everything You Ever Wanted to Know About OAuth and OIDC

33,526 views

OktaDev

1 day ago

In this session, Aaron Parecki, author of OAuth 2.0 Simplified and co-editor of the in-progress OAuth 2.1 spec, will cover the basics of the OAuth and OpenID Connect protocols. You’ll learn about when you’d want to use OAuth or OpenID Connect (or both!), when to use each of the grant types, and how to use OAuth and OpenID Connect securely from mobile applications. Aaron also covers the latest best practices around OAuth security currently in development by the group. You'll also learn about the upcoming OAuth 2.1 update and what it means for you and your applications. You'll learn how to use JWT access tokens and the tradeoffs that come with them, how to design scopes that allow granular access to various parts of your backend services, and how to design a microservices architecture protected by OAuth at a gateway.
Speakers:
Aaron Parecki, Okta
__
Don't forget to subscribe to our channel and hit the notification bell so you never miss an upload: bit.ly/OktaKZbin​
__
Want more Okta? Check out our social media for updates:
bit.ly/OktaLinkedIn​
bit.ly/OktaTwitter​
bit.ly/OktaFacebook

Comments: 29
@soumyagupta4910 9 days ago
didn't think I'd enjoy learning about OAuth so much. Thanks a ton!
@yapayzeka 11 months ago
I watched a lot of videos about the context and this is the most clear and satisfying explanation of them all. thank you very very much.
@xdaniel3936 8 months ago
This is by far the best explanation. Thank you so much!
@emiliocolombo142 2 months ago
Great high level overview of these protocols. Thank you a lot
@marcom. 1 year ago
Thanks a lot, Aaron. This is by far the best and most comprehensive video I saw about these topics.
@jagan4269 2 years ago
Wow!!! This is SPOT ON. Thanks for the excellent presentation Aaron.
@interdechile 1 year ago
Thanks Aaron! This is the clearest explanation about OAuth that I have seen
@chrislegaxy6355 2 years ago
By far the best explanation! 🙌 Thank you! You rock!
@ledgentai1227 2 years ago
Fantastic video, thank you. In fact the only explanation of these concepts I could find that made sense.
@floid33556 9 months ago
Really great explanation. Thank you!
@4ortson 2 months ago
this should be watched by more devs
@debkr 1 year ago
Nice 👍 Please post some videos on OIDC Single Sign on.
@gitahinganga3136 1 year ago
Very clear and concise. Thanks a bunch!
@leminhdung1981 1 year ago
Excellent! Thank you very much!
@cli2701 2 years ago
Excellently explained! Thanks!
@li.tan.activities 2 years ago
Fantastic explanation! Thank you!
@kevincornally8392 3 years ago
Such a great presentation!!!!
@drakezen 3 years ago
Amazing explanation.
@ftlight2362 3 years ago
that is soooo useful! ) great explanation, thanks!
@masteredd 2 years ago
Great explanation! Thanks
@jamesallen74 3 years ago
Fantastic video!
@nestorguemez4846 1 year ago
Excellent content!
@shaunpx1 2 years ago
Great video, thank you for clearly explaining this topic!!! Also, where did you get that shirt? It is awesome!
@clz230 3 years ago
It was nicely done, Aaron! Excellent presentation and effortless communication!
@gobindrawat3496 3 years ago
One more question: As mentioned in the use case, if the Access Token has 8 hours validity and during the registration/login, user gave consent for some explicit scopes (example vehicle data), the access token has the claims information, and if clients are checking the claims information and validity against the IDP token introspection endpoint and based on the response are letting the user use their API. What if in the meantime the user revokes some of the consent? The Access Token will still consist of the previously given consent information, and if the client is based on the IDP token introspection response then critical service access will become accessible. Revoking the token and asking the user to log in again so a correct consent-based token can be generated can lead to a very bad user experience if the IDP has global logout & SSO. Any best practices here? Please share some. Thanks
@gobindrawat3496 3 years ago
Hi, I have a question regarding the Refresh Token use case, especially when we have unreliable clients (Native Apps). The new best practice about Refresh Tokens mentions that it should be replaced with each new token exchange request. So basically with a new token exchange request, the client receives a new refresh Token along with Access & ID Token. How should we tackle a Logout scenario if the client is a mobile app? A Mobile App can have a very unreliable network and due to this the User can be logged out due to an expired Token. Are there any best practices regarding this use case? Thanks in advance. Ok
@meepk633 10 months ago
So I should be using PKCE for my confidential OIDC client that's already checking state and nonce? I'd rather not rewrite it if those older DPOPs are sufficient.
@aaronpk 10 months ago
If you are checking the nonce, as well as checking the ath claim in the ID token to compare it to the access token, then you are protected from access token injection. However there is no protection from ID token leakage in the front channel if you are using the OIDC implicit flow. The other way to look at it is you can remove a bunch of code and replace it with a smaller amount of code that does PKCE, and removing code means less opportunity for bugs and errors.
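To make the PKCE alternative in the reply above concrete, here is an added example (not code from the talk, from Okta, or from any commenter) of the two halves of PKCE from RFC 7636: the client generates a `code_verifier` and derives the S256 `code_challenge`, and the authorization server binds the challenge to the authorization code and refuses to redeem the code unless the matching verifier is presented. `ToyAuthorizationServer`, `run_flow` and the client id `my-spa` are constructed for this illustration; the verifier/challenge pair checked in the comments is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets
import string
from typing import Dict, Optional, Tuple

# Characters RFC 7636 allows in a code_verifier (the "unreserved" set).
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a fresh, high-entropy verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped.
    RFC 7636 Appendix B: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
    maps to 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and
    compare in constant time. Unknown methods are rejected rather than guessed."""
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


class ToyAuthorizationServer:
    """Stand-in for the /authorize and /token endpoints (constructed for this example)."""

    def __init__(self) -> None:
        # authorization code -> (client_id, code_challenge, code_challenge_method)
        self._pending: Dict[str, Tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # The challenge arrives with the front-channel authorization request and is
        # bound to the code that will be issued; the verifier never leaves the client.
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[dict]:
        # Codes are single use: pop removes the code whether or not verification succeeds,
        # so a failed attempt also burns the code for anyone else holding it.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        issued_to, challenge, method = entry
        if issued_to != client_id or not verify_pkce(challenge, method, code_verifier):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(wrong_verifier: Optional[str] = None) -> bool:
    """Drive one authorization-code exchange and report whether a token was issued.

    With wrong_verifier set, the code is redeemed with a verifier that does not match
    the bound challenge (the code-injection case PKCE exists to stop) and is refused."""
    server = ToyAuthorizationServer()
    verifier = generate_code_verifier()
    code = server.authorize("my-spa", code_challenge_s256(verifier))
    presented = wrong_verifier if wrong_verifier is not None else verifier
    return server.token("my-spa", code, presented) is not None


if __name__ == "__main__":
    print("legitimate exchange issued a token:", run_flow())
    print("mismatched verifier issued a token:", run_flow("not-the-real-verifier"))
```

The design point is that the server never stores the verifier, only its hash; a code observed in the front channel is useless without the verifier held in the client's memory, which is the property the reply above says lets you drop the hand-rolled nonce and hash checks in favour of a smaller amount of code.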
@cd-stephen 10 months ago
ftw