Good stuff, helpful terminology and use case review.
@zacktzeng8569 4 months ago
Hi, you mentioned that the client credentials grant should only be used for trusted services and not internet-facing services. If I have a public web app with a frontend and backend, and I want to only allow this public web backend to access my custom backend resources, should I pick a different method? If so, what would you recommend? Thanks!!
@cliffmathew 3 months ago
You completely skipped how the resource server validates an access token presented by the client, before allowing access.
@christopherkirkos1790 5 months ago
I want to run automated tests in my staging environment, but I have to simulate a user to do so (need email address associated with token). How should I achieve this?
@mohanchennagiri8039 9 months ago
@2:30, how does the resource-server ensure the access-token is authentic? Is there implicit trust, or does it call authorization server to validate the token?
@WillJohnsonio 8 months ago
Great question, the resource server verifies the token signature.
@MichaelStein-ty5du 4 months ago
@WillJohnsonio No it does not. The application will need to verify the JWT. From Auth0: Auth0 uses JSON Web Token (JWT) for secure data transmission, authentication, and authorization. Tokens should be parsed and validated in regular web, native, and single-page applications to make sure the token isn't compromised and the signature is authentic. Tokens should be verified to decrease security risks if the token has been, for example, tampered with, misused, or has expired. JWT validation checks the structure, claims, and signature to assure the least amount of risk.
@ahsath 6 months ago
Aren't IoT devices not trusted clients if they operate autonomously, like a vending machine in a parking lot that makes requests to a DB aka resource? I say this because they are susceptible to being stolen and reverse engineered to get the "secrets".