I know im asking randomly but does anybody know of a method to log back into an Instagram account? I somehow lost the password. I love any tricks you can give me.

@Magnus Payton instablaster :)

@Griffin Apollo Thanks so much for your reply. I found the site thru google and Im waiting for the hacking stuff now. Takes quite some time so I will get back to you later with my results.

@Griffin Apollo it worked and I finally got access to my account again. Im so happy! Thanks so much, you really help me out!

@Magnus Payton You are welcome xD

Thank you, glad to hear that!

Hello Benrouyne, thank you for you comment! Please check this section of the OpenID Connect Core spec: openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation, 3.1.3.7. ID Token Validation, bullet 6. I hope that answers your question.

Hi! SHA256 is only true for algorithms that use sha256. And base46url encoding is done on the output of generated hash. Do you think you identified something that should have been explained differently?

I didn't understand at all, sh-256 itself cant be reversed why to do base 64 on hash

@@manideepkumar959 Base64url encoding transforms the hash value into a regular string which can be transferred in an http message

Good catch. Actually the OP explained that part but it is missing. comparing the calculated hash value with signature hash in the token is not enough. There is an encryption and decryption process to verify the signature. It works like this: you have a data and a public/private pair. Data is hashed end encrypted with Private key and the result is a Signature. To verify that if signature is correct: Signature is decrypted with Public key and the result should be the hash value of the data. This is the validation. In the ID token scenario, Issuer creates the signature using its Private key. To validate the signature you have to use the Public key which you can get from the jwks_url. Creating the signature works like Encryption, validating the signature works like Decryption. This detail is missing in the video. (i.stack.imgur.com/B93DO.png)

@@sonyolcu23 Thank you for your comment. But please note that your comment contains a few wrong messages. Private keys are not used for encryption, public keys are not used for decryption as you mentioned it above. The id_token is not encrypted, only signed in this video. Private key -> create signature, public key -> verify signature. No encryption is used in this context. In this video only JWT, JWS (signature) are referenced, not JWE (encryption).

Thank you for watching! id_token are not send to resource servers and therefore that would not work. However, if your access_token is JWT based it may have claims inside of it that work for you. 'aud' could have multiple values but 'azp' may work for you. Have a look here and check of some of these claims are found in your access_token: openid.net/specs/openid-connect-core-1_0.html#IDToken I hope this helps!

@@saschazegerman The huge challenge for the resource server is, how to trust the Client/TenantId by accepting the notion, who they say they are

@@balaji3229 If your resource server does not trust the issuer of the access_token (which I assume includes the info about the client_id/tenant) then you may ignore any token received by that issuer. If is all a question of "which issuers do I accept, which ones do I not". A similar example: If you implement Sign In with Google and the google issued userinfo response says: email_verified=true. Do you believe that google verified the email or not? If you don't, you may not want to implement that feature.

Thank you!

Hi Mohammed! It is the same reason as for an expiration of a passport or personal ID card or driver license. The issuer either is uncomfortable saying "these values are valid forever" or the issuers verify that users are still "under its control". There are probably more reasons, too. I hope this helps.

Thank you!