From the course: Web Security: OAuth and OpenID Connect (2019)
Security considerations
- [Instructor] Now let's dive into the security considerations around Resource Owner Password flow. And honestly, there are a lot. Now, just like all other OAuth flows, the same rules apply, but those are only the start. First, remember that we're passing around even more credentials than before, so we must only send and receive data via HTTPS using SSL or TLS. Next, you must validate the access token before you use it. But the actual security challenge here is much bigger than any of those, and it's unique to this flow. In all other OAuth flows, the application sent the user to the authorization server or the identity provider to authenticate and authorize the application. But instead, Resource Owner Password flow captures the user's credentials in the application itself and sends them to the server behind the scenes to get that access token. That means the application developer has your credentials. Which raises an…
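The two checks the instructor names (only ever send the password grant over HTTPS, and validate the access token before using it) in working Python, as an added example that is not part of the course or its exercise files. The token endpoint URL, client id and secret, issuer, audience and the shared HS256 key are made up for the example; a real authorization server more commonly signs tokens with RS256 and publishes its public keys, in which case the signature step changes but the algorithm pinning, issuer, audience and expiry checks stay the same. The tokens the block mints are constructed samples so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode, urlparse

# Assumed values for the example only (not from the course).
TOKEN_URL = "https://auth.example.com/oauth/token"
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-client-secret"
ISSUER = "https://auth.example.com"
AUDIENCE = "https://api.example.com"
SHARED_KEY = b"example-hs256-key-do-not-use-in-production"


def build_password_grant_request(token_url, client_id, client_secret, username, password):
    """Return (url, form_body) for a grant_type=password token request.

    The body carries the user's raw password and the client secret, which is
    exactly why the flow must never be sent over plain HTTP: refuse to build it.
    """
    if urlparse(token_url).scheme != "https":
        raise ValueError("token endpoint must be https, got %r" % token_url)
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "profile",
    })
    return token_url, body


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims, key, alg="HS256"):
    """Mint a constructed sample JWT the way an HS256-signing server would.

    The alg parameter exists only so the example can build a bad token to test.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = "%s.%s" % (header, payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url_encode(sig))


def validate_access_token(token, key, expected_iss, expected_aud, now=None):
    """Verify alg, signature, issuer, audience and expiry; return claims or raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose 'none' or swap algorithms.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(key, ("%s.%s" % (header_b64, payload_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer %r" % claims.get("iss"))
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def check_token(token, now=None):
    """Convenience wrapper: 'ok' when the token passes, otherwise the rejection reason."""
    try:
        validate_access_token(token, SHARED_KEY, ISSUER, AUDIENCE, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    url, body = build_password_grant_request(TOKEN_URL, CLIENT_ID, CLIENT_SECRET, "alice", "hunter2")
    print("POST", url, body)  # note the raw password in the body: the app has seen it
    good = make_hs256_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": 2000}, SHARED_KEY)
    print(check_token(good, now=1000), "|", check_token(good, now=3000))
```

The wrapper deliberately returns the reason a token was rejected rather than swallowing it, so a resource server can log why a presented token failed without ever treating it as valid.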