Join Keith Casey for an in-depth discussion in this video OAuth tokens and their usage: Access, ID, and refresh, part of Web Security: OAuth and OpenID Connect.
- Now that we understand some of the endpoints…that we have available, we should understand…what we're retrieving from them, and that's usually tokens.…In the core OAuth specification, RFC 6749,…there are two types of tokens specified,…access token and refresh token.…The OpenID Connect specification has a third,…called the ID token.…The access token is what gives the client application…access to the protected resource, usually the API.…This is valuable because now we're not passing around…a user's username and password,…which could be compromised or cached.…
Further, we can validate it locally,…or if available via the introspect endpoint.…But here's the fun thing.…In the specification, it doesn't detail…how the token is structured, what's in it,…how to validate it, how to use it,…or basically anything else.…It sounds like we need another spec.…The refresh token is a little different.…It's not used to protect resources.…Instead, it's designed so that…when the access token expires,…you can use a refresh token to request a new access token.…
- How does OAuth 2.0 work, and what problems does it solve?
- What is OpenID Connect, and how is it different from OAuth?
- OAuth tokens and their usage
- Authorization in microservices
- Common security considerations
- Authorization for mobile apps and SPA
- Authorization in legacy applications
- Server-side implementations
Skill Level Advanced
1. What Is OAuth?
2. Core Terminology
3. Client Credential: Authorization for Microservices
4. Implicit or Hybrid: Authorization for Mobile Devices
5. Grant Type: Authorization Code
6. Grant Type: Resource Owner Password Flow
7. Server-Side Implementations
Next steps1m 40s
- Mark as unwatched
- Mark all as unwatched
Are you sure you want to mark all the videos in this course as unwatched?
This will not affect your course history, your reports, or your certificates of completion for this course.Cancel
Take notes with your new membership!
Type in the entry box, then click Enter to save your note.
1:30Press on any video thumbnail to jump immediately to the timecode shown.
Notes are saved with you account but can also be exported as plain text, MS Word, PDF, Google Doc, or Evernote.