An Illustrated Guide to OAuth and OpenID Connect

Al Saganich

Great video! Thanks for the clear and concise description!

Aritra Mukherjee

Amazing explanation, and the illustrations helped a lot. Thanks!

Sérgio Azevedo

Thanks David Neal. Best explanation I’ve seen.

Asa Jayasiri

Dear David,

Thanks a lot for the very awesome work. You saved valuable time by simplifying the complexity of OAuth 2 and OIDC.

Great Job!!!

Hung Nguyen

Thanks, super easy to understand!

Hallvard Hvidsten

Great article that gave me more understanding of OAuth and OIDC. But I thought the access token was short-lived?

Nat Krishnan

Very well done. One minor detail to avoid confusion for all: “Redirection URI”, “Redirection URL”, “Redirect URI”, “Redirect URL”, “Callback URL” and “Callback URI” are all the same. The official term (RFC 6749 - OAuth 2.0) is “Redirection Endpoint”.

nitewulf

The only bit that I don’t see explained is this bit: "the Access Token is just a string of gibberish to pass with any request to the Resource Server, and the Resource Server knows if the token is valid."

How? What is the link between the Resource Server and the Authorization server, especially if they are in different domains?

Ravi Kumar

How does the Resource Server trust the Authorization Server? Do they exchange a Client ID/secret as well? I mean, if they are different servers?
But first of all, easy explanation of a complex topic. Fantastic, and thanks.

jain_vi

Nice explanation!!!

lakshmi

How to build a single sign-on application using Okta JWT?
Please give me an example of how to build it without Spring Boot.

Øyvind Berg Ramsem

Thank you! Really helpful!

sasidhar samala

Simply Awesome explanation.
Hats Off Sir

長谷川たかし

Did you draw all the pictures? You should become an artist.

Kishore Jagannath

Thanks for the article. Now, if I want to implement authorization in the Terrible Pun of the Day website and I want to implement roles, say a person with the admin role can perform all actions, while a person with the READ role can only read, how do I implement this with OpenID Connect? How will I know what role I should give to the person authenticated by Facebook or Twitter?

Rohanraj Mahendra Solanki

Nice one.

Zendul

While I type this comment, I am actually using OAuth to login with email.
Great article.

sky-high

Why is the authorization code required by the client? Can’t they get the ID/Access tokens directly, bypassing that code? What are the benefits of using the authorization code? I understand it provides additional checks to secure the access between the client and the auth server, but if I can trust the client, do I still need this step?

Thinh Dinh

Not sure whether you got the answer or not. Anyway, it is possible to issue ID/Access tokens directly to the client app, and it is called the implicit flow. For more details: https://tools.ietf.org/html

Daud Fauzy W

Very nice and awesome explanation, I could understand it easily. Thank you very much!