@KulcsarRudolf 5 ай бұрын
Super clear, thank you for this awesome video! I feel smarter.
@jesterflint9404 9 ай бұрын
This video has enough information to tell you "refresh tokens are very powerful" and they also tell you "auth0 takes measures to secure it" (which satisfies their goal I guess). The main difference between access tokens and refresh tokens is that the refresh tokens are stored in the database and the server can invalidate them at will. So, if a user changes password or the refresh token is compromised, the refresh token can be revoked and the bad actor loses access as soon as the access token expires.
@twd2 Жыл бұрын
that's genius, you explained what I was working for it for three months,thanks bro❤!!!
@dashmasterful 10 күн бұрын
Honestly, great video!
@marvellstudio9355 2 ай бұрын
One of the best video I have watched 👌❤ loved the way you explained
@oktricio Жыл бұрын
Super clear and educational!
@SunnyHenry Жыл бұрын
Awesome and easy to understand! Thank You Very Much! I do have one question though, that I can't seem to find the answer to. For refresh token rotation, is it a sliding rotation? Meaning when I get a new refresh token is the expiration pushed back further than the initial expiration? Or is there a way to configure it to, regardless of how many refresh tokens I get, have a combined expiration of... let's say 30 days?
@OktaDev Жыл бұрын
Thanks for your question! Let us do some research and get back to you, please 🙏
@austinkloske3970 Ай бұрын
great explaination! Thank you
@rahulganga3274 Жыл бұрын
Sir, thanks you very much ,I have been searching for long for this😂 ... From India 🇮🇳 ♥️
@luisvillar8320 Жыл бұрын
Thank you sir for making this video informative and fun to watch.
@tuanleanh440 3 ай бұрын
Thank you, the video gives me the answer for how to secure refresh tokens.
@OktaDev 3 ай бұрын
Glad we could help!
@omphemetsemafoko830 Жыл бұрын
Good explanation. Thanks. God bless you
@OktaDev Жыл бұрын
You are very welcome :)
@juanbolanos5939 Жыл бұрын
Thank you! It helped me a lot
@OktaDev Жыл бұрын
Glad to hear that!
@pawelbrzosko 9 ай бұрын
Great vid, informative and very entertaining. Well done, Sir!
@urodsky_monday Жыл бұрын
Great video! thank you!
@techytipsnow Жыл бұрын
It was a great session, easy to understand comparing with others
@jimkk159 Жыл бұрын
Awesome viedo! However, I wonder if the token family break the server stateless?
@sabuein Жыл бұрын
Thank you.
@OktaDev Жыл бұрын
You're welcome!
@bobobobo-ki2fw Жыл бұрын
thank you for the content you are very knowledable. Mini tip that would help so much is to use tables charts eg for part about which auth flow ot use.
@SwiftDustStorm 26 күн бұрын
wouldn't the automatic resuse detection system require state? In that case why not use Oauth 2?
@tamashercz Жыл бұрын
Thought I was tripping when I saw the guy's beard starting to grow grey towards the end of the video lol.
@marcioalexandremarcondes557 9 ай бұрын
Thanks!
@user-rd4oo1jg5g Жыл бұрын
Hi, I'm trying to understand since I'm building an app in Php and I have to use a rest service, I have the service to request a token that also returns the refresh token, ¿Should I request the token, store it in a database and every time I request the token, before checking if I have a valid one in the database based on the expiration date? ¿What would the refresh token be used for? Thanks for all
@adelkedjour 4 ай бұрын
If both the access token and refresh token have expired at the same time (i.e., after 15 minutes), it presents a challenge because the client can no longer use the expired refresh token to obtain a new access token. In this case, the user would need to re-authenticate to obtain a new pair of tokens innit?
@OktaDev 4 ай бұрын
Yes, this is by design. You shouldn't configure your access token and refresh token lifetimes to be the same. If a 1-hour access token happens to coincide with a 30-day refresh token expiring, that is correct, and the intent is that the user has to log in again. Hope that helps!
@user-uz5iq6my2k 5 ай бұрын
What happens if a malicious person gets their hands on the refresh token, but the actual user doesn't make a request for quite some time? Wouldn't that let the malicious person misuse the long-lasting refresh token? While I do agree that rotating refresh tokens can enhance security, I'm curious about how this specific scenario would be managed.
@OktaDev 5 ай бұрын
Thanks for watching! If a refresh token issued to a public client is stolen, the attacker can impersonate the client and use the refresh token without being detected. It is also possible to bind refresh tokens to the public client instance using DPoP (oauth.net/2/dpop/) which can counter this attack. Confidential clients need to authenticate to the authorization server in order to use the refresh token, so the risk of stolen refresh tokens is lower for this type of client.
@techdiver6074 11 ай бұрын
Plain English. I understand now!!!
@maneshipocrates2264 Жыл бұрын
Clearly explained. Thanks. But, but how can a beginner get an example of using Okta and spring boot 3 microservices?
@OktaDev Жыл бұрын
Thanks for your feedback. We don't have content on Spring Boot 3 yet but we'll keep that in mind as a topic to tackle.
@maneshipocrates2264 Жыл бұрын
@@OktaDev Thanks. But you know if there any major changes I should be aware of, in case I want to use Okta with a spring boot 3 application?
@mraible Жыл бұрын
I created a microservices architecture with Spring Boot 3 and Auth0 last week using JHipster. You can check out the video at kzfaq.info/get/bejne/oddjZLWmuZqmqKs.html.
@maneshipocrates2264 Жыл бұрын
@@mraible Thanks.
@cn5703 8 ай бұрын
What happens in 12:07, if the malicious user authenticated with the stolen refresh token before the legitimate user does? Wouldn't the melicious user then have a legit access token to impersonate the legit user?
@batru2515 7 ай бұрын
I am wondering too
@alimertc 7 ай бұрын
he would, for a short while. If a refresh token is used twice, all subsequent refresh tokens will be invalid. So both attacker and the legimate users would had to relogin. (Which attacker cant). Correct me if I am wrong.
@zeffali 2 ай бұрын
How the heaven I generate.a new refrsh token ? Am noob
@sub-harmonik Жыл бұрын
the editing is a bit weird
@sridharyemparala4185 Жыл бұрын
What happens if refresh token was played by hacker before real user needs it? So the hacker gets the new 2nd access token. So silly 😂. The whole opened has a flaw! The persistence of the token should be on the SP side so not post them and stop. Not the IDP checking later. Which is pure useless
@mrj1997 Жыл бұрын
I see the whole flow bullshit, next years must be a much better way for doing this. current methods are so ridiculous
@abdulhaimohamed Жыл бұрын
i was just about to write the same comment, but think in it for 1 second, it does not depend on who uses it first it depends that it can be used once, otherwise, all is unauthenticated so if the hacker uses it first, when the real user tries ti use it again i=> all will be un authenticated and the real use can log in again with his credentials
@cn5703 8 ай бұрын
@@abdulhaimohamed ... but not before the malicious user steals all the legit user's data. It doesn't take long.
@whatsoever6863 9 ай бұрын
infromative, but it is visible that the man presenting the topic reads everything from behind camera, feels like he doesn't really know what he is talking about :)
@abdulhaimohamed Жыл бұрын
I JUST WANT TO SAY THAT I SPEND ABOUT 4-5 DAYS JUST SEARCHING WHY WE NEED REFRESH TOKEN, THANKS ALLAH FORR FIND THIS VIDEO AT THE END OF MY DAY AND THANKS YOU FOR THE PLAIN AND CLEAR UNDERSTANDABLE ANSWER , KINDLY THANK THIS GUY TOO MUCH AND PROVIDE ME BY HIS TWITTER IF HE HAS, THANK YOU
@OktaDev Жыл бұрын
Thanks for your kind feedback! We have shared it with Will :) You can find him on Twitter here: twitter.com/willjohnsonio
@abdulhaimohamed Жыл бұрын
@@OktaDev Thank you for your time and effort🌺
@WillJohnsonio Жыл бұрын
Thank you
learnprofi.online
Рет қаралды 2,6 М.
Amigoscode
Рет қаралды 593 М.