1 00:00:00,300 --> 00:00:06,410 Now, in this lecture, let's try to discuss the implicit grant type, which is less secure
2 00:00:06,420 --> 00:00:12,810 compared to the authorization code grant type. As you can see, these are the flows that will happen in between
3 00:00:12,810 --> 00:00:15,730 the different components involved inside the OAuth2 framework.
4 00:00:16,110 --> 00:00:23,340 The only difference between the authorization code grant type and the implicit grant type is at step three, where
5 00:00:23,340 --> 00:00:25,410 we are making a request to the authorization server.
6 00:00:25,420 --> 00:00:34,100 So to generate a token, we have only a single step, whereas previously we made two steps.
7 00:00:34,110 --> 00:00:38,370 One is to get the authorization code, and next again to get the access token.
8 00:00:38,910 --> 00:00:46,440 But here you can see in the third step, once the user proves his identity, we will get the access token
9 00:00:46,440 --> 00:00:48,320 immediately to the client.
10 00:00:48,660 --> 00:00:52,540 Let's try to discuss one more time in the same Stack Overflow scenario.
11 00:00:52,830 --> 00:01:01,470 Again, I just want to reiterate: in today's real world, no enterprise whatsoever, especially like
12 00:01:01,470 --> 00:01:08,940 Google or Facebook or GitHub or Twitter, is allowing the use of the implicit grant type, due to the reason
13 00:01:08,940 --> 00:01:12,160 that it is less secure compared to the authorization code grant type.
14 00:01:12,300 --> 00:01:18,990 But just for understanding purposes, let's try to discuss the same scenario one more time. At the very
15 00:01:18,990 --> 00:01:26,060 first, as a user, as a resource owner, I go to the Stack Overflow website, which is a client, and
16 00:01:26,060 --> 00:01:27,870 I tell Stack Overflow,
17 00:01:27,990 --> 00:01:34,230 I want to sign up or log in inside your application so that I can use the extra features that you are providing
18 00:01:34,230 --> 00:01:35,190 to me.
19 00:01:35,550 --> 00:01:42,870 Next, in step two, the client will ask the user, OK, you prove your identity to the auth server, and you
20 00:01:42,870 --> 00:01:49,180 also tell the auth server that you are fine to share your basic resource details from its resource
21 00:01:49,200 --> 00:01:53,820 server post identity proving to the auth server.
22 00:01:54,300 --> 00:02:01,560 Once the user proves his identity to the Google auth server by entering his Gmail credentials, the auth server
23 00:02:01,560 --> 00:02:10,050 will send a token, which is like an access token, by redirecting to the URL mentioned in that request
24 00:02:10,380 --> 00:02:11,170 by the client.
25 00:02:11,550 --> 00:02:18,120 Finally, in step five, the client will make a request to the resource server by sending the access token
26 00:02:18,120 --> 00:02:24,750 that it received in the previous step and request some basic resources that I have, like my last
27 00:02:24,750 --> 00:02:27,780 name, first name, email details, etc.
28 00:02:27,990 --> 00:02:30,150 Once the token is validated by the resource server
29 00:02:30,150 --> 00:02:38,250 by contacting the auth server, the resource server will share the particular resource details that the client is requesting
30 00:02:38,520 --> 00:02:39,630 in step six.
31 00:02:39,870 --> 00:02:46,020 With this, the entire flow will complete, and the identification and authorization of the user will be
32 00:02:46,020 --> 00:02:46,800 successful.
33 00:02:47,160 --> 00:02:53,190 If we observe step three, the client has to send the following details to the auth server in order
34 00:02:53,190 --> 00:02:54,090 to get the access
35 00:02:54,100 --> 00:03:01,770 token. One is the client ID, which it received from Google during its registration initially.
36 00:03:02,310 --> 00:03:06,060 The second one is the redirect URI, the URI to which
37 00:03:06,060 --> 00:03:09,630 the redirection has to happen post successful authentication.
38 00:03:10,020 --> 00:03:12,630 The third one is the scope, similar to our authorities.
39 00:03:12,840 --> 00:03:16,530 The fourth one is the state, which is used to avoid CSRF attacks.
40 00:03:16,530 --> 00:03:23,460 And the fifth one, which is very important, is the response type, where you have to tell it with the value token instead
41 00:03:23,460 --> 00:03:26,580 of code. In the previous authorization code grant type,
42 00:03:26,760 --> 00:03:32,670 we mentioned this value as code, but now we are saying token, which indicates that I don't want to
43 00:03:32,970 --> 00:03:34,560 have a code in between.
44 00:03:34,560 --> 00:03:42,480 I directly want to generate a token by using the implicit grant type. Once the user proves his identity, the authorization
45 00:03:42,480 --> 00:03:44,310 server will redirect the user to the
46 00:03:44,760 --> 00:03:51,630 URL where the client wants to be, along with the token inside the fragment part of that URL.
47 00:03:52,230 --> 00:03:57,900 For example, the user will be redirected back to the following kind of URL that you can imagine.
48 00:03:58,050 --> 00:04:04,740 The primary difference you can easily identify here is that there is no client secret here. What that means is
49 00:04:05,070 --> 00:04:11,460 anyone who identifies the client ID of Stack Overflow in the browser address bar can take it
50 00:04:11,460 --> 00:04:13,910 and they can make a request to the authorization server.
51 00:04:14,100 --> 00:04:15,840 But of course they can't
52 00:04:16,110 --> 00:04:22,280 know my Gmail credentials, because as a user, I only have them and I'll enter them in the Gmail login page only,
53 00:04:22,290 --> 00:04:26,370 but not in the request that the client is making to the authorization server.
54 00:04:26,370 --> 00:04:33,900 So, but still, it is less secure, as there are chances that someone can impersonate Stack Overflow or any
55 00:04:33,900 --> 00:04:35,430 other web application.
56 00:04:35,550 --> 00:04:43,200 But you can ask: why do we have such an implicit grant type inside the OAuth2 flow if it is less secure?
57 00:04:43,620 --> 00:04:50,640 But this is a savior for the applications where they have only UI, like they have only HTML and JavaScript
58 00:04:50,640 --> 00:04:57,390 code, but they do not have any backend, like backend logic where they can save the client secret on some backend.
59 00:04:57,390 --> 00:04:59,550 And so everything, all of the code,
60 00:04:59,860 --> 00:05:05,950 is exposed inside the browser. Due to that reason, if someone wants to leverage OAuth2, they can still
61 00:05:05,950 --> 00:05:07,760 use the implicit grant type.
62 00:05:08,140 --> 00:05:13,080 But at the same time, the auth server that they are going to communicate with has to allow it.
63 00:05:13,090 --> 00:05:14,350 Otherwise they can't use it.
64 00:05:14,710 --> 00:05:20,650 But there are some applications where, if they have only JavaScript and HTML UI code, they are
65 00:05:20,650 --> 00:05:26,420 using the implicit grant type so that they can still be able to follow the OAuth2 framework.
66 00:05:26,680 --> 00:05:33,130 So with this, I'm hoping that you understand the difference between the implicit grant type and the authorization
67 00:05:33,190 --> 00:05:34,030 code grant type.
68 00:05:34,300 --> 00:05:40,690 And at the same time, I'm assuming that you are now comfortable choosing which one, based upon the
69 00:05:40,690 --> 00:05:42,470 scenario that you have.
70 00:05:42,890 --> 00:05:48,430 Let's try to discuss the next OAuth2 grant type, which is the resource owner credentials grant
71 00:05:48,430 --> 00:05:49,750 type, in the next video.
72 00:05:49,780 --> 00:05:50,250 Thank you.
73 00:05:50,260 --> 00:05:50,710 And bye.