1
00:00:00,180 --> 00:00:06,150
So now we have a basic understanding of what tokens are and what their purpose is during the authentication

2
00:00:06,150 --> 00:00:08,189
and authorization flow. In this video,

3
00:00:08,200 --> 00:00:13,830
let's try to understand the advantages of token-based authentication compared to traditional ways

4
00:00:13,830 --> 00:00:15,330
of authenticating the user.

5
00:00:15,480 --> 00:00:22,890
The very primary advantage of using tokens is it will save you from the security risk of sharing the

6
00:00:22,890 --> 00:00:28,800
credentials over the network again and again for each and every request that you're sending to the backend,

7
00:00:28,920 --> 00:00:36,570
because in token-based authentication, you only pass the credentials during the initial login, and

8
00:00:36,570 --> 00:00:37,050
post that,

9
00:00:37,410 --> 00:00:44,220
all the subsequent operations will carry on based upon the token that is generated by the backend.

10
00:00:44,220 --> 00:00:51,000
And think of a scenario where you have booked a room inside a hotel, and only during the initial conversation

11
00:00:51,000 --> 00:00:58,920
with the receptionist will you prove yourself by giving your ID proofs. Later on, the receptionist will

12
00:00:58,920 --> 00:01:01,340
give you an access card to your room.

13
00:01:01,350 --> 00:01:08,730
So the access card is like a token, where you don't have to go to the receptionist or security each and every time

14
00:01:08,730 --> 00:01:09,740
to prove yourself.

15
00:01:09,930 --> 00:01:16,730
But instead you have a temporary token, which is given by the hotel staff itself.

16
00:01:16,740 --> 00:01:24,810
And the same token you can use whenever you want to access any hotel-related facilities like the gym, restaurant,

17
00:01:24,810 --> 00:01:27,720
lift and your room. In the same manner,

18
00:01:27,870 --> 00:01:29,250
tokens also work.

19
00:01:29,280 --> 00:01:36,030
Once you prove your authentication to the system by passing your credentials, it will generate a token

20
00:01:36,180 --> 00:01:42,330
and give it to you as a response, which will be used for all the subsequent requests that you are

21
00:01:42,330 --> 00:01:43,830
going to make to that server.

22
00:01:43,980 --> 00:01:51,270
And at the same time, with the help of tokens, you can invalidate them if you see any suspicious activities,

23
00:01:51,270 --> 00:01:54,570
instead of invalidating the credentials of the users.

24
00:01:54,570 --> 00:02:00,690
If you invalidate the credentials of the user, the user will be affected, so that he again has to call

25
00:02:00,690 --> 00:02:04,740
the call center and reset his password, which is a cumbersome process.

26
00:02:04,740 --> 00:02:10,889
Instead, if you see any suspicious activities over the network or any security breaches happening inside

27
00:02:10,889 --> 00:02:11,640
your system,

28
00:02:11,640 --> 00:02:18,360
you can simply invalidate these tokens, which will force the user to log in again with his original

29
00:02:18,360 --> 00:02:20,010
credentials. At the same time,

30
00:02:20,040 --> 00:02:23,190
you can also set a lifespan for these tokens.

31
00:02:23,310 --> 00:02:30,990
And suppose if I generate a token and set the lifespan as 24 hours, the token will be valid for one

32
00:02:30,990 --> 00:02:32,410
day. After one day,

33
00:02:32,620 --> 00:02:36,160
again the user has to validate with his original credentials.

34
00:02:36,200 --> 00:02:43,560
Similarly, using tokens, not only can we maintain the authentication and authorization of the user,

35
00:02:43,770 --> 00:02:46,560
we can also share some extra information.

36
00:02:46,560 --> 00:02:47,580
Like what?

37
00:02:47,670 --> 00:02:55,830
User details like e-mail, his mobile number, his roles and authorities, which you can pass inside the

38
00:02:55,830 --> 00:03:03,000
token in an encrypted or encoded format to the client, so that they can also leverage that information

39
00:03:03,030 --> 00:03:07,540
on the client side or any consuming side where they need this information.

40
00:03:07,560 --> 00:03:14,250
Next, tokens will give you reusability. Like, if you have many separate servers, especially in micro-

41
00:03:14,250 --> 00:03:20,550
services scenarios, you can use the same token that got generated from the single authorization server,

42
00:03:20,820 --> 00:03:24,720
and all the subsequent other servers that are staying inside

43
00:03:24,720 --> 00:03:30,400
my microservices can use the same token to validate the user details.

44
00:03:30,420 --> 00:03:36,720
The next primary advantage of token-based authentication is that we don't maintain cookies on the browser

45
00:03:36,720 --> 00:03:41,460
side, which will save us from security attacks like CSRF attacks.

46
00:03:41,490 --> 00:03:46,890
Next, with the help of tokens, we can maintain our application as stateless.

47
00:03:47,070 --> 00:03:55,260
And it's very easy to scale in microservices, in scenarios where I want to scale my application horizontally.

48
00:03:55,440 --> 00:04:02,700
In all such scenarios, we don't have to worry, because we are not tying up our user authentication details

49
00:04:02,700 --> 00:04:07,050
to a single server by maintaining a session on the server. Instead,

50
00:04:07,230 --> 00:04:14,460
since we are using a token-based authentication mechanism, even if we have load balancers that redirect

51
00:04:14,460 --> 00:04:21,660
our load to multiple servers inside our microservices architecture, still the token-based authentication

52
00:04:21,660 --> 00:04:28,860
will work, because the tokens can be available to all the servers inside your application through a common

53
00:04:28,860 --> 00:04:30,410
point called the authorization server.

54
00:04:30,420 --> 00:04:36,690
So in the previous videos we have built an Easy Bank application. In that application,

55
00:04:36,840 --> 00:04:44,130
without our knowledge, we are using two tokens which helped us in not providing the credentials again

56
00:04:44,130 --> 00:04:44,790
and again.

57
00:04:45,000 --> 00:04:53,340
One is the CSRF token, which protects us from CSRF attacks, and the other one is JSESSIONID, which is

58
00:04:53,340 --> 00:04:59,910
maintaining the user's HTTP session, and this JSESSIONID token helps

59
00:04:59,980 --> 00:05:07,000
in validating the requests again and again without credentials on the backend. And let's try to explore

60
00:05:07,000 --> 00:05:13,440
that in the next video, about these two tokens that we generated, so that it will become more clear to us.

61
00:05:13,510 --> 00:05:13,990
Thank you.

62
00:05:13,990 --> 00:05:15,400
And see you in the next video. Bye.