Calling an API
How to obtain and use access and refresh tokens for delegated authorization in a traditional web application.
Was this video helpful?
Related Identity Lab
Jump to Section
Jump to a section in the video for explanation on a specific topic.
- Code grant definition
- Scopes and the true meaning of delegated authorization
- Code grant needs secrets
- Offline_access scope
- Code grant diagram
- Authorization request message
- Audience parameter (mistake in the slide, ? instead of &)
- Authorization response
- Redeeming the authorization code
- Expires_in and why clients should never write code to look inside the access token
- Calling an API with an access token
- Authorization terminology
- Refresh token diagram
- What are refresh tokens and why do we need them?
- Requesting refresh tokens: offline_access scope
- Using a refresh token
- Refresh tokens and sessions
- Refresh tokens and persistence, token caching
- Access tokens vs ID tokens recap
- Getting ID tokens on the back channel
- Userinfo endpoint
- Userinfo usage diagram
- Hybrid grant
- Trusted subsystem
- Client credentials grant diagram
Up Next
-
41:01
Desktop and Mobile Apps
Authentication and delegated authorization for desktop and mobile applications and a public client overview.
-
37:29
Single Page Apps
Authentication and delegated authorization for single page applications.
Previous
-
48:54
Introduction to Identity
A whirlwind tour of identity history, concepts, and terminology: protocols, open standards, SSO, OAuth2, OpenID Connect and more.
-
14:58
OpenID Connect and OAuth2
OpenID Connect and OAuth specifications, roles, and grants.
-
34:56
Web Sign-In
Authentication for web applications using OpenID Connect.