I have started a new Youtube video series to explain the concepts of OAuth 2.0 to non-technical people. The series name is “2 minutes OAuth”. As the name suggests, each video will be around two minutes and explains one concept at a time.

The episode #1 explains how OAuth works by taking metro as an example.

You might think

Wait a moment. Is protected resource a train or the gate?

You asking that question is quite correct. In fact, it is one of the shortcomings of the OAuth. It does not distinguish between Policy Enforcement Point and the resource. These are going to be explained later in the series.

For now, what I have in mind for the series are:

  1. Basic concepts
  2. Bearer and Sender constrained tokens
  3. Where are Sender constrained tokens used in RFC6749?
  4. Different Endpoints in OAuth
    1. Authorization Request and Response
    2. Token Request and Response
  5. Confidential and public clients
  6. Access tokens and Refresh tokens
  7. Proof Key for Code Exchange (PKCE)
  8. Implicit flow and code flow
  9. Integrity protected authorization response
  10. JWS Authorization Request (JAR)
  11. PAP, PDP, PEP
  12. (… continues)

I might combine some of them, or split one subject to multiple sub-subjects. They are yet to be seen.

To get updates on my youtube channel, you can subscribe to my channel from here.

I hope you will enjoy it.