1
00:00:00,270 --> 00:00:06,780
In this video, let's try to understand the third grant that we have inside the OAuth2 flow, which is

2
00:00:06,960 --> 00:00:09,160
the resource owner credentials grant.

3
00:00:09,780 --> 00:00:17,070
So before going into the details, I just wanted to give a scenario where the auth server, the resource server

4
00:00:17,220 --> 00:00:25,260
and the client, everything belongs to the same organization, like my bank, which is the Easy Bank application.

5
00:00:25,620 --> 00:00:32,310
They have multiple independent applications where they're maintaining different details like loans,

6
00:00:32,310 --> 00:00:33,570
cards and accounts.

7
00:00:33,900 --> 00:00:40,260
But since the customer is common for all of them, they decided to implement the authentication logic

8
00:00:40,260 --> 00:00:48,150
and authorization logic in a separate OAuth authorization server. So, as a user, I'll go to the loan application

9
00:00:48,150 --> 00:00:52,890
or card application or account application, and I click login.

10
00:00:53,220 --> 00:01:00,210
If you follow the previous grant types like the authorization code grant type and the implicit grant type, the client will redirect

11
00:01:00,210 --> 00:01:04,050
me to the auth server where I have to enter my credentials.

12
00:01:04,260 --> 00:01:11,790
But that looks very peculiar to me, or annoying to me, with multiple redirects, because it's not making

13
00:01:11,790 --> 00:01:12,000
sense.

14
00:01:12,000 --> 00:01:12,320
Right?

15
00:01:12,410 --> 00:01:19,230
I go to the Easy Bank application, and why is it redirecting me to a different URL where I have to enter

16
00:01:19,230 --> 00:01:19,970
credentials?

17
00:01:20,310 --> 00:01:28,650
So in such scenarios where the auth server, the resource server and our clients belong to the same organization,

18
00:01:28,830 --> 00:01:36,390
to avoid multiple redirects, and to give a good experience to the user, we don't redirect the user

19
00:01:36,390 --> 00:01:37,170
to the auth server.

20
00:01:37,740 --> 00:01:45,300
So due to this reason, when our user goes to some application like the loan application, there'll be a

21
00:01:45,300 --> 00:01:52,980
login page, and again, I will not be told "you will be redirected to the auth server", because

22
00:01:52,980 --> 00:01:55,800
the auth server also belongs to the same organization.

23
00:01:55,980 --> 00:02:00,090
So I enter my credentials on the loans application login page.

24
00:02:00,360 --> 00:02:07,950
My client application will capture my username and password and it will send that request to the auth server

25
00:02:07,950 --> 00:02:12,420
in the backend, without a redirect experience for the user.

26
00:02:12,600 --> 00:02:14,430
And this perfectly makes sense, right?

27
00:02:14,430 --> 00:02:16,950
Because even the auth server also belongs to me,

28
00:02:16,950 --> 00:02:24,570
only my organization, and I can completely trust my client and auth server that they won't misuse the

29
00:02:24,570 --> 00:02:26,850
user details that they receive from the resource owner.

30
00:02:26,900 --> 00:02:31,290
So for such instances, we use the resource owner credentials

31
00:02:31,290 --> 00:02:33,870
grant. Let's try to see what the flow is here.

32
00:02:34,110 --> 00:02:39,930
First, the user will go to the client application and he will directly enter his credentials

33
00:02:40,260 --> 00:02:41,270
in the login page.

34
00:02:41,520 --> 00:02:43,530
Next, the client application

35
00:02:43,770 --> 00:02:49,080
will send the request to the auth server like: here are the user

36
00:02:49,080 --> 00:02:50,190
details, or resource

37
00:02:50,190 --> 00:02:51,090
owner details.

38
00:02:51,390 --> 00:02:57,180
Please validate and provide me an access token. Once the auth server has validated the credentials,

39
00:02:57,330 --> 00:03:03,690
it will provide a token to the client, and in the last two steps the client will make a request for the

40
00:03:03,690 --> 00:03:04,020
resource

41
00:03:04,020 --> 00:03:08,310
by providing the token which it received from the authorization server.

42
00:03:08,310 --> 00:03:10,230
So if the token is valid,

43
00:03:10,470 --> 00:03:15,720
the resource server will provide the resources requested by the client.

44
00:03:15,960 --> 00:03:21,780
As you can see in step 2, where we are making a request to the authorization server for generating the

45
00:03:21,780 --> 00:03:27,090
access token, the client has to generate a request with all the following parameters.

46
00:03:27,090 --> 00:03:33,840
One is the client ID and client secret, which belong to the application that we are trying to log in to,

47
00:03:34,200 --> 00:03:39,540
whether it is the loan application or cards application or account application.

48
00:03:39,750 --> 00:03:45,660
So every application will have a different client ID and client secret, which can be used by the auth server

49
00:03:45,660 --> 00:03:51,890
to identify from which client I'm getting the requests, so that we can use them for auditing purposes

50
00:03:51,890 --> 00:03:52,270
as well.

51
00:03:52,530 --> 00:03:59,640
Next is the scope, similar to authorities, and the third one is a very important one: username and password.

52
00:03:59,730 --> 00:04:03,900
The client itself now holds the username and password.

53
00:04:04,260 --> 00:04:12,270
The reason is the client application and the auth server both belong to the same organization. Due to this

54
00:04:12,270 --> 00:04:18,420
reason, and to avoid that redirect effect for the user, we are sharing the username and password

55
00:04:18,420 --> 00:04:25,560
that we received from the login page of the client to the auth server directly. And the last one is the grant type,

56
00:04:25,650 --> 00:04:33,480
where we have to pass the string value "password", which indicates that my application wants to

57
00:04:33,480 --> 00:04:37,260
follow the resource owner or user credentials grant.

58
00:04:37,410 --> 00:04:46,110
Again, to reiterate, this resource owner credentials grant type will be used only if the client, the authorization

59
00:04:46,120 --> 00:04:50,430
server and the resource servers are maintained by the same organization.

60
00:04:50,580 --> 00:04:57,870
Like many organizations, they have multiple sub applications, multiple internal applications, where

61
00:04:58,320 --> 00:04:59,610
they will isolate all the

62
00:05:00,320 --> 00:05:06,650
authorization and authentication logic into a separate, so-called auth server, and all these multiple applications that that

63
00:05:06,650 --> 00:05:11,930
organization is maintaining will make a request to the auth server to generate a token, but they

64
00:05:11,930 --> 00:05:12,900
don't redirect.

65
00:05:12,920 --> 00:05:15,020
And all this will happen only in the backend.

66
00:05:15,740 --> 00:05:21,110
And one of the primary reasons why we are using this grant type is to give a better experience to the

67
00:05:21,110 --> 00:05:27,370
user by avoiding multiple redirects, since all these applications belong to the same organization.

68
00:05:27,500 --> 00:05:33,500
With this, I'm assuming that now you have a clear understanding of what the resource owner credentials grant

69
00:05:33,500 --> 00:05:39,190
type OAuth2 flow is. In the next video we will discuss the client credentials

70
00:05:39,320 --> 00:05:40,850
grant. Thank you,

71
00:05:40,850 --> 00:05:42,350
and see you in the next video. Bye.