Collaborate Disseminate
We have 3 different applications which have the same top level domain.
a.example.com
b.example.com
example.com
We have a login mechanism where the user provides a username + password and logs in. Each of these websites wants to have cont… Continue reading SSO Using API based login (not through UI redirection)
We have 3 different applications which have the same top level domain.
a.example.com
b.example.com
example.com
We have a login mechanism where the user provides a username + password and logs in. Each of these websites wants to have cont… Continue reading SSO Using API based login (not through UI redirection)
As per the below resource: https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/
we should validate the redirect url at 3 points:
at time of app registration
when the auth flow begins
when granting an access token
A… Continue reading Oauth: redirect uri validation [duplicate]
EDIT: adding more details to make this more suited to security stackexchange.
The solutions that are listed below are not exhaustive, these are some potential ways i think this type of functionality can be implemented. Each of the suggeste… Continue reading One way session sharing between mobile app and web [closed]
We have an oauth implementation, which was chosen because of the following reasons:
session sharing across different applications
easy to reason about the security considerations as oauth is well known and documented
As part of our explo… Continue reading Oauth: native UI for internal / first party apps
I have an oauth implementation (uses phone number for authentication) which is used across several applications. These applications want to maintain the same identity of the user as the user moves across applications.
Example scenario 1:
… Continue reading Oauth: only allow login with a certain id
I have an application where the frontend app talks to 2 set of API servers: be1.domain.com and be2.domain.com
both these servers are independent entities (they do share the same top level domain, in case that is useful for this discussion)… Continue reading Oauth: Authorizing multiple clients at once
I understand that oauth is an Authorization protocol, but it is possible to use it for authentication when clubbed with something like open ID Connect.
I am trying to understand why do we need an extra token in the redirect url to prove au… Continue reading Using oauth for authentication
COOP: cross origin opener policy
COEP: Cross origin embedder policy
Most of the articles on the web, related to COOP / COEP, point to the fact that by enabling COOP / COEP , your web page can use the sharedArrayBuffer and some other precis… Continue reading COOP and COEP: Is there an advantage to enabling COOP / COEP if I don’t need to use the sharedArrayBuffer or other features?
Take an example of google maps. google maps provides a javascript client SDK, which means any web app running javascript can access the google maps sdk. You need to use an API_KEY so that google can rate limit your requests, and apply some… Continue reading How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?