Collaborate Disseminate
Typically for user passwords we store their hashes and salt alongside in the database – one per user.
I wonder the security implications of hashing the same password twice and storing locally both.
hash(pwd, salt1) # => $digest1$salt1
… Continue reading Storing two hashes of same password?
I’ve spent a few weeks on GCP and GKE (Kubernetes) trying to figure out how to store customer secrets. The secrets are used by some application even when the user is not logged on so I want to ensure no human can reach to them.
A lot of pl… Continue reading Keeping customer secrets safe from sysadmins and devs in Kubernetes
I have been dwelling into OAuth2 and and OpenID Connect for Authorization flow. And I’m still a bit confused.
I do understand that during the code exchange for an access token the user receives an access_token and on top of that also an i… Continue reading How verify id_token from the browser in OAuth2?
I’ve spent more than 10 days trying to understand the Authorization Code Flow for a web application where I’m supposed to implement OpenID Connect for a single sign on. It feels that there is a lot of conflicting information … Continue reading Does the browser get the access_token in OAuth2?