Collaborate Disseminate
Stateless authentication using e.g. JWT can be dangerous as they are non-revocable and can leak giving full access. But they are really flexible.
I’m considering a scenario where the issued JWT is bound to some asymmetric key pair. It coul… Continue reading CryptoKey with IndexedDB to secure stateless authentication
I have to secure HTTP requests`s body on application layer, so I wanted to generate signatures with hash of body and the receiver will validate it.
But I can do it in different way and apply it into existing architecture. My server already… Continue reading Applying application-level signing in HTTP
This spec defined DPoP mechanism to bind cryptographically bind access tokens. There is also mention about authorization code binding.
But hey, do you see any sense in it? Ok, it obviously is a way to prevent authorization code injection a… Continue reading Is there any sense in use of Authorization Code Binding To DPoP Key when client is confidential and uses PKCE?
I need to provide high security for user data. So I would have to encrypt userinfo_endpoint response (despite using TLS, these are the requirements I got).
But encrypting userinfo_endpoint response require a some mechanism to do key exchan… Continue reading Using id_token for all user data instead of userinfo endpoint in OIDC
I use OAuth2 private_key_jwt authentication scheme to authenticate clients. Also, I need to be sure that request body isn’t modified.
I see two ways:
In token which I use to authenticate client I can add claim that contains hash of entire… Continue reading Sign vs hash HTTP body request
In OAuth2 access token is typically JWT signed by authorization server. Assuming that we will use Ed25519 to sign the JWT, we will have 128 bits of security.
But what about access tokens that would be encrypted with XChaCha20-Poly1305 inst… Continue reading Encrypted instead of signed access tokens in OAuth2
I have a OIDC provider that can’t use mutual TLS authentication due to mTLS problems like certificates expiration (what if client didn’t rotate certificate and it’s expired now? Client cant authenticate to server to e.g. inform server that… Continue reading Using certificate-constrained access tokens created by private key used to authentication (with private_key_jwt)
I need to use public PASETO tokens with proof fast and reliable proof that footer wasnt modified. Implicit assertions seems good choice for me as they are authenticated data. So technically I would be able to set footer and implicit assert… Continue reading Can PASETO implicit assertion provide that footer wasn’t modified?
When last time I was thinking about mTLS, I came to a conclusion that this is too hard to implement but at the same time it provides high security. The reason why it’s hard to implement is that it’s not done on application layer, so e.g we… Continue reading Mutual TLS replacement
I need high security for my app, so I have to add security headers for my views. However, I’m not entirely sure I understood the CSP header correctly (specifically its parameters). Is my combination safe and provides high security against … Continue reading The most safe combination for Content Security Policy