Collaborate Disseminate
When the law requires consent screen to be displayed for user? Should it be displayed only for third party applications (e.g. signing to stackoverflow by google account) or is it also necessary for first party apps?
And if user give consen… Continue reading When need I to display consent and should deprecated consents be stored? [migrated]
When we use mTLS we can use access tokens constrained to client certificate that was sent to token endpoint to receive the access token. In this case, if only the client that send this request can use this access token even if access token… Continue reading Access token lifetime when tokens are client certificate constrained
Imagine a authorization_code flow which MUST use PAR and after succeded authorization at authorization_endpoint instead of returning code and state returns only code, but this response is encrypted with state sent earlier in PAR request. N… Continue reading Encrypting authorization response with state
When we use PAR and PKCE, then I see that some of required parameters are useless. See it:
Using pre-registered redirect_uri is now useless, because when we use PAR and set our redirect_uri client is authenticated.
Using state in authoriz… Continue reading Useless request parameters in OpenID Connect
Following FAPI we should use JARM within authorization response (redirection to client with state and code parameter). Does it make any sense, when we use PKCE and PAR? Even if attacker take over code he still isn’t able to get access toke… Continue reading Does using JARM make sense when we use PKCE and PAR?
As in title, I want to know that is TLS encryption end-to-end encryption when between sender and receiver there’s no any middleman? E.g.:
We are sure that TLS in case 2 doesn’t provide end to end encryption because proxy can read sent dat… Continue reading Is TLS encryption between sender and receiver without middlemans end to end encryption and TLS security
Assume that we have a client X and client Y. There’s also api resources: api-resource-1 and api-resource-2, and api scopes: test.read and test.write.
Client X is allowed to test.read within api-resource-1 and api-resource-2. It’s also allo… Continue reading Attack using the same scope names within differents api resources with OpenID Connect / OAuth2
I have an web app that provides login page. User can use this login page while he has valid session verifier in cookie. Full flow looks like this:
User is redirected with some code in query param to login page
This code is validated by th… Continue reading Session verifier giving access to the login action
When we use PAR, I see some problems:
When we redirect user to login page we have to store (while user is on the login page) the same data as contained in request object referenced by request_uri (because the login page must redirect user… Continue reading Handle authorization_code flow with Pushed Authorization Requests
As we can see on this page, BLAKE-3 is about 14 times faster than SHA-256. Is it as safe as SHA-256? I would like to use it for my passwords which are 32 cryptographically random bytes, because my API uses application-layer encryption whic… Continue reading BLAKE-3 vs SHA-256 security