How to map refresh token, stored server side in the client app, to a specific user?

My app so far was using only access tokens. And whenever the token expired, the user had to log in again. That's the reason I want to start using refresh tokens. They can apparently be stored server side in the client app as written here, …

Is it okay to use an expired access token to look up its corresponding refresh token?

setup
I have inherited this infrastructure setup

app A handles the frontend. The server is very small and it mainly just calls app B.
app B is an API server. It's both a resource server and the gateway for oauth (which I feel is not ideal…
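The two questions above ask how a server-side store binds a refresh token to a particular user, and whether an already expired access token may be used to find the refresh token that belongs to it. The following is an added example written for this page, not code from either poster: an in-memory stand-in for that server-side table. It assumes opaque random tokens (no JWT), a 15-minute access lifetime and a 30-day refresh lifetime, all of which are assumptions. The expired access token serves only as a lookup key; the presented refresh token must still match the stored hash, it is rotated on every use, and a rotated token that shows up a second time is treated as stolen and revokes every session of that user.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Lifetimes are assumed for the example; the posts give none.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 30 * 24 * 3600


def token_hash(token: str) -> str:
    """Only hashes are stored, so a copied table does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user_id: str
    access_hash: str
    refresh_hash: str
    access_exp: float
    refresh_exp: float
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for the server-side table that binds both tokens of a
    session to one user (assumed design: opaque random tokens, hashed at rest)."""

    def __init__(self) -> None:
        self.by_access: dict[str, Session] = {}
        self.by_refresh: dict[str, Session] = {}

    def issue(self, user_id: str, now: float | None = None) -> tuple[str, str]:
        now = time.time() if now is None else now
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        session = Session(user_id, token_hash(access), token_hash(refresh),
                          now + ACCESS_TTL, now + REFRESH_TTL)
        self.by_access[session.access_hash] = session
        self.by_refresh[session.refresh_hash] = session
        return access, refresh

    def user_for_refresh(self, refresh: str, now: float | None = None) -> str | None:
        """First question: the refresh token itself is the key that maps to the user."""
        now = time.time() if now is None else now
        session = self.by_refresh.get(token_hash(refresh))
        if session is None or session.revoked or now >= session.refresh_exp:
            return None
        return session.user_id

    def rotate(self, expired_access: str, refresh: str,
               now: float | None = None) -> tuple[str, str] | None:
        """Second question: the expired access token may locate the session, but it
        authorizes nothing; the refresh token must still match and is then rotated."""
        now = time.time() if now is None else now
        session = self.by_access.get(token_hash(expired_access))
        if session is None:
            return None
        if not hmac.compare_digest(session.refresh_hash, token_hash(refresh)):
            return None
        if session.revoked:
            # A rotated refresh token presented again means it was copied:
            # treat it as theft and end every session of this user.
            self.revoke_user(session.user_id)
            return None
        if now >= session.refresh_exp:
            return None
        session.revoked = True
        return self.issue(session.user_id, now)

    def revoke_user(self, user_id: str) -> None:
        for session in self.by_access.values():
            if session.user_id == user_id:
                session.revoked = True
```

A real deployment would put `Session` rows in the database behind app B and index them by both hashes; the reuse-detection branch is the part that makes looking sessions up by access token safe, because an attacker holding only the access token gets nothing, and one holding a copied refresh token gets at most one use before the user is logged out everywhere.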

Is accessing bank transactions via Android spending details management Android apps safe? [closed]

I would like to ask whether accessing bank transactions via Android spending details management Android apps is safe.
In particular, I would like to know, apart from the fact that exchanges with bank servers occur via tokens and encryption…

Please review the token_exchange delegation flow implementation draft I have put together? [closed]

I am trying to understand the complete flow and I have put together an implementation draft.
Please forgive any silly mistakes.
Here’s the draft:
https://github.com/arjunballa/api-security/blob/main/token-exchange-delegation-flow.md

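The linked draft itself is not reproduced on this page. As an added example, written for this page and not taken from that draft, here is the part of an RFC 8693 delegation flow that is fixed by the specification: the form-encoded request the actor sends to the token endpoint (section 2.1), the claims the authorization server places in the issued token (section 4.1, with the `act` chain nested so that the outermost `act` is the current actor), and a minimal policy gate in front of it. The issuer, audiences, actor names and the `allowed_actors` policy table are all constructed for the example; signature verification of the incoming tokens is assumed to have happened already.

```python
from urllib.parse import urlencode

# Identifiers fixed by RFC 8693.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def delegation_request(subject_token: str, actor_token: str,
                       audience: str, scope: str = "") -> str:
    """Body the actor POSTs to the token endpoint (RFC 8693 section 2.1).
    Delegation is signalled by actor_token being present; impersonation omits it."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "actor_token": actor_token,
        "actor_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "requested_token_type": JWT_TOKEN_TYPE,
    }
    if scope:
        params["scope"] = scope
    return urlencode(params)


def delegated_claims(issuer: str, subject_claims: dict, actor_claims: dict,
                     audience: str, now: int, ttl: int = 300) -> dict:
    """Claims of the issued token (RFC 8693 section 4.1): sub stays the original
    subject, the current actor becomes the outermost act, and an act already on
    the subject token is nested one level deeper so the whole chain survives."""
    act = {"sub": actor_claims["sub"]}
    if "act" in subject_claims:
        act["act"] = subject_claims["act"]
    return {
        "iss": issuer,
        "sub": subject_claims["sub"],
        "aud": audience,
        "act": act,
        "iat": now,
        "exp": now + ttl,
    }


def authorize_exchange(issuer: str, subject_claims: dict, actor_claims: dict,
                       audience: str, allowed_actors: dict, now: int):
    """Policy the token endpoint applies before minting (assumed policy shape:
    audience -> set of actor subjects allowed to act toward it). Both input
    tokens are assumed signature-checked; only freshness and policy are done here.
    Returns the new claims, or None when the exchange must be refused."""
    if now >= subject_claims["exp"] or now >= actor_claims["exp"]:
        return None
    if actor_claims["sub"] not in allowed_actors.get(audience, set()):
        return None
    return delegated_claims(issuer, subject_claims, actor_claims, audience, now)
```

The nesting rule is the piece most often got wrong in hand-written drafts: each hop wraps the previous `act` rather than replacing it, so a downstream resource can see every service that acted on the user's behalf, in order.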

Bearer token in header as Basic token? – Does that violate the RFC6749 spec?

In a header you can have—for example—"Authorization: Basic " xor "Authorization: Bearer ".
If I use my Bearer token as Basic, then can this endpoint double as a "give me fresh tokens for this access token"?
https://…
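The two schemes in the question carry different things: under RFC 7617, Basic credentials are the base64 encoding of `user-id ":" password`, and RFC 6749 section 2.3.1 uses exactly that form for client authentication with `client_id` as the user-id, whereas an RFC 6750 bearer token is an opaque `b64token`. As an added example written for this page, not code from the poster, the parser below accepts an `Authorization` header, decides which scheme it carries, and shows why a bearer token dropped into the Basic slot cannot quietly become a client credential: it either is not valid base64 or, if it is, decodes to bytes with no colon, and both cases are rejected instead of being passed on. The client identifier and secret in the test are taken from the RFC 6749 examples; the helper names are this example's own.

```python
import base64
import binascii
import re

# token68 from RFC 7235: the only characters a Basic or Bearer credential may contain.
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def basic_credentials(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1 client authentication: Basic with client_id as user-id."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_authorization(header: str):
    """Return ("basic", (user_id, password)), ("bearer", token) or None.

    The scheme name is case-insensitive (RFC 7235). Basic credentials must be
    base64 of user-id ":" password (RFC 7617); a bearer token placed in the
    Basic slot fails one of those two checks and is refused rather than being
    treated as a client secret."""
    scheme, _, rest = header.strip().partition(" ")
    rest = rest.strip()
    if not TOKEN68.fullmatch(rest):
        return None
    scheme = scheme.lower()
    if scheme == "bearer":
        return ("bearer", rest)
    if scheme == "basic":
        try:
            raw = base64.b64decode(rest, validate=True)
        except (binascii.Error, ValueError):
            return None
        if b":" not in raw:
            # Valid base64 but not user-id:password, so not Basic credentials.
            return None
        user_id, _, password = raw.decode("utf-8", "replace").partition(":")
        return ("basic", (user_id, password))
    return None
```

Whatever the endpoint then does with a parsed Basic pair, it is authenticating a client, not refreshing a user's session; issuing new tokens for an access token is the refresh_token grant's job, and the parser keeps the two inputs from being confused at the edge.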

Is it safe to pass Google ID tokens to third-party services for user authentication?

I’m working on an app called AwesomeApp that uses Google Sign-In for user authentication. When users sign in, the app receives a Google ID token.
We are integrating with a third-party service, ScoreboardService, which also needs to identif…
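An ID token's `aud` claim names the client it was minted for, so a token AwesomeApp receives carries AwesomeApp's client ID; a correctly written ScoreboardService would have to reject it as not issued for its audience. The following is an added example written for this page, not code from the poster or from Google's libraries. It shows the claim checks both parties must apply (issuer, audience, expiry, issue time, subject) and the usual alternative to forwarding the Google token: AwesomeApp's backend mints its own short-lived HS256 token for ScoreboardService, carrying only the Google subject, with `aud` set to ScoreboardService. The two client identifiers, the shared key and the `claim_problems`/`mint_scoreboard_token`/`verify_scoreboard_token` names are assumptions of this example; the RS256 signature check of the real Google token against Google's JWKS is assumed to be done by a library and is not shown.

```python
import base64
import hashlib
import hmac
import json
import time

# Google's two ID token issuer values; the client identifiers are placeholders.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
AWESOMEAPP_CLIENT_ID = "000000000000-awesomeapp.apps.googleusercontent.com"
SCOREBOARD_AUDIENCE = "https://scoreboard.example"
CLOCK_SKEW = 60  # seconds of tolerated clock drift


def claim_problems(claims: dict, issuers: set, expected_aud: str, now: float) -> list:
    """Claim checks applied after the signature has been verified. An empty list
    means the token is acceptable for the caller named by expected_aud."""
    problems = []
    if claims.get("iss") not in issuers:
        problems.append("unexpected issuer")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # JWT allows a list
    if expected_aud not in auds:
        problems.append("token was not issued for this audience")
    if now >= claims.get("exp", 0) + CLOCK_SKEW:
        problems.append("expired")
    if claims.get("iat", 0) > now + CLOCK_SKEW:
        problems.append("issued in the future")
    if not claims.get("sub"):
        problems.append("missing sub")
    return problems


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_scoreboard_token(google_sub: str, key: bytes, now: float, ttl: int = 300) -> str:
    """What AwesomeApp's backend hands to ScoreboardService instead of the Google
    ID token: its own HS256 token, audience ScoreboardService, subject only.
    The shared key between the two backends is an assumption of the example."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "awesomeapp", "sub": google_sub, "aud": SCOREBOARD_AUDIENCE,
               "iat": int(now), "exp": int(now) + ttl}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_scoreboard_token(token: str, key: bytes, now: float):
    """ScoreboardService side: fixed algorithm, signature first, then the same
    claim checks with its own audience. Returns the subject or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        if header.get("alg") != "HS256":  # never let the token pick the algorithm
            return None
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad JSON, bad UTF-8
        return None
    if claim_problems(claims, {"awesomeapp"}, SCOREBOARD_AUDIENCE, now):
        return None
    return claims["sub"]
```

The test below feeds a constructed Google-style claim set through `claim_problems` twice: once as AwesomeApp, where it passes, and once as ScoreboardService, where the audience check alone fails it.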