Collaborate Disseminate
In a header you can have—for example—"Authorization: Basic " xor "Authorization: Bearer ".
If I use my Bearer token as Basic, then can this endpoint double as a give me fresh tokens for this access token"?
https://… Continue reading Bearer token in header as Basic token? – Does that violate the RFC6749 spec?
We have an ASP.NET Core MVC web application that signs in users (assuming that this is the correct app type). It is pretty simple, users can sign-in via their Entra ID account. Within Entra ID they can be assigned app roles. Various contro… Continue reading Using ID token for role-base authorization in ASP.NET Core MVC
I came across a site that allows the client-security-token in CORS requests:
Access-Control-Allow-Headers: …, client-security-token
I have not found any request yet that includes this header. But it also does not seem to be application-… Continue reading What is the client-security-token header typically used for?
I have a server exposing a REST service. I am thinking about a way to prevent unauthorized access to the service.
Setup
My current setup is as follows:
The server uses SSL.
There are exactly three clients that are allowed to access the RE… Continue reading Can I sufficiently protect my REST Service using shared Tokens?
I’m working on an app called AwesomeApp that uses Google Sign-In for user authentication. When users sign in, the app receives a Google ID token.
We are integrating with a third-party service, ScoreboardService, which also needs to identif… Continue reading Is it safe to pass Google ID tokens to third-party services for user authentication?
A random Discord user, who is probably a hacker, sent me an alleged "Parts of Discord Token of Mine", while I was using the browser version of Discord. It really freaks me out as I soon found out it really is my token.
I’m worrie… Continue reading Discord token got leaked?
I am currently trying to build an authentication flow where the front end lives on one domain, say X.com and the backend lives on Y.com. I have implemented a refresh/access token system where when a user logs in with username and password … Continue reading Where to store Refresh Token in custom Authentication
I’m writing system which is SPA+BFF+Backend. The BFF is a confidential client. Is responsibe for Authentication and stores AccessToken in Redis. To the browser only goes generated ID of the token in the encrypted cookie. We do not have ext… Continue reading Is refresh token in SPA+BFF (confidential client) necessary?
When a user signs in they receive a authorisation token that is then sent along with each subsequent request to authorise the user, and the token is refreshed every server call or once per minute. I heard about attacks where the tokens wer… Continue reading How to tie an authorisation token to a device?
I’m trying to build a cli tool for an application that provides a web-based API. The use-case is to allow performing common tasks through a command-line client, and perform quick admin actions from a cli without having to gnaw at the gui t… Continue reading User token in command line tool