Collaborate Disseminate
At first, for MVP, I want to basically allow API requests to only come from my domains, or from a server-side script I control.
For the server-side script, I can simply use a "secret API token" sent in the Authorization Bearer he… Continue reading How do you prevent hackers from taking a "publicly used API key" and using it in their own script?
I have an admin screen, once I access it, it asks for login credentials, then after I login, I get a token that is saved under local storage (see screenshot below)
Noting that I am using edge browser in private mode, when I opem a new tab… Continue reading Does saving the cookie or jwt token in the browser raise a security risk?
If we consider that having a valid refresh token allows you to get a valid access token, then the two can be considered to have the same ‘informational value’ right?
Then why are they treated differently in terms of security aspects like e… Continue reading Why are refresh tokens treated differently than access tokens
I am trying to figure out how to handle access and refresh tokens securely on the front end in a SPA. After doing a lot of reading, I still have questions/doubts about the proposed solutions I found on the internet.
Basically, the internet… Continue reading Secure access and refresh token handling in a SPA
In our development context we have a lot of different tokens. If a developer gets "permission denied", it is often not immediately clear which token was used.
I would like to improve the error message and show a prefix of the tok… Continue reading Showing prefix of token in error message?
Let’s say I got an access token of the "authorization code" grant type. After the expiration of it, I would refresh it using the refresh grant. Then I’ll get a new token. Is the grant type of the new token still the same as the &… Continue reading How should the grant type of an oauth2 access token be preserved after refreshing it using refresh grant?
Will a random-generated-session-key be enough, so that I can end the usage of csrf token? The front end, will receive the token when logged in. It will be stored in «local storage» at the client’s device and check for every request to back… Continue reading No csrf token, instead sessiontokens?
I have read a number of posts of many people expressing their confusion around the extra security gained from using an access token and a refresh token to control access to a resource API.
Picking up from this post how-does-a-jwt-refresh-t… Continue reading Do we really need refresh tokens?
I want to create a server where after the user logs the server gives them a randomly generated access token that is hashed using SHA256, that I store in the database a long with an expiration date, I thought this was secure, until I rememb… Continue reading is access token using SHA256 secure?
The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.
The setup: There is a client, application server and authentication server.
The client stores… Continue reading can we use access token as session cookie in browser? and how to protect it?