Collaborate Disseminate
The web app I’m developing makes use of the concepts of "access token" and "refresh token", even though it uses its own auth scheme.
In certain situations, the web app needs to get an "impersonation token" fro… Continue reading Refresh tokens for impersonating user credentials: how to implement them?
Applications using a Google service account can use that service account’s key (a long-lived credential) to obtain a short-lived access token for Google Artifact Registry and documentation strongly urges against using a service account to … Continue reading Why use access token for Google Artifact Registry access?
Our implementation for authentication works like this
User provides username/password to /login API
API returns access token and refresh token in payload
We store the access token and refresh token in session storage
After a period of tim… Continue reading "Duplicate" of Chrome Tabs causes stale tokens
I’m working on a personal project that is an app that deals with user mental health data. Because of the sensitivity of the data, and the fact that the app syncs with the cloud as apposed to loading data directly from the cloud, I decided … Continue reading Is there any benefit to using refresh tokens if the session token is an opaque token stored in a database?
At first, for MVP, I want to basically allow API requests to only come from my domains, or from a server-side script I control.
For the server-side script, I can simply use a "secret API token" sent in the Authorization Bearer he… Continue reading How do you prevent hackers from taking a "publicly used API key" and using it in their own script?
I have an admin screen, once I access it, it asks for login credentials, then after I login, I get a token that is saved under local storage (see screenshot below)
Noting that I am using edge browser in private mode, when I opem a new tab… Continue reading Does saving the cookie or jwt token in the browser raise a security risk?
If we consider that having a valid refresh token allows you to get a valid access token, then the two can be considered to have the same ‘informational value’ right?
Then why are they treated differently in terms of security aspects like e… Continue reading Why are refresh tokens treated differently than access tokens
I am trying to figure out how to handle access and refresh tokens securely on the front end in a SPA. After doing a lot of reading, I still have questions/doubts about the proposed solutions I found on the internet.
Basically, the internet… Continue reading Secure access and refresh token handling in a SPA
In our development context we have a lot of different tokens. If a developer gets "permission denied", it is often not immediately clear which token was used.
I would like to improve the error message and show a prefix of the tok… Continue reading Showing prefix of token in error message?
Let’s say I got an access token of the "authorization code" grant type. After the expiration of it, I would refresh it using the refresh grant. Then I’ll get a new token. Is the grant type of the new token still the same as the &… Continue reading How should the grant type of an oauth2 access token be preserved after refreshing it using refresh grant?