Collaborate Disseminate
Stateless authentication using e.g. JWT can be dangerous as they are non-revocable and can leak giving full access. But they are really flexible.
I’m considering a scenario where the issued JWT is bound to some asymmetric key pair. It coul… Continue reading CryptoKey with IndexedDB to secure stateless authentication
I started noticing this kind of token in a lot of CTF tasks from different authors:
eyJlbWFpbCI6ImVtYWlsQG1haWxib3guZG9tYWluIiwiaWQiOjN9.ZLNCAQ.MxwKVKj_dramWyfT5XxT6g9U3xk
The structure is as follows:
Payload (usually a json string). In m… Continue reading What type of token is this?
My mobile app has this (fairly common) authentication user experience:
user signs in with email and password
user is prompted to enable biometrics for faster access next time
when user returns to app after a time of inactivity
if they en… Continue reading Re-authentication with biometrics in a mobile app using access token
I would like to make a key/string/token encrypted string to send it to the user via email.
This encrypted KEY would have encrypted data (resource id) and would be stored in the database along with valid column. It is meant to be used only… Continue reading Is create a key to access resources than send it to client instead of login/password system , a good idea?
I saw a setup recently where frontend and resource servers were hosted on subdomains of the same second level domain. E.g. ui.example.com and api.example.com.
It had an interesting authentication flow that seemed like a variant of the refr… Continue reading Security implications of using the current session to mint new access tokens
I’m implementing a JWT-based REST API for the first time and I’m trying to figure out what information to send back on the response entity when a user logs in. The strategies I am considering are:
Just an access token, encoded with claims… Continue reading Data Model for JWT claims
I will implement a chat bot web app that can be used on other websites. I plan to to host this app in www.mysite.com and customers will be able display this chat bot inside an iframe on their sites. Website owners that want to use my chat … Continue reading How to pass authentication to iframe from host app?
Our sports site is unlocking one of its main services so it is no longer necessary to sign up to use it for a few days. Anonymous users would have access for a few days, then we would lock them out and prompt them to sign up.
I figured out… Continue reading Does a web access token need to be encoded?
I have a monitoring service website where users can create an account to monitor their websites. I want to develop a WordPress plugin that allows the user to authenticate with the service using oauth2. The plugin can then send and receive … Continue reading Simple ways to secure a webhook?
I have a monitoring service website where users can create an account to monitor their websites. I want to develop a WordPress plugin that allows the user to authenticate with the service using oauth2. The plugin can then send and receive … Continue reading Simple ways to secure a webhook?