Collaborate Disseminate
In the implementation of an IPN listener: https://developer.paypal.com/api/nvp-soap/ipn/IPNImplementation/
I understand the IPN listener verifies that the message sent to it comes from paypal by using these steps:
Your listener sends the c… Continue reading what is the security/verification system paypal IPN use called?
Just to elaborate a bit more:
User A owns a directory of files on my server
User A wants to share a link with a token that grants anyone with the link access to that directory
I have an API user A can hit (GenerateDirectoryToken)
User A s… Continue reading I need to generate a token in order to share an ‘invite’ link, what should the token be?
I’m trying to improve security in my single page application.
Before I had only one JWT that was stored in the browser’s localStorage and expired in one day.
I’ve improved security by adding refresh token.
Right now access token lives for … Continue reading The reasoning behind having access and refresh tokens for a single user SPA
in our organization we have our own OpenId server (Identity Server) that we use to authenticate people into our applications, let me explain how we currently handle our web clients.
so we have an API that handles the authentication of user… Continue reading Best Way to handle Authorization tokens on mobile apps
An authorization server issues an access token with issuer details which are exposed in a well-known API of that server. This server uses client authentication JWT tokens with clients configured. These JWT tokens are sent as a part of a re… Continue reading Bearer JWT client authentication and access token issued by authorization server
I’m learning Azure Storage and I am doing my best to make sure access from Internet is as safe as possible.
When I generate a connection string there is a SAS token embedded in the URL.
That token has different permissions parameters and t… Continue reading Azure Shared Access Signature (SAS) token security
In OAuth2 access token is typically JWT signed by authorization server. Assuming that we will use Ed25519 to sign the JWT, we will have 128 bits of security.
But what about access tokens that would be encrypted with XChaCha20-Poly1305 inst… Continue reading Encrypted instead of signed access tokens in OAuth2
I need to use public PASETO tokens with proof fast and reliable proof that footer wasnt modified. Implicit assertions seems good choice for me as they are authenticated data. So technically I would be able to set footer and implicit assert… Continue reading Can PASETO implicit assertion provide that footer wasn’t modified?
I had a card like a credit card that I used to use for work. It was an ID card, and it had an access code, a swiper, a barcode, my picture, my name, my rank, my license, the name of the company, and the address of the building where my com… Continue reading Shred, cut, melt, smash, grind, then flush, is it secure disposal of a security access id card?
We want users of our service to be able to write programs/scripts that act on their (i.e. the user’s) behalf.
I’ve seen various services (github, digital ocean, gitlab) use Personal Access Tokens (PATs) for that purpose.
Is this not someth… Continue reading Personal Access Tokens vs OAuth