Collaborate Disseminate
My understanding is that the OAuth Authorization Code Flow is used to avoid exposing the access token from the User Agent. But why?
I was reading this article (Common OAuth Vulnerabilities) by Doyensec.
It says that the Authorization Code … Continue reading Why hide the access token from the User Agent? (OAuth Authorization Code Grant)
Why would an OAuth implementation choose to use the Authorization Code Grant — when it means that the access tokens are leaked to a third party?
I’ve been using API keys for a package on my server to communicate with a service provider’s … Continue reading When not to use Authorization Code Grant?
What questions should I ask to determine if a given OAuth implementation is secure?
I’ve been using a wordpress plugin for payments that authenticates with the payment gateway with an API key. I like this method, because:
When I generate … Continue reading How to assess poor OAuth security implementations?
Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes. Continue reading Next.js Middleware Flaw Lets Attackers Bypass Authorization
Now for some context, i have some private API endpoints that i want to secure, ideally i want the clients to have a single token in their config (these clients are other servers), along with a encrypted token in a db that can be revoked,
N… Continue reading What authorization should be used for a private API
Basically I am doing a GET on this URL from SAP:
https://www.thirdparty.be/webservices.php?m=get_private_information&o=json&u=username&p=password
The third party webservice does use IP-whitelisting, and they have whitelisted o… Continue reading I’m calling the API of a third party, and have to pass the credentials as parameters in a HTTPS URL. Is that safe?
Basically I am doing a GET on this URL from SAP:
https://www.thirdparty.be/webservices.php?m=get_private_information&o=json&u=username&p=password
The third party webservice does use IP-whitelisting, and they have whitelisted o… Continue reading I’m calling the API of a third party, and have to pass the credentials as parameters in a HTTPS URL. Is that safe?
I am studying the security considerations chapter of oauth2 RFC 6749, but I am a bit confused about Authorization Code Redirection URI Manipulation paragraph 10.6:
"When requesting authorization using the authorization code grant
t… Continue reading Authorization Code Redirection URI Manipulation Doubts
Scenario: A user logs-in to a web application and receives a JWT Token. The Token Service looks up user roles and adds them to the JWT Claims and all necessary signatures to the token.
When the receiving application receives the token, it… Continue reading JWT Token Claim Validation after it has been granted
This isn’t new, but it’s increasingly popular:
The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.
Rather than authenticating the user directly, the input-constrained device displays an alphabetic or alphanumeric device code along with a link associated with the user account. The user opens the link on a computer or other device that’s easier to sign in with and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account…