Collaborate Disseminate
I want to provide authorization for our native application. Requirements are like:
It is a to-customer product.
All features are integrated in the software provided to customer, like product = {feature0, feature1, feature2}. When a custom… Continue reading Is OAuth2 a Good Choice for Small First-party Native Application?
I want to provide authorization for our native application. Requirements are like:
It is a to-customer product.
All features are integrated in the software provided to customer, like product = {feature0, feature1, feature2}. When a custom… Continue reading Is OAuth2 a Good Choice for Small First-party Native Application?
In the OAuth2 authorization code grant, in the case of a public client, what is the point of exchanging the authorization code for a token, rather than issuing a token directly?
In the oauth2 authorization code grant flow, if the client is not a web application, but rather a mobile application, how can the authorization server redirect to the client?
Continue reading OAuth2 authorization code grant: how does redirection work for mobile applications?
I’ve been using the Microsoft ASP.NET Identity Library. It’s a basic authentication and authorization system that is a DLL that stores everything in my app’s DB. It has screens for forgotten password, verify email, etc. It supports roles &… Continue reading Microsoft Identity vs ASP.NET Core Identity
I’ve been using the Microsoft ASP.NET Identity Library. It’s a basic authentication and authorization system that is a DLL that stores everything in my app’s DB. It has screens for forgotten password, verify email, etc. It supports roles &… Continue reading Microsoft Identity vs ASP.NET Core Identity
I have seen applications use both the Authentication HTTP header, as well as a cookie, or sometimes even both, to store & transmit BEARER tokens (JWT) when they send requests. For example, I am currently looking at an application where… Continue reading What are the security implications of receiving a secret (e.g. OAuth BEARER) token via cookie vs. Authorization header?
I’m wondering: when the user changes their password or their e-mail address, should I expect the current password in the request body and verify it at my backend? The advantage seems to be that a stolen JWT doesn’t suffice to steal one’s i… Continue reading Changing credentials: Should I send the password next to the JWT?
Is this a good approach to preventing the leakage of secrets?
Say I had a simple setup where Alice holds the secret to access Bob, and Charlie has basic shell access to Alice (with a different auth method). Charlie echoing "$BOB_SECRE… Continue reading Intercept calls to authenticated 3rd-party APIs, to automatically add auth keys?
according to https://darutk.medium.com/diagrams-of-all-the-openid-connect-flows-6968e3990660
there are two access tokens, one from Authorization endpoint and one from Token endpoint, which is kind of hybrid flow.
I have two questions (the… Continue reading why there is a need to use two access tokens in OpenID Connect?