Collaborate Disseminate
we know that we need to pass both client_id and redirect_uri in the authorization request.
https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission
But isn’t that client app already registered its redirec… Continue reading Why redirect_uri is needed when client_id is supplied in OAuth2?
I am doing a security audit on a command line tool. The tool is java based and it runs on the server side, it collects some info and generate a report at the end of the run.
This tool can run nevertheless of which user has run this, so any… Continue reading how to apply authentication/authorization on CLI tools
Let say I have “transactions” and “users” services managing transactions and users data respectively. Transaction record only has sender user id, but on display I want to show sender’s email. I also want to keep “transactions” as decoupled… Continue reading Encrypted ids to break inter-service dependencies
I am dealing with a coworker who keeps insisting there is no need to protect requests to our Web API. His rationale is, the only client to it (our Web front end) already makes sure only the authorized users can access the functions at the … Continue reading Resources on best practices to support why we need to protect Web API
In Kubernetes clusters, we often wish to provide temporary credentials to the containerised processes running in a particular pod, usually marked by associating the pod with a service account.
Recently (in late 2023) AWS introduced "… Continue reading How do AWS "Pod Identities" compare to (OIDC) IRSA?
How to troubleshoot this error which is thrown when trying to connect my neighboring (windows) system via the simple evil-winrm command:
Evil-WinRM shell v3.5
Warning: Remote path completions is dis… Continue reading evil-winrm utility error [closed]
Disclaimer: question orignally posted here but i was encouraged to ask it in this stack instead.
Introduction part
I’m writing an application that requires authentication to be used, specifically the database and config file can only be re… Continue reading Login with roles without internet
I wrote a login backend with express.js to provide authentication (through LDAP) and authorization (through a database of authorized users for each app on mysql). This backend generates jwt and sends them back in the form of an http only c… Continue reading Should I validate json web tokens on my app backend or login backend?
There is a particular class of vulnerability that I’ve seen on enough ASP.NET applications that I’m starting to wonder what the underlying cause it. The pattern goes as follows
The application has multiple levels of permission
When a user… Continue reading Why does ASP.NET enforce authorization through page rendering rather than on the server?
Assume we have a platform which has some crypto functionalities.
the infrastructure is as follows:
We have two nodes in a cluster, Computer A and Computer B.
Computer A is the main server which handles many types of requests from clients … Continue reading How to check authority of sensitive requests between two nodes in cluster?