Collaborate Disseminate
in our organization we have our own OpenId server (Identity Server) that we use to authenticate people into our applications, let me explain how we currently handle our web clients.
so we have an API that handles the authentication of user… Continue reading Best Way to handle Authorization tokens on mobile apps
I read about a concept that went something like "access equals authorization," the idea being that there is something secured, and if someone manages to get into it, then they have proven themselves to be allowed to see it. Essen… Continue reading What’s the term/aphorism for a security practice where access equals authorization?
Google accounts have a "Digital Legacy" feature, where accounts that go inactive for a long period (3 months, 6 months, etc.) and do not respond to alerts will eventually trigger Inactive Acccount Notifications to select recipien… Continue reading Digital legacy: safe to save password manager login info in Gmail draft?
I have a hypothetical server and client app.
The server needs to know if a POST request came from my custom client application or regular browser.
what can i do to check who made a request. I mean I want it to be secure so changing user-ag… Continue reading http request authorization [duplicate]
As per the below resource: https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/
we should validate the redirect url at 3 points:
at time of app registration
when the auth flow begins
when granting an access token
A… Continue reading Oauth: redirect uri validation [duplicate]
EDIT: adding more details to make this more suited to security stackexchange.
The solutions that are listed below are not exhaustive, these are some potential ways i think this type of functionality can be implemented. Each of the suggeste… Continue reading One way session sharing between mobile app and web [closed]
We have an oauth implementation, which was chosen because of the following reasons:
session sharing across different applications
easy to reason about the security considerations as oauth is well known and documented
As part of our explo… Continue reading Oauth: native UI for internal / first party apps
I recently completed Azure OAuth2 integration with my existing web application. Upon user’s successful login into my application user can configure multiple outlook accounts using OAuth2 flow.
As for CSRF prevention for my web application … Continue reading Using CSRF token as state parameter for OAuth request
Let say you have a REST API, which you want to use as the backend for React application. The application supports user login. You use JWT authorization to make that REST API stateless. Now the problem I have with that is that the JWT expir… Continue reading REST API authorization
I have an oauth implementation (uses phone number for authentication) which is used across several applications. These applications want to maintain the same identity of the user as the user moves across applications.
Example scenario 1:
… Continue reading Oauth: only allow login with a certain id