Collaborate Disseminate
In oauth2 client credentials grant, does the authorization server always return an opaque access token? Or could this also be a signed JWT which the client can then use with an API without requiring the use of introspection?
I have used frida to bypass certificate pinning of an app and was able to capture http traffic. But I notice that the authorization bearer uses JWT with a signature (over a timetamp). So I was wondering if I can hook any functions in frida… Continue reading Possible to use Frida to capture secret for jwt signature?
I am a bit confused. Every tutorial I found for JWT authentication method mentions that the token produced shouldn’t be valid for more that 5 minutes. Thats why the method should cowork with cookies (known as refresh-token in JWT). On the … Continue reading Doesn’t JWT authentication need cookies?
Context
I’ve read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it’s not clear to me why.
The recommended approach seems to be using aud and sub claims … Continue reading What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?
If I sign JWT (as per JWS spec) with a private key, the receiver of JWT will want to validate the signature and they need public key to do that.
The public key can be "baked" into the app validating or it can be retrieved from an… Continue reading Why is JWT claim x5t (thumbprint) useful?
I’m working on an app called AwesomeApp that uses Google Sign-In for user authentication. When users sign in, the app receives a Google ID token.
We are integrating with a third-party service, ScoreboardService, which also needs to identif… Continue reading Is it safe to pass Google ID tokens to third-party services for user authentication?
Background
Hashicorp Vault provides an auth method to enable Kubernetes Pods to authenticate to Vault by configuring integration between a Kubernetes cluster and Vault.
Question
The docs recommend setting up OIDC discovery endpoint integra… Continue reading Risks in using JWKS URL over OIDC discovery endpont?
I apologise in advance if this is a dumb question. But this seems like one of those straight forward things that are so straight forward that its not even mentioned and I am not getting it.
Perhaps I am too used to the simplistic client / … Continue reading How does JWE secure the Content Encryption Key
I’m developing jwt auth feature with Spring WebFlux. And, I found the blocking calls in jjwt library by using BlockHound.
The reason of blocking calls was SecureRandom use /dev/random to make random number in default on Linux system.
To pr… Continue reading Is it ok to use NativePRNGNonBlocking SecureRandom for making jwt? [duplicate]
According to the OIDC specification:
The issuer value returned MUST be identical to the Issuer URL that was
used as the prefix to /.well-known/openid-configuration to retrieve
the configuration information. This MUST also be identical to … Continue reading What are the risks of disabling issuer URL validation?