Collaborate Disseminate
I know JWT: Why is Audience is important (in fact I give a demonstration in that question). However, I fail to understand why validating Issuer is the standard and can’t think of any good scenario where it is needed.
Say I accept JWTs from… Continue reading JWT: why is Issuer important?
I want to implement a passwordless authentication flow with a code sent by email but I can’t find a clear best practice on how to securely implement it on the server side.
On the client side, the flow would be:
User enter their email and … Continue reading Passwordless authentication with email OTP
I was just wondering what the downsides of the following approach would be:
The email address I store is hashed (with a pepper that is db wide). This should (in my theory) better protect users in case of a data breach compared to storing t… Continue reading Hashed email addresses in database and plain text emails in JWT
Scenario: A user logs-in to a web application and receives a JWT Token. The Token Service looks up user roles and adds them to the JWT Claims and all necessary signatures to the token.
When the receiving application receives the token, it… Continue reading JWT Token Claim Validation after it has been granted
Can anyone please shed some light on the difference between the following two OAuth grant type scenarios?
JWT grant with JWT assertion
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
assertion=${JWT}
Defined in RFC 7523 § 2.1. An … Continue reading JWT-bearer grant with JWT assertion vs. client credentials grant with JWT client assertion?
So I’m currently learning about Demonstrating Proof-of-Possession (DPoP) in Oauth after previously learnt about Proof Key for Code Exchange (PKCE). one interesting idea i’ve been thinking is, is it possible to replace the challenge/verifie… Continue reading OAuth 2.0: Is it possible to replace PKCE with DPoP-like proof-of-possession?
In oauth2 client credentials grant, does the authorization server always return an opaque access token? Or could this also be a signed JWT which the client can then use with an API without requiring the use of introspection?
I have used frida to bypass certificate pinning of an app and was able to capture http traffic. But I notice that the authorization bearer uses JWT with a signature (over a timetamp). So I was wondering if I can hook any functions in frida… Continue reading Possible to use Frida to capture secret for jwt signature?
I am a bit confused. Every tutorial I found for JWT authentication method mentions that the token produced shouldn’t be valid for more that 5 minutes. Thats why the method should cowork with cookies (known as refresh-token in JWT). On the … Continue reading Doesn’t JWT authentication need cookies?
Context
I’ve read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it’s not clear to me why.
The recommended approach seems to be using aud and sub claims … Continue reading What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?