Collaborate Disseminate
Websockets don’t support sending auth tokens during websocket handshake as part of HTTP headers, rather only via query parameters. This has a security risk of leaking these tokens in server logs. However, if we create these JWT tokens with… Continue reading Is it secure to send JWT tokens in url query parameters if we use nonce to make it a one time token?
I have an admin screen, once I access it, it asks for login credentials, then after I login, I get a token that is saved under local storage (see screenshot below)
Noting that I am using edge browser in private mode, when I opem a new tab… Continue reading Does saving the cookie or jwt token in the browser raise a security risk?
Currently looking into OpenPubKey and more specifically into OpenPubkey SSH:
https://github.com/openpubkey/openpubkey
https://docs.bastionzero.com/openpubkey-ssh
Terminology:
OPK => OpenPubkey
OIDC => OpenID Connect
OP => OpenI… Continue reading Openpubkey SSH workflow details
I am using auth0, and I have a setup a custom domain. As a result, depending on how I login, I can have multiple iss claims, for example :
https://example.auth0.com
https://auth.example.com
So I have to configure all my backend services … Continue reading Is it necessary to verify iss claim in a jwt if the jwk_urls are configured?
If we consider that having a valid refresh token allows you to get a valid access token, then the two can be considered to have the same ‘informational value’ right?
Then why are they treated differently in terms of security aspects like e… Continue reading Why are refresh tokens treated differently than access tokens
I’m implementing an authentication mechanism using JWT tokens and exploring best practices for securely storing these tokens on the client side.
My JWT includes a jti claim populated with random bytes to ensure the claims are not easily gu… Continue reading Single JWT as authentication and refresh token
This may be just an academic question, but I have been wondering about something, OK so for this purpose all we care about is AuthN, not AuthZ. Also, there are no users at all, just daemon-to-daemon communications.
So of course we’re all … Continue reading OIDC identity token authentication using JWKS instead of token_introspection
I’m working on a project where we aim to have a separate database for each tenant. In our setup, there is a central database (and API) containing a "users" table that stores usernames and passwords for all users. Additionally, th… Continue reading How to keep membership in sync in a multi tenant architecture with per tenant database?
We are integrating Google login in our app and we intend to use the idToken for authentication. We are already sending the idToken from the app to the back-end server, and intend to verify the token as explained at:
https://developers.goog… Continue reading Google Login with idToken and JWT (Java)
The existing system involves storing the bearer token in a cookie to fulfill a customer request of not only downloading an attachment within the application but also opening it in another tab. This is achieved by utilizing the client appli… Continue reading Storing bearer token in cookie for file retrieval in another tab