Collaborate Disseminate
My question is : Is this approach correct given I have a non-Oauth service? My goal is to use the simplest amount of security features while still being as strong as possible.
My approach is as follows and I am asking for feedback on wheth… Continue reading I have a non-Oauth service and am using this approach with Server initiated HttpOnly cookies with stripped JWT
I have an API server (ASP.NET Core 5) and SPA client (ASP.NET Blazor). Nothing else: no external oauth servers, identity providers and whatnot
To secure access, the server issues and validates access tokens (JWTs) and refresh tokens.
A JWT… Continue reading Should I specify JWT audience and issuer if I have only one SPA client?
I have a stateless backend app, session data is stored on the front-end in a JWT token, so the front-end app passes this token in Authorization header to all the requests.
I need to add 3rd party API integration that will use OAuth2.
I imp… Continue reading Access to JWT session after OAuth redirects
For simple authentication with backend services, without more sophisticated needs (e.g. roles and scopes), is there any security benefit in using JWTs instead of sending HMAC hashes to verify a payload?
HMAC:
Client generates a timestamp … Continue reading HMAC hashing vs JWTs for stateless authentication
Many popular reverse proxies (tomcat, nginx, …) seem to handle OpenID Connect and act as a Relying Party to hide the authentication complexity to all applications behind the reverse proxy, which just receive http headers containing user … Continue reading OpenID Connect with or without reverse proxy?
I have an application with a server-client architecture. The server is a REST/JSON API and the client reaches to the server via HTTPS. I currently have a short-lived access token (JWT, stateless, 15 minutes) that is attached for each authe… Continue reading Can I reuse the refresh token as the remember me token?
I am currently testing a website that appears to make a refresh token request every time I focus away from the web browser and back, or away from the tab the website is open in and back to it. I’ve confirmed these requests are refreshing m… Continue reading Is there a risk involved in refreshing a JWT token every time you refocus the webpage?
The big picture is:
an android application which authenticate user with an external openid provider (such as azure AD)
a Java EE server which expose rest endpoints securized with the validation of the jwt token generated by the openid pr… Continue reading How to encrypt REST body with openid connect OIDC
When we are talking about JWT authentication, how big of a security risk would it be to eliminate the concept of a refresh token and just have a single JWT have an expiration time of, let’s say 30 days.
The refresh token could still be acc… Continue reading Extended expiration on JWT
As per my understanding, JWTs are signed tokens which can be used to identify users, if used as session tokens, they can eliminate need to store session on server ie. they are stateless.
Suppose I store user_id in JWT token and use it to v… Continue reading Logout functionality with JWT Session tokens