Collaborate Disseminate
I have an application with a server-client architecture. The server is a REST/JSON API and the client reaches to the server via HTTPS. I currently have a short-lived access token (JWT, stateless, 15 minutes) that is attached for each authe… Continue reading Can I reuse the refresh token as the remember me token?
I am currently testing a website that appears to make a refresh token request every time I focus away from the web browser and back, or away from the tab the website is open in and back to it. I’ve confirmed these requests are refreshing m… Continue reading Is there a risk involved in refreshing a JWT token every time you refocus the webpage?
The big picture is:
an android application which authenticate user with an external openid provider (such as azure AD)
a Java EE server which expose rest endpoints securized with the validation of the jwt token generated by the openid pr… Continue reading How to encrypt REST body with openid connect OIDC
When we are talking about JWT authentication, how big of a security risk would it be to eliminate the concept of a refresh token and just have a single JWT have an expiration time of, let’s say 30 days.
The refresh token could still be acc… Continue reading Extended expiration on JWT
As per my understanding, JWTs are signed tokens which can be used to identify users, if used as session tokens, they can eliminate need to store session on server ie. they are stateless.
Suppose I store user_id in JWT token and use it to v… Continue reading Logout functionality with JWT Session tokens
I have a static react app which users login via an Okta SPA app.
The app receives a JWT, which it is stored in the browser, and passed to the backend API via Authentication header on every request.
The API using Azure API Management. They… Continue reading Does "validating" a JWT token from prove authentication with OpenId?
I’ve set up a firebase passport strategy on a NestJS server which works fine, but I did not like the long load times it would incur on all requests that went through it. So I decided to cache decoded tokens until they are expired, and this… Continue reading Is it bad practice or major security risk to cache decoded auth tokens in my backend?
I recently came across a source code where they save a user’s refresh token and the access token upon sign in through Google into the database. This is done to access the Google APIs later on through the server.
My question is, isn’t this … Continue reading Is it a good practice to store both the Google Oauth2 access token and the refresh token in the database un hashed?
We use JWT tokens in our Rest API(Bank API) authentication with a normal payload like:
{
"user_id": "cdda338f-50e2-4e14-9f84-33b8a158db9f",
"tenant_id": "cdda338f-50e2-4e14-9f84-33b8a158db9e",
… Continue reading Is masking JWT custom claims a good practice?
The app is divided into two parts, the fronted – written with the Angular framework and the backend, simple PHP files which handle the login, API calls, etc.
My current flow is the following:
User creates an account/login. Credentials are… Continue reading Am I handling JWT token correctly?