Collaborate Disseminate
If I understand correctly, a JSON Web Token (JWT) can be asymmetrically signed with a special private key (JWK). At least in some common configurations, the public part of the signing key can’t be obtained via classic x.509 certificates, b… Continue reading What is the point of signing a JWT with a JWK if you need to communicate with the token issuer?
I have two servers and frontend client:
one server authorize and authenticate user, after that issue jwt token to client.
Frontend client also visits second backend server using jwt token as Authorization Header.
JWT secret is the same on… Continue reading Frontend authenticates in server using jwt token issued by another server
I am currently thinking about alternative ways for my native iOS Application (written in Swift) to receive access- & refresh-tokens. As of now, user sessions are established using revokable JWTs, issued by my API once a POST request is… Continue reading Alternatives to OAuth 2 for first-party native applications
We’re using artifactory to store binaries and conan to retrieve them.
What’s the best way to securely authenticate to artifactory via conan on test clients (and in production)?
Currently we’re authenticating to artifactory with the API key… Continue reading how to securely authenticate to artifactory in deployment (with conan)
I’m currently in need of some clarification for an authentication/overall strategy. First I will describe the use case and then the questions that arise for me.
Use Case
I want to have a single docker container consisting of an API and a d… Continue reading Multiple user specific APIs with a single Authentication Server
OWASP states:
Non-public REST services must perform access control at each API
endpoint. Web services in monolithic applications implement this by
means of user authentication, authorisation logic and session
management. This has several … Continue reading Access Control for REST APIs – OWASP recommendation
I am comparing implementation complexity of JWS and Client Certificate and troubleshooting Client Certificate at the same time.
I understand that both methods require to prove that the certificate (x5c in JWS or the actual Client Certifica… Continue reading Verification of certificate trustworthiness (e.g. in JWS and Client Certificate)
Since most people seem to caution against storing JWT tokens in the localStorage and recommend keeping them in the HttpOnly cookies, in this case I don’t really see the advantage of using JWT auth. Why not just use Cookie auth to begin wit… Continue reading Using HMAC signed cookies instead of JWT for authentication
I have a an endpoint, it redirects to an image which is stored on a storage service, I am considering if it is safe to embed the JWT in the url endpoint as such https://host/image?token=. This is the same JWT token which the system uses to… Continue reading Security risk of embedding JWT in URL?
Say we have multiple instances of application X deployed on site1.com, site2.com, site3.com, etc. And we have a centralized server at example.com serving all of these.
All the instances of X are static sites, that is, they do not have a se… Continue reading Is it bad practice to use only one token for a SPA (no applications, only user)?