Collaborate Disseminate
The W3C working group is working on the standardization of Decentralized Identifiers (DIDs). I watched a video presentation about DIDs and the presenter mentioned several times the possibility of generating unique pseudonymous identities f… Continue reading Use-case for decentralized identifiers (DIDs) with unique identities for each relationship
As per my understanding both JWT and Basic Auth used to store login credentials on client side and avoid sessions for better scalability. I understand with Basic Auth login credentials will be sent along with each request which is a secur… Continue reading What are the advantages of using JWT over Basic Auth with Https?
Reading around I gather that for a Restful API since you don’t use cookies,then you send the token in the Auth header.Correct so far?
When on a traditional MVC app ,do you send the token inside a httponly cookie? Does then the server have … Continue reading JWT token. Send in a cookie or Auth header depending on Rest vs MVC?
(I try to understand different concepts regarding web development in general)
Most information I find is about Single Page Applications, but how does a dynamic site make use of (for example) OAuth2/tokens? Maybe we want the pages to be ren… Continue reading How can OAuth2 (tokens) fit into dynamic sites that still wants to call protected API’s via JavaScript?
I’m building an app where the client will be issued a JWT. The JWT will be passed to my API for every request. I’m leaning in the direction of hosting my webserver and SQL server separately from each other using EC2 and RDS.
SECRET = bin2h… Continue reading JSON Web Token secret storage
I’m building a REST API resource server with JWT authorization for an Angular web app. I’m looking for a method to perform an additional check if the request body sent from the client application has not been modified by the attacker.
The … Continue reading Additional check for request integrity
I am working on an authentication server that can act as a central place to manage authentication for multiple projects, sort of like keycloak or ory kratos.
While working on implementing refresh_tokens (RT) I got an idea for an alternativ… Continue reading Cookieless Authentication
This doing a Spring Boot application (Rest API, JPA, etc) uses (via Rest) from a website (Angular) and a mobile app (Android).
The user using the mobile app (in the future) will be able to authenticate via Facebook, Google, etc, and store … Continue reading Authentication for website and mobile app
JWT tokens are self-contained. If a valid JWT token contains username and the token is valid, then the endpoint will think user is authenticated.
The token can be decoded and all fields seen.
What if I generate token on my side and fill it… Continue reading Why can’t I generate my own JWT to fake authentication?
Consider an API that requires a JWT for authorisation. For each JWT presented, it has to validate the signature, including base64 decoding, hashing and asymmetric encryption, which is stated noted as being more computationally expensive t… Continue reading How susceptible are JWTs to being used for denial of service?