Collaborate Disseminate
We have a current microservice architecture where we secure communication between microservices via Machine-To-Machine access tokens (these tokens are obtained using the Client Credentials grant flow).
We do this for all communications bet… Continue reading Propagating user context between microservices secured with M2M JWT tokens
I am reading this OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
where the authorization server issues a client a JSON web token with the following format
{
"iss": "https://server.example.com&… Continue reading Difference between JSON web token, bearer token, and MAC token in OAuth2
In most examples I’ve read, I see people mentioning that when the server returns a 401 the client should hit the jwt refresh endpoint, passing in the refresh token somehow (i.e as a cookie), and then continuing on from there with the new J… Continue reading Should the API automatically renew the expired JWT or wait for the client to?
I’m finding it really hard to find a solution to make secure requests via our API without a potential hacker being able to see sensitive secret information via Google Chrome dev tools (or any browser’s dev tools), as React tends to show ev… Continue reading How do I protect a Laravel backend API from hijacking/CSRF when there is a React frontend?
Hello I am currently working in an e-commerce website and I am working in Authentication I read a lot of articles about how to secure the API and this the recap of what I did
when I log in or register I create 3 tokens (access-token, refr… Continue reading Confused about Authentication with JWT
I’m currently working on a project. The apis on the backend will support both mobile and web clients. I’m attempting to design a user management flow for both clients and a bit confused about how to go about this. I came across a few ways … Continue reading Designing a user session API for both mobile and web clients
I have been reading about authentication and authorization for the past few days and I still have not figured out what would be a reasonable way to deal with this for both mobile and web applications.
From what I read, when it comes to a w… Continue reading Secure REST API for mobile and web application usage
I am an application developer and am building a token-based auth mechanism for my application. Essentially, the user will log in with username+password, if the credentials are valid, my code will generate a JWT (probably going with a 30-mi… Continue reading Placing authorization data on JWT claims
I’m trying to figure out where the security benefits of having a refresh token and an access token for JWT are.
Another post on stackexchange says:
But why is it safe to have a refresh token that can last for months
when the JWT can’t? Th… Continue reading Do JWT refresh tokens have security benefits?
I am using a JWT token implementation of this https://jwt-auth.readthedocs.io/en/develop/quick-start/
I need to update the secret key and is there a way to update it without logging out every user? I presume it’s not possible to reuse the … Continue reading Is that possible to update JWT Token secret without logging out every user?