Collaborate Disseminate
From my understanding, the current standard when using JWTs for user sessions is to have a short-lived (expires after maybe 15 minutes) access token and a long-lived refresh token (expires after 24+ hours) which can be used to obtain more … Continue reading Concerns about a typical JWT setup
I am looking at implementing an API Gateway for a system using WS02 as the IdP. Users will be signing in using OAuth via federated SSO with social providers (initially Google). The users will also need to pass access to a device with limit… Continue reading OAuth device code grant – JWT
Which are vulnerabilities in JWT authentication in Node.js?
I use this npm package
I think the big vulnerability is in refresh token and algorithm of encryption, right?
Continue reading Which are vulnerabilities in JWT authentication? [closed]
Most security specialist teams, OWASP, Auth0, Okta to name some, agree on that keeping access token in browser should be avoided. And one of the alternatives to this approach is having a proxy server between the web application server and … Continue reading What if session cookie is stolen? Doesn’t it have a similar effect with getting access token stolen
I’m implementing an OAuth 2.0 Authorization Code grant type flow and considering to use a very short-lived JWT as the authorization code so this step doesn’t require a database.
I understand that this code is usually persisted and removed … Continue reading Is it safe to use a JWT as an Authorization Code?
I was reading this question and still have doubts about my use case.
I know it’s unsafe to store a JWT in local/session storage due to XSS attacks. But what if it’s for a JWT that only lasts 1 min when they first login? The client would th… Continue reading Is storing a short lived JWT on initial login in LocalStorage safe?
I have the below openssl code to decode json content. It works fine if the encoded data is
eyJ0ZXN0MSI6eyJ2YWwyIjotOTEuNiwidmFsMyI6NDAuMTIzNH19
but it does not work if the encoded data is
eyJ0ZXN0MSI6eyJsYXRpdHVkZSI6LTkxLjYsInZhbDMiOjQwfX0… Continue reading Issue with openssl base64 decode function while decoding jwt payload [closed]
As a developer I do have some understanding of OWASP, I am also a member of OWASP community, official due paying one. Anyway, what I may not understand is information security in that I am not a security engineer and so I pose the followin… Continue reading Is it necessary to encrypt a JSON Web Token more than what is built-in?
I’m reading up on some OpenID Connect documentation trying to get my head around the protocol. I came across the issuer property that is common in the JWT tokens. How come this is required if we should always check the signature of the tok… Continue reading Is `iss` property in JWT tokens redundant?
My problem boils down to the use of Okta’s access tokens to secure api endpoint.
I followed this okta guide to set up a react single-page application with their wiget.
When I log into the site I get a access token to use with my api.
I tri… Continue reading How do I make sure access token comes from authenticated user?