Collaborate Disseminate
I want to enable "Sign-in with apple" in my application.
As you can see here App sends Token authorization code to the backend, and then backend needs to talk with Apple ID to verify the user.
This is the recommended way from iO… Continue reading Sign-in with Apple user verification
I’d like to use JWTs for user authorization. My intention is use an auth server and an app server to keep them separate. This way my auth server will be the only JWT issuing server and the only server w/login and sign up logic.
I’ve recent… Continue reading Refresh token using a separate auth server?
Say I have a gateway which provides authorization mechanisms by validating a JWT, behind an api-gateway there are different micro-services but only the gateway port is public. As a software designer you decide to make all micro services un… Continue reading How to prevent horizontal escalation attacks when a centralized authorization service as gateway is used?
Is it a bad practice to store my user’s ObjectId in a JWT in the sub claim?
I could create an alternate UUID field in the user database and use this instead, but I wondered if I should?
I use this sub claim in both the refreshToken and acc… Continue reading Is it a bad practice to store my user’s ObjectId in a JWT in the sub claim?
By convention, I see a lot of folks using this approach to generate a private key from a nodejs console:
require(‘crypto’).randomBytes(64).toString(‘hex’)
But considering I could input other values besides 0-9 and A-Z, I wondered if my ke… Continue reading How hard is it to hack the JWT HS256 algo?
I have a Node.js/Express 4/JWT user authentication service using Passport.js, with Sequelize and MySQL for database.
In my service, upon signing up/resetting a password, the user will be redirected to a page telling them to
click the link… Continue reading Best practice for authenticating resend email requests
I have been analyzing the security process in 3gpp specs (pg 11) and the registration process in the spec explained with that flow. The flow represents the registration of a client to the server..
I am not a security specialist and I do … Continue reading Registration process by OAuth2
I am writing a mobile app that uses a read only REST service that sits behind our company firewall. The actual data supplied by the REST service is not private but I am concerned with a hacker using it to get behind the firewall. I have f… Continue reading Securing a read-only REST service for mobile access
I’ve decided to implement JWT as an authorization method for a webapp I’m building. I choose this method because I like not needing to query my database on every request and because horizontal scaling is easier (I won’t need to use sticky … Continue reading Opinion on a particular strategy for JWT authorization?
In my web application I am using JWT. After a user loggs in, they are issued a refresh token and an access token. The refresh token is sent to cookie storage with the HTTP-only flag, while the access token is only saved in the memory of th… Continue reading How to implement "remember me" with JWT?