Collaborate Disseminate
I’m reading up on some OpenID Connect documentation trying to get my head around the protocol. I came across the issuer property that is common in the JWT tokens. How come this is required if we should always check the signature of the tok… Continue reading Is `iss` property in JWT tokens redundant?
My problem boils down to the use of Okta’s access tokens to secure api endpoint.
I followed this okta guide to set up a react single-page application with their wiget.
When I log into the site I get a access token to use with my api.
I tri… Continue reading How do I make sure access token comes from authenticated user?
I want to enable "Sign-in with apple" in my application.
As you can see here App sends Token authorization code to the backend, and then backend needs to talk with Apple ID to verify the user.
This is the recommended way from iO… Continue reading Sign-in with Apple user verification
I’d like to use JWTs for user authorization. My intention is use an auth server and an app server to keep them separate. This way my auth server will be the only JWT issuing server and the only server w/login and sign up logic.
I’ve recent… Continue reading Refresh token using a separate auth server?
Say I have a gateway which provides authorization mechanisms by validating a JWT, behind an api-gateway there are different micro-services but only the gateway port is public. As a software designer you decide to make all micro services un… Continue reading How to prevent horizontal escalation attacks when a centralized authorization service as gateway is used?
Is it a bad practice to store my user’s ObjectId in a JWT in the sub claim?
I could create an alternate UUID field in the user database and use this instead, but I wondered if I should?
I use this sub claim in both the refreshToken and acc… Continue reading Is it a bad practice to store my user’s ObjectId in a JWT in the sub claim?
By convention, I see a lot of folks using this approach to generate a private key from a nodejs console:
require(‘crypto’).randomBytes(64).toString(‘hex’)
But considering I could input other values besides 0-9 and A-Z, I wondered if my ke… Continue reading How hard is it to hack the JWT HS256 algo?
I have a Node.js/Express 4/JWT user authentication service using Passport.js, with Sequelize and MySQL for database.
In my service, upon signing up/resetting a password, the user will be redirected to a page telling them to
click the link… Continue reading Best practice for authenticating resend email requests
I have been analyzing the security process in 3gpp specs (pg 11) and the registration process in the spec explained with that flow. The flow represents the registration of a client to the server..
I am not a security specialist and I do … Continue reading Registration process by OAuth2
I am writing a mobile app that uses a read only REST service that sits behind our company firewall. The actual data supplied by the REST service is not private but I am concerned with a hacker using it to get behind the firewall. I have f… Continue reading Securing a read-only REST service for mobile access