Collaborate Disseminate
I have a Node.js/Express 4/JWT user authentication service using Passport.js, with Sequelize and MySQL for database.
In my service, upon signing up/resetting a password, the user will be redirected to a page telling them to
click the link… Continue reading Best practice for authenticating resend email requests
I have been analyzing the security process in 3gpp specs (pg 11) and the registration process in the spec explained with that flow. The flow represents the registration of a client to the server..
I am not a security specialist and I do … Continue reading Registration process by OAuth2
I am writing a mobile app that uses a read only REST service that sits behind our company firewall. The actual data supplied by the REST service is not private but I am concerned with a hacker using it to get behind the firewall. I have f… Continue reading Securing a read-only REST service for mobile access
I’ve decided to implement JWT as an authorization method for a webapp I’m building. I choose this method because I like not needing to query my database on every request and because horizontal scaling is easier (I won’t need to use sticky … Continue reading Opinion on a particular strategy for JWT authorization?
In my web application I am using JWT. After a user loggs in, they are issued a refresh token and an access token. The refresh token is sent to cookie storage with the HTTP-only flag, while the access token is only saved in the memory of th… Continue reading How to implement "remember me" with JWT?
I see many articles about how to invalidate JWT tokens but none about when to invalidate them before their expiry.
When a user resets there password being an obvious time.
What are the best practices here?
Continue reading What conditions should trigger an invalidation of JWT Tokens?
A recent penetration test has discovered that my org is using the JWT authentication scheme that allows the ‘none’ algorithm. How exploitable is this in the real world?
I understand that the issue can be used by an attacker to change the p… Continue reading How exploitable is a none JWT?
I’ve recently learned about JWT tokens, but I don’t understand why I need them. Considering:
HTTPS is enabled, thus the access token can’t be stolen along the way. it’s encrypted.
If at anytime, the hacker finds a way to read incoming JSO… Continue reading How does a JWT refresh token improve security?
I have the following setup with a keycloak authentication server and an application:
user logs in on application client side, send un/pw to server
application server sends un/pw to keycloak server for a token
keycloak server sends a token… Continue reading Why does keycloak use HS256 algorithm to sign access token when client settings specify RS256?
On this https://jwt.io/ application, you can paste a jwt and it returns you a public key. How is this public key generated, and how is it exported? Is it contained inside the JWT, and if it is, then how? In raw format?