Collaborate Disseminate
We’ve recently overhauled the backend to our mobile app from having a very basic authentication mechanism that went through the API to having both an authentication server and an API server, with the auth server issuing OAuth2 JWT tokens (… Continue reading Where should ‘reset password’ functionality be?
I’ve been reading about access tokens and refresh tokens, and am implementing it in my own site. Right now, based on an example codebase on GitHub, a refresh token of random characters is created and stored in the database with some detail… Continue reading Should a refresh token be linked to a single access token, and what is the ideal refresh flow?
We are building a public-facing API. The consumers of this API will be business partners of ours – we will probably have a personal relationship with each one, and I suspect there will only ever be 10-40 of these customers. So we’re not de… Continue reading Should we use API keys for authorization on a public API (instead of JWT)?
I’m building a Spring app and a React app which also contains Chat functionality. I use WebSocket with RabbitMQ as message broker.
I store the chat history as encrypted messages with AES, and before I send them to the client, I decrypt t… Continue reading Can GET Requests with Spring Rest controllers be intercepted by attackers?
With the traditional session system where only the session ID is stored on the client possibly even encrypted, the user won’t be able to assume the identity of another user or escalate their privileges without accessing the database or the… Continue reading Why aren’t we scared of our signing key being stolen with JWTs?
I’m building an authentication system that I want to be secure. I plan on using JWT tokens as the main authentication mechanism. When the token expires, the server will return a “401 unauthorized” response, and I would like the client to b… Continue reading Using the user’s password hash as their refresh token (with the password hash in their JWT)?
So I’m building an application that needs authentication, I’m wondering if there’s an security concerns with using a persistent httpOnly cookie to store user authentication with a SPA? (only 1 server. OAuth is not an option) I could set th… Continue reading Using a persistent httpOnly cookie for authentication? (SPA)
I would like to learn more about protocols using a JWT as a Token.
I’m aware of OIDC but I can’t find any other well defined and robust protocols for user authentication using JWTs.
Sure, I can use a simple REST endpoint providing a JWT… Continue reading Are there standard protocols for user authentication over JWT?
I would like to learn more about protocols using a JWT as a Token.
I’m aware of OIDC but I can’t find any other well defined and robust protocols for user authentication using JWTs.
Sure, I can use a simple REST endpoint providing a JWT… Continue reading Are there standard protocols for user authentication over JWT?
I’ve spent a while reading about this, and I know it’s a common topic, but I was hoping to get some feedback on my authentication approach.
I have an SPA. It needs to authenticate to 1) my application backend and 2) some APIs on AWS. I’m… Continue reading In memory JWT for API auth with HTTP-only cookie for sessions?