Collaborate Disseminate
I’ve been reading countless articles about login flows and what’s the best for user auth, but it’s all even more confusing now.
My scenario:
I have a simple app (capacitor spa) that has a simple username/password login. I essentially have … Continue reading Best login flow for username and password authentication
I have a matchmaking server that I’ve wanted to use for a game I’m making in the future.
My issue lies with the JWT token.
How do I go about storing dynamic values in JWT tokens efficiently? I prefer not to break the stateless part of JWT … Continue reading Dynamic values in JWT token
I’m developing a web application and I want to use token based authentication, but after implementing the feature on the server side I got stuck on trying to figure out what is the best approach to storing JWTs on the client.
I found mysel… Continue reading What’s the best approach to storing JWTs on the client
I have an IAM system where each entity entry for client credential flow will be associated with a tenant.
I have two scenarios:
one client app that can access target entity to access only client specific data
another one that can access t… Continue reading How can client credential authorisation work for multiple clients in an IAM system?
I have built a basic REST API that uses Json Web Tokens for authentication. Currently, I have built my frontend to store the JWTs in localStorage. I have read this is insecure and want to switch to cookies. The login route on my API return… Continue reading Should I return JWT tokens on a login route even if I am using cookies?
I started noticing this kind of token in a lot of CTF tasks from different authors:
eyJlbWFpbCI6ImVtYWlsQG1haWxib3guZG9tYWluIiwiaWQiOjN9.ZLNCAQ.MxwKVKj_dramWyfT5XxT6g9U3xk
The structure is as follows:
Payload (usually a json string). In m… Continue reading What type of token is this?
This question came across my mind when I sent an ajax request from html to a backend django server and forgot to add a csrf token to the request payload and recieved this error.
403 error means that the request was unauthorized.
I know th… Continue reading What happens first in a request having both CSRF Token and JWT token, authentication or authorization?
I am implementing a web service with a front end and back end. Everything but the login endpoint requires authentication. For authentication I use Authentik. However, I have trouble wrapping my head around which tokens to give to the user,… Continue reading OIDC + Authentik: Which token to give to user for authentication?
First of all, I know that passwords generally do not have to be stored in a JWT or JWS since the token in itself can be used to authenticate. My circumstances are very specific though.
In my program, I need to startup a process as the user… Continue reading Is it bad practice to store passwords in a JWE? If so, why?
I’ve been reading about how clients can verify JWT signatures using a public key provided by the server. I’m struggling to understand how this solves any issues.
The only attack I’ve seen which this claims to solve is when a reverse proxy … Continue reading How is client side JWT signature validation beneficial from a security perspective?