Collaborate Disseminate
I just ran into something strange IMO.
I created a RSA Key using nodejs cryptoutils to use with my JWT auth server.
What I observer using jwt.io was the following:
The last letter of the signature can be changed, and the jwt is still consi… Continue reading JWT – Able to change signature and its still verified?
I have an application that I want to secure with JWT tokens. For what I have read, the common practice is to have very short lived access tokens and very long lived refresh tokens, so that when an access token is required a refresh token c… Continue reading JWT access vs refresh tokens
We’ve got an Angular app that calls APIs with JWT token authentication (so an auth token and a refresh token). Now at some point the user changes his password (while normally logged in, so not with a "reset password" logic when h… Continue reading Do you need to invalidate JWT token upon password change?
I would like to ask how I should go about securely transmitting the password between two applications. I have two projects that work with each other. The first one is a project called AuthApi, which authenticates the user and creates token… Continue reading ow do I move password securely between api and web?
I’ve been reading countless articles about login flows and what’s the best for user auth, but it’s all even more confusing now.
My scenario:
I have a simple app (capacitor spa) that has a simple username/password login. I essentially have … Continue reading Best login flow for username and password authentication
I have a matchmaking server that I’ve wanted to use for a game I’m making in the future.
My issue lies with the JWT token.
How do I go about storing dynamic values in JWT tokens efficiently? I prefer not to break the stateless part of JWT … Continue reading Dynamic values in JWT token
I’m developing a web application and I want to use token based authentication, but after implementing the feature on the server side I got stuck on trying to figure out what is the best approach to storing JWTs on the client.
I found mysel… Continue reading What’s the best approach to storing JWTs on the client
I have an IAM system where each entity entry for client credential flow will be associated with a tenant.
I have two scenarios:
one client app that can access target entity to access only client specific data
another one that can access t… Continue reading How can client credential authorisation work for multiple clients in an IAM system?
I have built a basic REST API that uses Json Web Tokens for authentication. Currently, I have built my frontend to store the JWTs in localStorage. I have read this is insecure and want to switch to cookies. The login route on my API return… Continue reading Should I return JWT tokens on a login route even if I am using cookies?
I started noticing this kind of token in a lot of CTF tasks from different authors:
eyJlbWFpbCI6ImVtYWlsQG1haWxib3guZG9tYWluIiwiaWQiOjN9.ZLNCAQ.MxwKVKj_dramWyfT5XxT6g9U3xk
The structure is as follows:
Payload (usually a json string). In m… Continue reading What type of token is this?