Collaborate Disseminate
An authorization server issues an access token with issuer details which are exposed in a well-known API of that server. This server uses client authentication JWT tokens with clients configured. These JWT tokens are sent as a part of a re… Continue reading Bearer JWT client authentication and access token issued by authorization server
As the title says, I want to create a RESTful API (stateless) that will access Google API endpoints. First I want to authenticate the user and then use that token provided by Google to access Google Calendar API.
This is the current flow o… Continue reading RESTful API with Google API and OAuth2
I am developing an application where users need to provide an API key to a 3rd party service, our app (a serverless app on AWS with a dynamo db) then makes requests to that 3rd party service on behalf of the user. Users are authenticated … Continue reading 3rd Party API Key in cognito custom attribute JWT
When working with authentication through JWT, I understand that it’s the combination of iss/sub that identifies a principle for authentication. But with cases where authorization is shortly followed, is there typically a way that JWTs pass… Continue reading How is group membership passed in with JWTs?
As always: entertaining, informative and educational… and not bogged down with jargon! Listen (or read) now… Continue reading S3 Ep118: Guess your password? No need if it’s stolen already! [Audio + Text]
I have an application that uses an OAUTH2 flow based on JWT and JWKS.
JWT and JWKS are used for the "client authentication": when the application needs to call the endpoint to flip the authorization code to an access token, inste… Continue reading JWT and JWKS for server to server calls
We are using JWT (Json Web Token), with HS256 algorithm.
Is it ok to use PHP’s password_hash() functions output for the secret part?
It’s output is a 128 bit random salt with the user’s password hashed together with bcrypt.
(the reason we … Continue reading JWT secret part from php password_hash() (128bit random salt and password hashed together)?
It’s remotely triggerable, but attackers would already have pretty deep network access if they could “prime” your server for compromise. Continue reading Popular JWT cloud security library patches “remote” code execution hole
I have found an issue in a laravel site; its .env file is public. I need a way to decode and decrypt the jwt session cookie used by default in laravel using the app key found in .env file.
I don’t know PHP at all. Is there an online tool l… Continue reading How to decode laravel cookie using app_key
After seeing the many articles and talks stating that JWTs are not a good choice for user auth, I have create a proxy service which uses a simple session cookie to authenticate a user’s request, exchange it for a JWT bearer token (currentl… Continue reading Using JWTs for internal service authentication