Collaborate Disseminate
So I wrote the following logic for my web app:
When a user interacts with the website it initiates a Backend call. In the backend every endpoint has multiple middlewares, of which there is a JWT verification step, if it succeeds it goes to… Continue reading Is there any danger in refreshing JWT tokens directly without a refresh token?
I’m trying to understand what the best practice is here.
When a user signs in with Google, they then send you an ‘id_token’ which contains a bunch of information about the user, and the token generally.
This is the example Google provides:… Continue reading Google Auth – should you send the ID token to the FE, or create a new JWT?
I’m testing an application that sends JWT token in the request body (in JSON) instead of the header. Is it less secure than sending JWT token in the request header (like Authorization header), which is more popular?
The Google Identity openid discovery url https://accounts.google.com/.well-known/openid-configuration, has a .jwks_uri of https://www.googleapis.com/oauth2/v3/certs. If we look at the first key in that JWK Set
curl -s https://www.googleapi… Continue reading Azure AD has an "issuer" attribute on JWK keys in the JWK Set but Google ID does not, what is its purpose?
I am building an application and I want users to be able to log in from multiple devices without logging out of other devices.
How should I implement this functionality?
I am using Jwt token for authentication and MySQL database for storin… Continue reading How to enable multiple logins from the same user at the same time on different devices? [closed]
I have an authorization server that generate JWTs, the JWTs are signed with a private key (RS256) stored on a hardware security module. The tokens are generated only after a successful authentication.
What measures can be taken to prevent … Continue reading JWT forgery by an internal attacker
I want to use jwt tokens that are validated on my servers and for storing the token I am spliting the token into 2 parts the signature and the payload the signature is stored in an httponly samesite cookie with crsf protection and the payl… Continue reading How secure is my auth system?
I was reading the OAuth protocol docs https://datatracker.ietf.org/doc/html/rfc6749#section-6 where it implies that you don’t need a client_id and client_secret to refresh an access token, just a grant_type and the refresh token.
I was of … Continue reading refresh token without client_id and client_secret
We are retrieving external users using OpenID with the PKCE flow. We are using the JWT returned from the auth server to authenticate the user. If it is valid, we extract the subject field from the token and use it as an ID in our users tab… Continue reading Can I store subject from a JWT from an external auth server in my DB?
Is it possible to crack a JSON Web Token (JWT) using HS-256 algorithm with hashcat on a normal PC?
hashcat password.txt -m 16500 -a3
How can I calculate how much time it will take?
JWT first section for example eyJhbGciOiJIUzI1NiIsInR5cCI… Continue reading Crack JWT HS256 with hashcat