What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?

Context
I’ve read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it’s not clear to me why.
The recommended approach seems to be using aud and sub claims …

Is it currently considered strong security to store the encrypted data and encryption key in the same database? [duplicate]

In 2024, is it considered safe to encrypt user data, store the encryption keys in the database, and protect them with user credentials? Deriving keys from the user's password is not ideal in my design. My plan is to allow OAuth-based authentica…

Why shouldn’t I use the OAuth password grant if I have to implement a custom username+password login anyway?

I’m building a web REST API. Users must be able to authenticate themselves to this API.
I don’t know ahead of time which clients will want to use the API. I want to allow for the possibility of anyone creating their own client, like a cust…

Product showcase: How to track SaaS security best practices with Nudge Security

As technology adoption has shifted to be employee-led, IT and security teams are contending with an ever-expanding SaaS attack surface. At the same time, they are often spread thin, meaning they need ways to quickly identify and prioritize the highest-…

Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider

To help developers with integrating with our SAML/OAuth/OIDC Identity Provider on their local dev environments, I’m thinking about configuring a demo client/app in our production IdP that has localhost configured as a valid redirect URL (OAu…

From federation to fabric: IAM’s evolution

In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that […]

The post From federation to fabric: IAM’s evolution appeared first on Security Intelligence.