Working Code for Grant Negotiation and Authorization Protocol (GNAP) for evaluation? Performance vs OAuth/OIDC

Understand that Grant Negotiation and Authorization Protocol (GNAP) is still in draft status at the IETF.
I am looking to evaluate GNAP and be the first to put it in production. Is there any working code for Grant Negotiation and Authorizati…

Is it a good practice to store both the Google OAuth2 access token and the refresh token in the database unhashed?

I recently came across a source code where they save a user’s refresh token and the access token upon sign in through Google into the database. This is done to access the Google APIs later on through the server.
My question is, isn’t this …

United Kingdom’s MoD announces the results of its bug bounty program with HackerOne

The United Kingdom’s Ministry of Defence (MoD) announced the conclusion of its first bug bounty challenge with HackerOne. The Ministry of Defence program was a 30-day, hacker-powered security test aimed at surfacing vulnerabilities before they can be e…

Dremio Cloud empowers self-service and interactive analytics on the data lake

Dremio announced its cloud-native SQL-based data lakehouse service, Dremio Cloud. Purpose-built for the cloud, Dremio Cloud makes cloud data lakes 10x easier, while delivering infinite scale and security. Dremio Cloud enables organizations of any size …

How to authenticate that an OAuth2 confidential client is making a REST call?

We are looking to implement some REST services to be called from partner servers (not end users via a browser).
The out-of-the-box implementation seems to flow thusly:

Partner server passes a client id and client secret to our OAuth serve…

Implications of using a self-signed certificate to sign JWT tokens in OAuth

I’m looking to set up an integration between GitHub and ServiceNow, and I can use OAuth2 with JWT tokens; the steps to take can be found here.
There is a specific step that states:

Create a CA signed certificate using the GitHub App priva…