Collaborate Disseminate
As per my understanding both JWT and Basic Auth used to store login credentials on client side and avoid sessions for better scalability. I understand with Basic Auth login credentials will be sent along with each request which is a secur… Continue reading What are the advantages of using JWT over Basic Auth with Https?
From what I have understood, for public facing clients such as JavaScript apps that run on the browser or mobile apps which have no backend there is no secure place to store client id and secret. Therefore, the client will generate a rando… Continue reading Is PKCE really protecting public facing clients? Can’t a rogue app steal the ClientID and Secret and make a AuthCode request of its own?
I’m testing a REST API.
To get the access-token and refresh-token you need first to authenticate using Basic Authentication with user and password.
Then you get access-token and refresh-token pair and you can use the first to interact with… Continue reading Can be this considered token race condition vulnerability?
I’ve been asked to write an app with registration and login systems. In essence, I’ve already wrote the first version of their app using PHP, some javascript/jquery and storing data in MySQL. It worked for a time but now they are growing a… Continue reading What are the best practices to create a safe and performant user registration and validation with Nodejs and Postgres?
Say we signup and login to an OAuth 2.0 enabled security application called "AI Car Command Center" via Google OAuth 2.0
We then logout.
Does Google then have the capability to then grant itself access to "AI Car Command Cen… Continue reading Does signing in via OAuth 2.0 compromise account security if the OAuth 2.0 service decides to become malicious?
For SPA/frontend apps, you should be using PKCE these days for OAuth flow. But the backend apps have this additional complexity of having to have a secret key and use that key to talk to the token endpoint. Why not just use PKCE on the bac… Continue reading Why not use PKCE for backend apps, too?
Consider a use-case in which a single page application using an OAuth identity flow has to use one of many possible identity providers, as determined by what user is logged in. More specifically, I log in using my credentials for Company A… Continue reading Delegating to multiple auth providers from a single page application
I don’t mean to start another OAuth vs OpenID discussion, but I want to share the underlying cause of my confusion.
When I want a Client to process my google docs for something, I have to go through my google account. But if its only use i… Continue reading Why do some "OAuth" providers ask for personal info?
We have some API’s we are calling from a mobile app. These API’s require an OAuth (JWT) token with certain scopes from the app, even though they are not security critical at all. We want to remove authorization from these endpoints in the … Continue reading Get an oAuth token without any validation
I created a large backend+frontend project for a client. They recently started a different project, and contracted an other company to develop and host it. Since they need some of the data from my project, they asked me to develop an api, … Continue reading How could a server to server rest api communication be more secure, by using OAuth 2?