OAuth – Page 13 – WindowsTechs.com

I found that I could delete the state parameter in an OAuth request and the response was validated and e-mail was still verified

Posted on January 9, 2021 by Vardhaman Jain

I was fiddling around with an OAuth2.0 request on burpsuite and I found that it validated the account even after I deleted the state parameter completely and forwarded the request through burpsuite. I would like to report this as a bug so … Continue reading I found that I could delete the state parameter in an OAuth request and the response was validated and e-mail was still verified→

Propagating user context between microservices secured with M2M JWT tokens

Posted on January 4, 2021 by Spongeboy

We have a current microservice architecture where we secure communication between microservices via Machine-To-Machine access tokens (these tokens are obtained using the Client Credentials grant flow).
We do this for all communications bet… Continue reading Propagating user context between microservices secured with M2M JWT tokens→

Keycloak and Open ID Connect best practices

Posted on December 25, 2020 by Luke

I’m a bit lost as to the best practice surrounding a production-ready access management based on keycloak and open id connect.
My understanding is that if you use Keycloak’s provided adapters, instead of writing your own, you end up with a… Continue reading Keycloak and Open ID Connect best practices→

Benefits of Token Exchange protocol in OAuth 2

Posted on December 25, 2020 by Maro

Beginner question here, I don’t seem to be able to wrap my head around the security benefits of the token exchange protocol as specified by RFC8693. To me it seems like a delegation pattern where a webservice (service A) impersonates the … Continue reading Benefits of Token Exchange protocol in OAuth 2→

Logout on OIDC Provider Refresh Token validity in comparison to OAuth

Posted on December 10, 2020 by BenjaminH

I have an Relying Party that has obtained an Access Token and Refresh Token (as well as an ID Token) from an OpenID Provider (not an offline token).
In all cases I have seen, the Refresh Token is invalidated when the user logs out from the… Continue reading Logout on OIDC Provider Refresh Token validity in comparison to OAuth→

Why is SAML still used for enterprise SSO instead of OIDC?

Posted on December 6, 2020 by user1028270

I’m trying to wrap my head around the difference between SAML/OIDC/and OAuth.
Is the only reason SAML is the most popular choice for enterprise SSO that it’s been around much longer? Is it expected to eventually be replaced by OIDC and OAu… Continue reading Why is SAML still used for enterprise SSO instead of OIDC?→

Twitter OAuth signing process explanation

Posted on November 26, 2020 by user246368

I was going through this process https://developer.twitter.com/en/docs/authentication/oauth-1-0a/obtaining-user-access-tokens and there are two points that do not make clear sense to me:

Step 1: POST OAuth/request_token

response includes… Continue reading Twitter OAuth signing process explanation→

How OAuth sends jwt with information about the user?

Posted on October 27, 2020 by j.ss

What method does OAuth use to transfer jwt with user information to the final website (client)?
Unfortunately, jwt cannot be passed to the client via localStorage or cookies as the domains are different.
postMessage doesn’t seem to work ei… Continue reading How OAuth sends jwt with information about the user?→

Best practices for generating and storing authorization codes and access tokens in OAuth server

Posted on October 26, 2020 by Jakub Žitný

I’ve recently implemented an OAuth server functionality to our service. I’ve consulted OAuth 2.0 Threat Model and Security Considerations and addressed most of the concerns. I am curious about any best practices for generating authorizatio… Continue reading Best practices for generating and storing authorization codes and access tokens in OAuth server→

Oauth2: should I increase the refresh token expiring date?

Posted on October 21, 2020 by Luke

I want my clients to be able to schedule a purchase for a given date. When they perform this scheduling action, they are authenticated with an oauth2 token. However the date could be so far from now that the token might have expired when t… Continue reading Oauth2: should I increase the refresh token expiring date?→