Office 365 OAuth Attack Targets Coinbase Users
Attackers are targeting Microsoft Office 365 users with a Coinbase-themed attack, aiming to take control of their inboxes via OAuth. Continue reading Office 365 OAuth Attack Targets Coinbase Users
Attackers gain read-only permissions to snoop around Office 365 accounts, including emails, contacts and more. Continue reading OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks
I’m seeing token scopes as more of a contract between what a third-party application can do on behalf of some user’s consent.
Therefore, let’s say a client asks a Resource owner to authenticate and includes scopes telling the user it’s onl… Continue reading OAuth 2.0: what’s stopping a client from lying to the Resource owner about scopes
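The "contract" view of scopes above can be shown in code. The following is an added example, not part of the original question or any answer to it: it assumes a minimal in-memory authorization server (AuthServer) and resource server (ResourceServer) with constructed client, user and endpoint names. The point it demonstrates is that what the client tells the user out of band is irrelevant to enforcement: the consent screen is rendered by the authorization server from the scopes in the authorize request, the token carries only the scopes the user actually approved, and each resource endpoint checks that list.

```python
"""OAuth 2.0 scope enforcement, added example (not from the original page).

Assumed: an in-memory AuthServer and ResourceServer with constructed client,
user and endpoint names. No network, no real identity provider.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    # registered clients: client_id -> scopes the client is allowed to request
    clients: dict
    # issued access tokens: token -> (client_id, user, frozenset of granted scopes)
    tokens: dict = field(default_factory=dict)

    def consent_screen(self, client_id, requested):
        """The list the user actually sees. It is built by the authorization
        server from the authorize request, so a client claiming elsewhere that
        it 'only needs your email' cannot hide an extra scope from the user."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        unknown = set(requested) - self.clients[client_id]
        if unknown:
            raise ValueError(f"client not registered for scopes {sorted(unknown)}")
        return sorted(requested)

    def issue_token(self, client_id, user, requested, approved):
        """Issue a token carrying only scopes that were both shown and approved."""
        shown = set(self.consent_screen(client_id, requested))
        granted = frozenset(approved) & shown   # can never exceed what was shown
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, user, granted)
        return token


class ResourceServer:
    # constructed endpoint -> required scope mapping (assumption for the example)
    REQUIRED = {"/me/email": "email.read", "/me/mail": "mail.read",
                "/me/mail/send": "mail.send"}

    def __init__(self, auth_server):
        self.auth = auth_server

    def call(self, token, endpoint):
        """Authorization happens here, on the token's granted scopes, not on
        anything the client asserts about itself."""
        required = self.REQUIRED[endpoint]
        if token not in self.auth.tokens:
            return 401, "invalid_token"
        _, user, granted = self.auth.tokens[token]
        if required not in granted:
            return 403, f"insufficient_scope: need {required}"
        return 200, f"{endpoint} for {user}"


def demo():
    """Client tells the user 'we only read your address' but asks for mail.send."""
    auth = AuthServer(clients={"notes-app": {"email.read", "mail.read", "mail.send"}})
    rs = ResourceServer(auth)
    requested = ["email.read", "mail.send"]
    shown = auth.consent_screen("notes-app", requested)     # user sees both
    tok = auth.issue_token("notes-app", "alice", requested, ["email.read"])
    return shown, rs.call(tok, "/me/email")[0], rs.call(tok, "/me/mail/send")[0]


if __name__ == "__main__":
    print(demo())
```

If the client wants to hide a scope it must leave it out of the authorize request, and then the token it gets cannot exercise that scope either; the only way to "lie" is to request more than it admits to, and the consent screen is where that shows up.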
I’m in need of an authentication & authorization service that can manage our app’s pool of users. I stumbled upon Keycloak and have been checking it for the past few days, but I’m wondering why Keycloak doesn’t provide an API for a cli… Continue reading Why doesn’t Keycloak allow user sign-up and sign-in through a client?
We’re currently developing a Next.js application (server side rendering) and are looking for secure ways to keep the users logged in for longer periods of time.
AFAIK this can either be done using silent authentication or refresh tokens. G… Continue reading Authentication in Next.js application (SSR SPA with long sessions)
We are writing a pure javascript front-end (in angular) for an API that still uses OAuth 1 for legacy reasons. Being pure javascript means the consumer secret is part of the code that gets downloaded at the start, before authentication, an… Continue reading Is OAuth 1 less secure than OAuth 2 in an SPA
I’m implementing an OAuth 2.0 Authorization Code grant type flow and considering using a very short-lived JWT as the authorization code so this step doesn’t require a database.
I understand that this code is usually persisted and removed … Continue reading Is it safe to use a JWT as an Authorization Code?
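As an added example (not code from the question or any answer to it), here is a stateless authorization code built as an HMAC-signed JWT with the standard library only. It assumes a shared HS256 key between the /authorize and /token endpoints, a constructed 60-second lifetime, and constructed client and user values. It also shows the one thing a signed code cannot give you for free: RFC 6749 section 4.1.2 requires that a code used more than once be rejected, so even a self-contained JWT needs a small replay cache of used `jti` values, bounded by the code's own expiry.

```python
"""Short-lived JWT as an OAuth 2.0 authorization code, added example.

Assumed (not from the original page): HS256 key shared by /authorize and
/token, 60-second code lifetime, constructed client_id / redirect_uri / user.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

KEY = secrets.token_bytes(32)   # per-process key; a real deployment rotates it
CODE_TTL = 60                   # seconds; RFC 6749 recommends at most 10 minutes
_used = {}                      # jti -> exp: the replay cache a stateless code still needs


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_code(client_id, redirect_uri, user, scope, now=None):
    """/authorize: everything /token needs is inside the code, so no DB row."""
    now = int(now if now is not None else time.time())
    claims = {"sub": user, "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "iat": now, "exp": now + CODE_TTL,
              "jti": secrets.token_hex(16)}
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def _prune(now):
    """Drop replay-cache entries whose code has expired anyway."""
    for jti in [j for j, exp in _used.items() if exp <= now]:
        del _used[jti]


def redeem_code(code, client_id, redirect_uri, now=None):
    """/token: verify signature, expiry, client binding and single use.
    Returns the claims dict on success or the OAuth error string 'invalid_grant'."""
    now = int(now if now is not None else time.time())
    _prune(now)
    try:
        header, body, sig = code.split(".")
        # Always verify our own HMAC; the header's 'alg' is never trusted.
        expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return "invalid_grant"
        claims = json.loads(_unb64(body))
    except ValueError:          # bad structure, bad base64, bad JSON
        return "invalid_grant"
    if now >= claims["exp"]:
        return "invalid_grant"  # expired
    if claims["client_id"] != client_id or claims["redirect_uri"] != redirect_uri:
        return "invalid_grant"  # a stolen code redeemed by a different client
    if claims["jti"] in _used:
        return "invalid_grant"  # replay: a code may be used once only
    _used[claims["jti"]] = claims["exp"]
    return claims


if __name__ == "__main__":
    c = mint_code("notes-app", "https://app.example/cb", "alice", "openid email")
    print(redeem_code(c, "notes-app", "https://app.example/cb"))   # claims
    print(redeem_code(c, "notes-app", "https://app.example/cb"))   # invalid_grant
```

The replay cache is the design trade-off: it is tiny (one entry per unredeemed code, pruned after CODE_TTL) but it is state, and in a multi-node deployment it has to be shared or the same code can be redeemed once per node. If that is acceptable, the JWT removes the need to persist the code itself; if it is not, a short random code stored server-side is the simpler design.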
In the OAuth website here it says "Most services provide a way for developers to retrieve the secret of an existing application, although some will only display the secret one time and require the developer store it themselves immedia… Continue reading What is the right way to let user retrieve client secret in OAuth 2?
I’m studying Auth0 and I would like to know if using a third party application like this for authentication and authorization can be a problem for privacy and data confidentiality.
Application-based attacks that use the passwordless “log in with…” feature common to cloud services are on the rise. Continue reading Microsoft Warns on OAuth Attacks Against Cloud App Users