Collaborate Disseminate
I’ve implemented Auth Code flow with PKCE on my server, but I’m still not entirely clear on why I’m doing it. I’ve read through the IETF documentation and I get flashes of what seems like understanding but it always seems to fade.
The nea… Continue reading Why does Authorization Code flow need the authorization code?
I am currently trying to implement my own Authorization Server following the OAuth2 protocol PKCE flow, coupled with my own Identity Provider. The idea is to be able to reuse the same identity provider across multiple SPA.
To get a clearer… Continue reading Custom OAuth2 Authorization Server / Identity Provider
We have a web app where the back end is composed of APIs. We use OAuth to authorize the web app’s call to the APIs. We all know that in OAuth, there is always the Authorization endpoint used to get the Authorization code, which in turn is … Continue reading Exploitation of client_id in OAuth
I am trying to find the best OAuth2 mechanism for our VueJS Single Page Application (SPA) hosted on our own backend. From my research, Authorization Code should be sufficient, as long as the redirect URI happens on the backend. If it happe… Continue reading Difference between Form Post Response and Authorization Code
Consider the following architecture:
An on premise Web API 2 [Written in C# hosted in IIS] which uses OAuth 2 authentication [ Implicit Flow ] to secure itself. This API acts as the data source by external apps [ Currently an angular 9 APP… Continue reading Risks associated with a compromised external Security token server
Consider the following architecture:
An on premise Web API 2 [Written in C# hosted in IIS] which uses OAuth 2 authentication [ Implicit Flow ] to secure itself. This API acts as the data source by external apps [ Currently an angular 9 APP… Continue reading Risks associated with a compromised external Security token server
I’ve recently migrated my application to use external provider for login so that my application doesn’t have to deal with auth and storing user credentials. For this I’m using OpenID Connect (OIDC) over OAuth2 and so the auth flow is quite… Continue reading OIDC/OAuth2 id_token and it’s usage in the client application
I’m working on an API that I’d like to be accessible internally by other servers as well as devices that I consider both as confidential private clients. Devices are considered private clients because the client_secret is stored in an encr… Continue reading OAuth2 – Sending a hash of your client_secret when using the client credentials grant instead of the secret
I’m developing an API and different apps to access to it, each with different scopes, including a native mobile app, and I’m wondering what would be a good strategy to authenticate my own native app to my own API (or more specifically my u… Continue reading How to ensure your own native app is talking to your own API [duplicate]
We have had a security consultant make a recommendantion of an approach that does not follow the IEFF best-practice document (https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04#section-6). I am looking for reasons why this … Continue reading Authorization Code Grant Flow for web-app with backend on separate domain (same origin)