OAuth2: Is it good practice to store multiple information in state parameter then encrypt it?

I’m implementing the Authorization code flow with PKCE and planning to have my redirect_uri as the backend.
In this case, while making the code to token exchange call (in the backend), I won’t be having information like the clientId and co… Continue reading OAuth2: Is it good practice to store multiple information in state parameter then encrypt it?

How does microsoftonline.com know which device I am on, and whether it is a registered device?

Most of the webprogramming and IT security I know is from ten years ago. I’m far from being a pro, so please keep my ignorance in mind when answering.
Back then, browsers sometimes sent details about the client in the headers. Eg browser v… Continue reading How does microsoftonline.com know which device I am on, and whether it is a registered device?

OAuth2 public clients cant use client secret and still achieve a secure workflow, why is it used for confidential clients?

In an OAuth2 authorization flow, if I understand correctly the request made to receive a token with PCKE is almost identical between that of a public client and that of a confidential client. The only real difference is that a confidential… Continue reading OAuth2 public clients cant use client secret and still achieve a secure workflow, why is it used for confidential clients?