Collaborate Disseminate
I have an admittedly-vague understanding of how OAUTH works, but I recently went through the rigmarole of installing rclone and having it sync some files from my Google Drive to my Linux laptop.
As part of rclone’s documentation, it is rec… Continue reading If I login to a mobile/web app with a Google account, what stops the developer also using that account?
We want users of our service to be able to write programs/scripts that act on their (i.e. the user’s) behalf.
I’ve seen various services (github, digital ocean, gitlab) use Personal Access Tokens (PATs) for that purpose.
Is this not someth… Continue reading Personal Access Tokens vs OAuth
I’m implementing the Authorization code flow with PKCE and planning to have my redirect_uri as the backend.
In this case, while making the code to token exchange call (in the backend), I won’t be having information like the clientId and co… Continue reading OAuth2: Is it good practice to store multiple information in state parameter then encrypt it?
I’m updating an application from javax.servlet to jakarta.servlet. The application uses some net.oauth classes that don’t seem to be available in jakarta variants. Newer OAuth implementations will require a lot of recoding. I don’t have a … Continue reading What is the best way to migrate OAuth to use Jakarta [migrated]
This is the architecture I want to follow
Source:
https://stackoverflow.com/questions/73075156/what-exactly-is-redirect-uri-in-google-oauth2-request-for-getting-authorization
I’m using a backend to exchange tokens with the authorization c… Continue reading OAuth2: Is PKCE required if the callback is located in the backend?
Most of the webprogramming and IT security I know is from ten years ago. I’m far from being a pro, so please keep my ignorance in mind when answering.
Back then, browsers sometimes sent details about the client in the headers. Eg browser v… Continue reading How does microsoftonline.com know which device I am on, and whether it is a registered device?
I have an application where the frontend app talks to 2 set of API servers: be1.domain.com and be2.domain.com
both these servers are independent entities (they do share the same top level domain, in case that is useful for this discussion)… Continue reading Oauth: Authorizing multiple clients at once
These days, mobile apps commonly leverage Oauth /OpenIdConnect-based authentication and authorization frameworks. To achieve this, the Oauth clients (the App running on android/IOS) must have a few credentials – e.g., Client_ID and Client_… Continue reading How to handle the Oath2.0 credentials in the APK files
Microsoft calls it “Modern Auth”, though it’s a decade old, and is finally forcing Exchange Online customers to switch to it. Continue reading Serious Security: OAuth 2 and why Microsoft is finally forcing you into it
In an OAuth2 authorization flow, if I understand correctly the request made to receive a token with PCKE is almost identical between that of a public client and that of a confidential client. The only real difference is that a confidential… Continue reading OAuth2 public clients cant use client secret and still achieve a secure workflow, why is it used for confidential clients?