Collaborate Disseminate
I understand that oauth is an Authorization protocol, but it is possible to use it for authentication when clubbed with something like open ID Connect.
I am trying to understand why do we need an extra token in the redirect url to prove au… Continue reading Using oauth for authentication
Microsoft investigated a new kind of attack where malicious OAuth applications were deployed on compromised cloud tenants before being used for mass spamming.
The post Malicious Oauth app enables attackers to send spam through corporate cloud tenants … Continue reading Malicious Oauth app enables attackers to send spam through corporate cloud tenants
By Deeba Ahmed
According to Microsoft 365 Defender Research Team, in an incident they analyzed, malicious OAuth applications were deployed on compromised cloud tenants, and eventually, attackers took over Exchange servers to carry out spam campaigns.
… Continue reading New Spam Attack Abusing OAuth Apps to Target Microsoft Exchange Servers
I am using Oauth1 to connect to NetSuite Restlet API for multiple customers.
To do so I make use of these values to authenticate and sign the request
API URL (unique per customer)
Realm (unique per customer)
ConsumerToken (64 char hexade… Continue reading OAuth1 tokens: Is consumerToken and ConsumerSecret considered a secret value
As I understand it, OAuth is the natural evolution of authentication protocols
I understand in a general way that evolution is as follows:
basic authentication
cookies
tokens, at this point you want to separate the front from the back.
OA… Continue reading Why do big sites use cookies and not OpenID connect?
In April 2022, GitHub suffered an attack involving stolen OAuth tokens:
Security alert stolen oauth user tokens.
Github stolen oauth tokens used in breaches.
Interestingly, GitHub OAuth tokens have a very long expiry — they expire only … Continue reading Would token expiry have prevented the GitHub stolen OAuth token attack?
I want to set up an OAuth2.0 flow on a web application for users that have access to GCP.
The user will login to a web app.
Then, the OAuth2.0 flow will need to ask for the consent that will allow the app to perform things on their behalf,… Continue reading Act as another google cloud platform user in a web app
I am implementing OAuth (more specifically "Sign in with Google") for a website that has been using only email and password for years.
Now the guide that I’m reading suggests to read the uid in the OAuth callback. However the exi… Continue reading Is it safe to use email from OAuth for authentication?
We are retrieving external users using OpenID with the PKCE flow. We are using the JWT returned from the auth server to authenticate the user. If it is valid, we extract the subject field from the token and use it as an ID in our users tab… Continue reading Can I store subject from a JWT from an external auth server in my DB?
I want to build a application which having following architecture:
According to the BCP, I am going to implement Authorization Code Flow with PKCE. I am wondering:
Do I need to implement a separate BFF between frontend and backend ?
If B… Continue reading Oauth 2.0 current best practice for SPA and backends