Collaborate Disseminate
Learn how to find out which apps you’ve given access rights to, and how to revoke those rights immediately in an emergency. Continue reading GitHub issues final report on supply-chain source code intrusions
By Deeba Ahmed
GitHub has revealed that attackers have abused OAuth user tokens issued to Heroku and Travis-CI, popular third-party OAuth…
This is a post from HackRead.com Read the original post: GitHub: Hackers Stole OAuth Access Tokens to Targe… Continue reading GitHub: Hackers Stole OAuth Access Tokens to Target Dozens of Firms
I am adding Single Sign-On (SSO) via Google and Microsoft identity providers to a web application where many thousands of user accounts already have existing credentials stored by username and password. Each account also has a primary emai… Continue reading Adding SSO to an existing website – should SSO login link to matching email address?
Scenario: a user enters his password incorrectly x times, so his account is locked for y minutes.
Should I revoke all his refresh tokens?
Problems:
user is logged out of all devices, not just the one he’s on currently (where he entered th… Continue reading Revoke all refresh tokens when account locked?
I’m trying to detect refresh token reuse / replay.
A typical approach:
send refresh token (on login or refresh)
create refresh token as opaque value (e.g. buffer from a CSPRNG)
base64 encode value and send to user
salt and hash value, st… Continue reading Refresh token replay detection
I’m not using an identity provider. I have a small system with access and refresh tokens and it works well.
Assume the system follows the "typical" approach:
when user authenticates or refreshes: he gets a new refresh token
refr… Continue reading Should refresh tokens be signed?
I’m not using an identity provider. I have a small system with access and refresh tokens and it works well.
Assume the system follows the "typical" approach:
when user authenticates or refreshes: he gets a new refresh token
refr… Continue reading Should refresh tokens be signed?
I am trying to learn OAuth and I keep reading that "OAuth is only used for authorization." However, if you add an email or profile scope, doesn’t that identify who the user is? So can it be used for both authorization and authent… Continue reading Why can’t an email or profile scope used to authenticate in OAuth?
I am trying to learn OAuth and I keep reading that "OAuth is only used for authorization." However, if you add an email or profile scope, doesn’t that identify who the user is? So can it be used for both authorization and authent… Continue reading Why can’t an email or profile scope used to authenticate in OAuth?
Restrictions:
Access token will be short lived (2 minutes)
Access token will be one-time use only.
Given a strong random algorithm, would it be considered good practice to generate an opaque access-token by generating 256/512 random bits… Continue reading Good practice for generating opaque access-token