Collaborate Disseminate
I’m working with the Strava API, which uses OAuth. When the user authenticates my third party app, they are redirected to my application with a code querystring, which I can exchange with the Strava API for a refresh token of the user.
Mos… Continue reading Is it ok to store user Refresh Tokens in Firestore?
Attackers are trying out a new technique to widen the reach of their phishing campaigns: by using stolen Office 365 credentials, they try to connect rogue Windows devices to the victim organizations’ network by registering it with their Azure AD…. Continue reading Attackers connect rogue devices to organizations’ network with stolen Office 365 credentials
I am developing a mobile and web application that need the user to re-authenticate if they have been idled for a specific duration.
The authentication flow is just a typical OAuth password grant type with a combination of JWT accessToken a… Continue reading Stateless session inactivity timeout using refreshToken and accessToken
I am developing a mobile application for financial usage. I want to make it as secure as the existing apps in the market. Many apps ask the user to enter a PIN code to unlock the app after period of time or when the user wants to perform s… Continue reading Reverse-engineering the pin code authentication flow for mobile apps
I am slowly accepting that OAuth2 is quite amazing, but I’m still worried about the fact that an IdP could theoretically impersonate me as discussed in Can an identity provider impersonate me? (Can Facebook post Stack Overflow questions un… Continue reading Would having two identity providers prevent the theoretical possibility of impersonation by an IdP?
Scenario
I’m working in the oAuth flow for a new app, which is currently laid out like this
A React web App
A Rails backend
FusionAuth as an Authorization server
We are using the oAuth2.0 authorization code grant flow:
To login, the brow… Continue reading When using a cookie to header CSRF protection with JWTs, how to implement refresh tokens?
I recently signed into an account on a website using my Google account. I already have an username+password account on the website, where I have also enabled 2FA with a TOTP code. Upon signing in with my Google account, I noticed I wasn’t … Continue reading Should a website ask me for my TOTP code, if I auth using OAuth?
I just created a GitLab application to connect it with StackEdit.io. I created it by following the instructions on this GitLab docs page. I had to create the GitLab application with api scope and I had to uncheck confidential due to 1 and … Continue reading GitLab with api scope and confidentiality unchecked. What are the privacy risks?
I have a native windows app that can connect to multiple external API’s using OAuth (Authorization Code + PKCE). I store the refresh tokens locally encrypted with the Windows Data Protection Api.
Now I’m running into the situation where I … Continue reading Native client OAuth without API supporting PKCE
In a new project, we try to clarify how authorization should look like. I’ve been reading up on this for days, but it’s not really clear to me which solution would be the right one to use. Some solutions are not recommended anymore, some s… Continue reading Refresh token rotation or Authorization Code Flow with PKCE