Collaborate Disseminate
I am studying the security considerations chapter of oauth2 RFC 6749, but I am a bit confused about Authorization Code Redirection URI Manipulation paragraph 10.6:
"When requesting authorization using the authorization code grant
t… Continue reading Authorization Code Redirection URI Manipulation Doubts
I needed a way to sync user data across multiple domains that I own, so I figured I might as well implement an OAuth server, since others have already spent lots of effort in making sure its design is secure.
But it occurred to me that the… Continue reading Why doesn’t OAuth/OpenID Connect use window.open() and postMessage() instead of redirects
I am adding to my web app the ability for a user to log in using their Google or Microsoft account. The default way the ASP.NET Identity Library implements this is on the first use, when they get registered, it prompts for their email with… Continue reading Using Google/Microsoft login – no email change?
I am creating an browser(chrome) extension that will serve as a youtube-music last-fm scrobbler(detect songs and send them to last.fm).
I created a last.fm application(docs) which granted me
an api key
a shared secret
Then i followed thi… Continue reading Last.fm client application: How should secrets be handled
I am creating a browser(chrome) extension that will serve as a youtube-music last-fm scrobbler(detect songs and send them to last.fm).
I created a last.fm application(docs) which granted me
an api key
a shared secret
Then I followed this… Continue reading Last.fm client application: How should secrets be handled
Can anyone please shed some light on the difference between the following two OAuth grant type scenarios?
JWT grant with JWT assertion
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
assertion=${JWT}
Defined in RFC 7523 § 2.1. An … Continue reading JWT-bearer grant with JWT assertion vs. client credentials grant with JWT client assertion?
So I’m currently learning about Demonstrating Proof-of-Possession (DPoP) in Oauth after previously learnt about Proof Key for Code Exchange (PKCE). one interesting idea i’ve been thinking is, is it possible to replace the challenge/verifie… Continue reading OAuth 2.0: Is it possible to replace PKCE with DPoP-like proof-of-possession?
I am trying to understand the complete flow and I have put together an implementation draft.
Please forgive any silly mistakes.
Here’s the draft:
https://github.com/arjunballa/api-security/blob/main/token-exchange-delegation-flow.md
I want to provide authorization for our native application. Requirements are like:
It is a to-customer product.
All features are integrated in the software provided to customer, like product = {feature0, feature1, feature2}. When a custom… Continue reading Is OAuth2 a Good Choice for Small First-party Native Application?
I want to provide authorization for our native application. Requirements are like:
It is a to-customer product.
All features are integrated in the software provided to customer, like product = {feature0, feature1, feature2}. When a custom… Continue reading Is OAuth2 a Good Choice for Small First-party Native Application?