Bearer token in header as Basic token? – Does that violate the RFC6749 spec?

In a header you can have—for example—"Authorization: Basic " xor "Authorization: Bearer ".
If I use my Bearer token as Basic, then can this endpoint double as a "give me fresh tokens for this access token" endpoint?
https://…
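The point the question circles around is that the server never guesses what a credential is: the auth-scheme in the Authorization header (RFC 7235) tells it which syntax to apply, Basic being base64(user-id:password) per RFC 7617 and Bearer being a b64token per RFC 6750. Below is an added example of a strict scheme-dispatching parser; it is not code from the question or from any real server, and the sample header values are constructed for the demonstration.

```python
import base64
import binascii
import re

# RFC 6750 b64token syntax:
#   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
BEARER_TOKEN_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def parse_authorization(header_value: str) -> tuple:
    """Dispatch strictly on the auth-scheme.

    Returns ('basic', user_id, password) or ('bearer', token); raises
    ValueError for anything else. The scheme name is case-insensitive
    (RFC 7235); the credentials are validated against that scheme's
    own syntax, so a token that belongs to one scheme is not silently
    reinterpreted under another.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<auth-scheme> <credentials>'")
    scheme, credentials = parts[0].lower(), parts[1].strip()

    if scheme == "basic":
        # RFC 7617: credentials are base64 of "user-id:password".
        try:
            decoded = base64.b64decode(credentials, validate=True)
        except (binascii.Error, ValueError):
            raise ValueError("Basic credentials are not valid base64")
        try:
            text = decoded.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError("Basic credentials are not UTF-8 text")
        if ":" not in text:
            raise ValueError("Basic credentials must be user-id:password")
        user_id, _, password = text.partition(":")
        return ("basic", user_id, password)

    if scheme == "bearer":
        # RFC 6750: an opaque b64token, handed to the token validator as-is.
        if not BEARER_TOKEN_RE.match(credentials):
            raise ValueError("Bearer credentials are not a b64token")
        return ("bearer", credentials)

    raise ValueError(f"unsupported auth-scheme {scheme!r}")


def classify(header_value: str) -> str:
    """Helper for demonstration: the scheme accepted, or 'rejected'."""
    try:
        return parse_authorization(header_value)[0]
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample values: base64("alice:s3cret") and a JWT-shaped token.
    print(parse_authorization("Basic YWxpY2U6czNjcmV0"))
    print(parse_authorization("Bearer eyJhbGciOiJIUzI1NiJ9.abc.def"))
    # Same access token presented under the Basic scheme: the dots are not
    # base64 alphabet, so it is rejected rather than treated as credentials.
    print(classify("Basic eyJhbGciOiJIUzI1NiJ9.abc.def"))
```

Because each scheme is parsed on its own terms, a bearer token sent as Basic simply fails Basic's syntax (or, for a token that happens to be valid base64 with a colon in it, yields a bogus user-id:password pair that no account matches); it never reaches the bearer-token validator, and whether a given endpoint also issues fresh tokens is decided by that endpoint's contract, not by the header scheme.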

What are the security implications of receiving a secret (e.g. OAuth BEARER) token via cookie vs. Authorization header?

I have seen applications use both the Authentication HTTP header, as well as a cookie, or sometimes even both, to store & transmit BEARER tokens (JWT) when they send requests. For example, I am currently looking at an application where…

Is it safe to pass Google ID tokens to third-party services for user authentication?

I’m working on an app called AwesomeApp that uses Google Sign-In for user authentication. When users sign in, the app receives a Google ID token.
We are integrating with a third-party service, ScoreboardService, which also needs to identif…
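The check that decides this question is the ID token's aud claim: an OpenID Connect ID token is issued for one audience, the client_id of the relying party that requested it, and every verifier must reject a token whose aud is not its own client_id. The following added example (not code from the question or from Google's libraries) shows why a token minted for AwesomeApp is useless to ScoreboardService as a credential. The client IDs are hypothetical, and signature verification is replaced by an HMAC stand-in so the example runs offline; real Google ID tokens are RS256-signed and are verified against Google's published JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for signature verification (assumption for the demo:
# a shared HMAC key instead of Google's RSA keys).
DEMO_KEY = b"demo-signing-key"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Hypothetical client IDs for the two relying parties in the question.
AWESOMEAPP_CLIENT_ID = "awesomeapp-123.apps.googleusercontent.com"
SCOREBOARD_CLIENT_ID = "scoreboard-456.apps.googleusercontent.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict) -> str:
    """Constructed issuer: produce a compact JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, expected_aud: str, now=None) -> dict:
    """Relying-party side: signature, issuer, audience and expiry must all hold.
    The audience check is the one that separates AwesomeApp from ScoreboardService."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected_sig = hmac.new(DEMO_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"token audience {aud!r} is not this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def accepts(token: str, my_client_id: str) -> bool:
    """True if a service registered as my_client_id may treat the token as a login."""
    try:
        verify_id_token(token, my_client_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed token, as Google would issue it to AwesomeApp for user "10769..."-style subject.
    token = mint_id_token({
        "iss": "https://accounts.google.com",
        "sub": "110169484474386276334",
        "aud": AWESOMEAPP_CLIENT_ID,
        "exp": 2000000000,
    })
    print("AwesomeApp accepts:", accepts(token, AWESOMEAPP_CLIENT_ID))
    print("ScoreboardService accepts:", accepts(token, SCOREBOARD_CLIENT_ID))
```

If ScoreboardService skipped the aud check to make this work, any site the user had ever signed into with Google could replay its own ID tokens to impersonate that user at ScoreboardService; the correct designs are for ScoreboardService to obtain its own ID token (its own client_id) or for AwesomeApp to issue ScoreboardService a credential of its own after validating the Google token.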

Why shouldn’t I use the OAuth password grant if I have to implement a custom username+password login anyway?

I’m building a web REST API. Users must be able to authenticate themselves to this API.
I don’t know ahead of time which clients will want to use the API. I want to allow for the possibility of anyone creating their own client, like a cust…

OAuth 2.0 – why is the state parameter needed in order to prevent CSRF at authorization code login flow?

I’m having a really hard time understanding why the state should be used to protect against CSRF at the OAuth 2.0 login flow.
Imagine I have an Authorization Server with a legitimate client registered with the client_id of my-app-123 and t…
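The attack that state defends against is a login CSRF against the client: the attacker runs the authorization-code flow in their own browser, captures the redirect back to the client carrying the attacker's code, and gets the victim's browser to load that callback URL, so the victim's session at the client becomes bound to the attacker's account. The client cannot tell from the code alone whose flow it completes; it can only tell if it bound a per-session secret to the flow it started and checks it on return. Below is an added example (not code from the question or from any library) that simulates both the honest flow and the attack with the my-app-123 client_id from the question; the endpoints and session store are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client registration and endpoints.
CLIENT_ID = "my-app-123"
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
REDIRECT_URI = "https://my-app.example/callback"


class Session:
    """Minimal per-browser session (what a session cookie points at)."""
    def __init__(self):
        self.data = {}


def build_authorization_request(session: Session) -> str:
    """Client, step 1: mint an unguessable state, bind it to this session,
    and redirect the browser to the authorization endpoint with it."""
    state = secrets.token_urlsafe(32)
    session.data["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: Session, callback_url: str) -> str:
    """Client, step 2: the browser arrives at redirect_uri with code and state.
    Only proceed to the token exchange if state matches the value bound to
    THIS session; consume it so it cannot be replayed."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    returned_state = query.get("state", [None])[0]
    expected_state = session.data.pop("oauth_state", None)
    if code is None or returned_state is None or expected_state is None:
        raise PermissionError("missing code or state, or no flow pending")
    if not hmac.compare_digest(returned_state, expected_state):
        raise PermissionError("state mismatch: possible login CSRF")
    return code  # safe to exchange at the token endpoint


def simulate() -> dict:
    """Run the attack and the honest flow; report what the client accepted."""
    # Attacker starts a flow in their own browser and captures the callback
    # URL the authorization server sends back (constructed value for the demo).
    attacker = Session()
    build_authorization_request(attacker)
    poisoned_callback = REDIRECT_URI + "?" + urlencode(
        {"code": "ATTACKER_CODE", "state": attacker.data["oauth_state"]})

    # Victim is lured to that URL. Case A: victim has a flow of their own
    # pending; case B: victim never started one. Both must be rejected.
    victim_a = Session()
    build_authorization_request(victim_a)
    victim_b = Session()
    outcome = {}
    for name, victim in (("pending_flow", victim_a), ("no_flow", victim_b)):
        try:
            handle_callback(victim, poisoned_callback)
            outcome[name] = "accepted"
        except PermissionError:
            outcome[name] = "rejected"

    # Honest flow: the callback carries the state this session minted.
    honest = Session()
    build_authorization_request(honest)
    honest_callback = REDIRECT_URI + "?" + urlencode(
        {"code": "VICTIM_CODE", "state": honest.data["oauth_state"]})
    outcome["honest"] = handle_callback(honest, honest_callback)
    return outcome


if __name__ == "__main__":
    print(simulate())
```

Note that the attacker's callback carries a perfectly valid state (their own); what defeats it is not the format of the value but the fact that the client compares it against the one stored in the requesting session. A client that merely checks "state is present" gains nothing.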

Open Banking: How can a TPP integrate their mobile app with a bank’s APIs without breaking the security profile

I’ve been researching UK Open Banking and getting to know the ins and outs of the FAPI advanced security profile.
My question is based on the following premises (and I think I’m probably either misunderstanding something or missing a key fa…