Collaborate Disseminate
I’m currently running a single-instance SaaS application backend where multiple tenants’ data is stored in the same database, separated by tenant IDs. I’m looking to implement authentication that supports multiple tenants while ensuring da… Continue reading How to achieve multi-tenant Authentication in my SaaS application? [closed]
I am a developer responsible for mobile app and a couple of SPA web apps. Our customers are organizations ("tenants") with multiple users. Our authentication is built on OAuth2 (OpenID Connect).
We have recently had requests from… Continue reading Best Practices for how to implement in-app user account switching
I am trying to implement "Login with Google/Apple etc…" on a web platform and I can’t wrap my head around how you can trust the response that supposedly comes from the resource server owned by these platforms.
For comparison, w… Continue reading How OpenID over OAuth 2.0 can be trusted?
If I’m understanding OAuth2 PKCE right, it is to be used in cases where a client cannot be trusted to hold onto a client secret. I also understand (reading RFC 6749) that a client id is not a secret.
This means that a PKCE authorization t… Continue reading Why do OAuth2 PKCE authorization codes have client_id?
I understand the different purposes the two parameters serve, but is there anything speaking against the state and nonce parameters being the same string?
Continue reading Can the state and nonce have the same value?
CVE-2020-27838 describes that Keycloak has an open endpoint where it’s possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{client_id}
Through other discussions, … Continue reading Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)
I’m working on configuring my suite of services (in different domains) so that they can all be accessed via Single Sign-On. I’m using AWS Cognito as a wrapper around a SAML Idp (Azure AD).
What I would like to figure out is: how can I make… Continue reading OAuth2 System Design for Single Sign-On | Auto-Detect Session?
I’m working within a spec that uses the OpenID Connect third party initiated login + implicit flow. I first have to register my application with the third party, providing them a login initiation url, redirect uri, target link uri. Then th… Continue reading OAuth2 OpenID Connect Third Party Initated Login with implicit flow
To help developers with integrating with our SAML/OAuth/OIDC Identity Provider on their local dev environments, I’m thinking about configuring a demo client/app in our production IdP that has localhost configured as valid redirect url (OAu… Continue reading Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider
I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a react SPA and a .net API, on the same domain. This web app is a case management solution that deals with medical data, running in a private ne… Continue reading Session/cookie expire time, match access token or refresh token from AD?