Collaborate Disseminate
Does the OAuth client attach the client secret along with the access token for each API call to the resource server ?
Continue reading Is the OAuth client secret sent for every API call along with the access token?
There is really not that great information on what the best practices are for auth in SPA/API solutions. Most of them just say use JWTs and auth code flow in the SPA. There is a ton of information regarding auth in a SPA where you are requ… Continue reading Best practises regarding authentication in SPA/API solutions with SSO
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary values like state and the redirect uri that… Continue reading OAuth2: Storing temp values in session vs database
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary values like state and the redirect uri that… Continue reading OAuth2: Storing temp values in session vs database
All recommendations related to user authentication in mobile applications indicate that we should use oauth2 with pkce, in this case we have to use the custom tabs solution, but no browser redirection is used in any financial application (… Continue reading Oauth2 without browser on native apps
Let’s say I got an access token of the "authorization code" grant type. After the expiration of it, I would refresh it using the refresh grant. Then I’ll get a new token. Is the grant type of the new token still the same as the &… Continue reading How should the grant type of an oauth2 access token be preserved after refreshing it using refresh grant?
I have a Gmail account that uses POP to download emails from a GWS (Google Workspace) inbox, effectively another Gmail account.
In order for this to work, I had to turn on LSA (Less Secure App) for that GWS account.
Now Google is ending L… Continue reading Googles shutting down LSA and its effect on Gmail IMAP/POP [migrated]
There is a new article explaining the details of the new Google OAuth2 exploit where a Google session can be restored using a Chrome token. But what I can’t seem to find on Google or in the article itself is…
Am I correct in understandi… Continue reading Does the New Google Session Hijacking Technique Require Access to my Computer
The OAuth2.0 Implicit Flow allows to obtain an Access Token directly with just one call to the Authorization Server (AS), without the need of a second POST request to the same AS.
According to this article, the OAuth2.0 Implicit Flow was c… Continue reading why was implicit flow conceived?
The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.
The setup: There is a client, application server and authentication server.
The client stores… Continue reading can we use access token as session cookie in browser? and how to protect it?