Collaborate Disseminate
I’m exploring the possibility of implementing OpenID Connect (OIDC) with an HTTP-only cookie to keep my frontend code completely authentication-agnostic, instead of passing the Authorization header around through Javascript code.
The idea … Continue reading OIDC with JWT in HTTP-only cookie instead of HTTP Authorization bearer header
I am trying to ascertain if Google Cloud Pub/Sub supports OAuth 2.0 with Mutual TLS (mTLS). Despite conducting an internet search, I couldn’t find any pertinent information regarding mTLS support (it currently only supports OAuth 2.0). Doe… Continue reading Mtls in Google Cloud pub/sub oauth 2.0
I’m currently implementing a system which consists of a collection of apps. Similar to the way Microsoft 365 consists of Word, Excel, etc.
Ideally I’d like to log in once, then navigate between apps. However, each app requires different … Continue reading OAuth2 component scopes
We are getting hundreds of bots creating accounts using sign-in with google, like this in this format:
Colin Bush: colinbush.81466@example.com
Tambra Lockett: tambralockett.97742@example.com
Marjorie Flowers: marjorieflowers.44615@example… Continue reading Hundreds of bots creating accounts using sign-in with Google
I’ve read some blogs and did some labs regarding OAuth’s implicit flow,
but it seems to me everyone just turn a blind eye to a very critical point in the flow.
Assuming that site A uses the implicit flow for authentication,
it will redirec… Continue reading Isn’t there a critical built-in vulnerability in OAuth’s Implicit flow?
Considering an attacker may be able to leverage the information gathered from standard endpoints/configuration files such as /.well-known/oauth-authorization-server and /.well-known/openid-configuration, is it considered best practice to n… Continue reading Should standard OAuth endpoints/configuration files be kept private?
I work in game development and we want to implement anonymous "guest" accounts on mobile devices for users who don’t want to create a full account. Our normal account use an OAuth2 based library.
We don’t want to track the user’s… Continue reading How to limit guest account creation [closed]
We all know that the /authorize endpoint is a standard endpoint of OAuth 2. Below is how it’s commonly called:
GET /oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&tenantId={tenantId}&u… Continue reading Man in the Middle Attack for OAuth 2’s Authorize endpoint
I am looking for any specifications, prior art, and known security considerations for a specific OAuth2 use case where:
an authorization code grant is being performed.
the client does not know the resource server ahead of time.
the resour… Continue reading OAuth2 authorization server dictating the resource server to the client
The video from Okta says that it’s possible to hijack the access token when on public wifi. But if HTTPS is used, the headers are encrypted. And therefore the Location returned by the Auth Server won’t be visible to the attacker.
Replay at… Continue reading OAuth2 implicit flow – is it still possible to hijack the token with HTTPS?