Collaborate Disseminate
I have a non-browser client (Desktop app) that makes HTTP requests to my API.
I have the desktop client configured to use RFC-8252 (spawn an ephemeral HTTP server to handle the auth code flow’s HTTP redirect) so that the user enters creden… Continue reading Should I use separate OIDC clients for RFC-8252 (OIDC w/ PKCE) client and my HTTP API?
I am implementing a web service with a front end and back end. Everything but the login endpoint requires authentication. For authentication I use Authentik. However, I have trouble wrapping my head around which tokens to give to the user,… Continue reading OIDC + Authentik: Which token to give to user for authentication?
During token refresh, the auth server may issue new refresh token.
https://datatracker.ietf.org/doc/html/rfc6749#page-11
…
(H) The authorization server authenticates the client and validates
the refresh token, and if valid, issu… Continue reading Why oauth2 token refresh may issue new refresh token? (is this mitigation of some kind of threat)
My mobile app has this (fairly common) authentication user experience:
user signs in with email and password
user is prompted to enable biometrics for faster access next time
when user returns to app after a time of inactivity
if they en… Continue reading Re-authentication with biometrics in a mobile app using access token
I’ve been playing around with Oauth 2.0 Playground to understand Google’s Oauth implementation and Oauth in general.
And, I had an idea. I generated an access token running under user_A. Then, I took that access token and used it in Postma… Continue reading Must the refresh_token request come from the same URI origin as in the original redirect_uri?
EDIT: I’ve looked into the issue more and I can find some documentation for getting an OAuth token with OpenID Connect but not with OpenID 2.0. Can it be done?
We have a server application that is returning our OAuth tokens using the Pytho… Continue reading Using OpenID 2.0 to return an Oauth token
[Laurence Tratt]’s washing machine blew up, so he sprung for a brand new model with all the bells and whistles. Of course, these days, that means it has an Internet …read more Continue reading Internet of Washing Machines Solves an Annoyance
OAuth 2 supported a flow called the Implicit Flow where the authorization server on response just provided the access token directly to the browser without requiring a back-channel communication from the client to the authorization server…. Continue reading In OAuth 2.1, can the Access Token and Authorization Code be the same?
This spec defined DPoP mechanism to bind cryptographically bind access tokens. There is also mention about authorization code binding.
But hey, do you see any sense in it? Ok, it obviously is a way to prevent authorization code injection a… Continue reading Is there any sense in use of Authorization Code Binding To DPoP Key when client is confidential and uses PKCE?
OAuth2 requires clients to register allowed values for redirect_uri.
Otherwise, an attacker could receive the authorization code. For example:
https://authorization.example/oauth/authorize
?client_id=abc
&response_type=code
&redire… Continue reading Why doesn’t client_secret prevent authorization code OAuth2 redirect attacks?