Collaborate Disseminate
We have a situation of the session_state param on an OpenID Connect/Oauth app is sent on GET. We asked the developers to send it on POST. Developers claim that because standard OIDC/OAuth use 302 redirects, GET is the only option and they … Continue reading Can OpenID session_state be sent on POST?
We are integrating our application with SSO using Entra ID App Registrations and configuring OIDC.
When our application receives the ID token from Microsoft Entra, the iap and exp values seem invalid. This has been occurring for a few mon… Continue reading Entra ID issuing expired ID Tokens
In the OpenID Connect "authorisation-code flow" what security vulnerability is exposed, if the application relies on claims in the ID Token without validating that token?
For example, Google suggests that validating the token is … Continue reading Does an OIDC ID Token need validation in authorization-code flow?
I would like to initialise a React application with an OIDC token.
This token will be stored in a private field of the "api client" object. This object will be used to execute API calls and it will automatically add the OIDC toke… Continue reading Is it safe to store the OIDC token in a private field of a javascript object?
We all know that the /authorize endpoint is a standard endpoint of OAuth 2. Below is how it’s commonly called:
GET /oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&tenantId={tenantId}&u… Continue reading Man in the Middle Attack for OAuth 2’s Authorize endpoint
I have a non-browser client (Desktop app) that makes HTTP requests to my API.
I have the desktop client configured to use RFC-8252 (spawn an ephemeral HTTP server to handle the auth code flow’s HTTP redirect) so that the user enters creden… Continue reading Should I use separate OIDC clients for RFC-8252 (OIDC w/ PKCE) client and my HTTP API?
I’m currently looking to replace the IAM component of a project. The project is a very common setup, at the base there is a NodeJS application running in containers.
The IAM functions currently used are:
HTML form for authentication
OIDC … Continue reading Looking for self-hosted IAM platform [closed]
I am implementing a web service with a front end and back end. Everything but the login endpoint requires authentication. For authentication I use Authentik. However, I have trouble wrapping my head around which tokens to give to the user,… Continue reading OIDC + Authentik: Which token to give to user for authentication?
Disclaimer: I know The OIDC implicit flow has been discouraged for a long time and I should use code flow on greenfields. Reasons include but are not limited to leakage of the authorization server redirect URL (via several means) essential… Continue reading Use of nonce to prevent access token leakage in OIDC implicit flow?
We use ADFS within our organisation, and it is available via HTTP externally.
All of the applications we protect with ADFS are SP-initiated, so I want to disallow requests to ADFS other than SP-initiated SSOs. (e.g. https://adfs.mydomain.c… Continue reading Secure ADFS behind HAProxy