Collaborate Disseminate
I’m currently looking to replace the IAM component of a project. The project is a very common setup, at the base there is a NodeJS application running in containers.
The IAM functions currently used are:
HTML form for authentication
OIDC … Continue reading Looking for self-hosted IAM platform [closed]
I am implementing a web service with a front end and back end. Everything but the login endpoint requires authentication. For authentication I use Authentik. However, I have trouble wrapping my head around which tokens to give to the user,… Continue reading OIDC + Authentik: Which token to give to user for authentication?
Disclaimer: I know The OIDC implicit flow has been discouraged for a long time and I should use code flow on greenfields. Reasons include but are not limited to leakage of the authorization server redirect URL (via several means) essential… Continue reading Use of nonce to prevent access token leakage in OIDC implicit flow?
We use ADFS within our organisation, and it is available via HTTP externally.
All of the applications we protect with ADFS are SP-initiated, so I want to disallow requests to ADFS other than SP-initiated SSOs. (e.g. https://adfs.mydomain.c… Continue reading Secure ADFS behind HAProxy
Details: traditional web-application with react frontend & nodejs API backend. FE & BE served on the same domain. FE -> example.com, API -> example.com/api
We have users and some of the private API routes (the majority of the… Continue reading Is it worth replacing session based traditional auth with OpenID-Connect?
I’m building a multi-tenant app that has the unusual requirement of allowing tenants to use their own choice of external systems for login/authentication
ie: tenant 1 uses Azure AD, tenant 2 uses Auth0, tenant 3 uses Github etc.
The plan i… Continue reading Multi-tenant SPA with multiple OIDC providers
Let’s say we have a web application with SSO/OIDC implemented and there are multiple authentication providers.
The workflow so far:
Click "Login via Microsoft"
Enter your email-address.
Forward to the corresponding authenticatio… Continue reading Single Sign-On: multiple authentication providers [migrated]
We are implementing SAML/OIDC-based SSO across our enterprise and wanted to get a feel for best practices when it comes to using Personal/Signer Certificates within our IdP.
Historically we’ve utilised the personal certificate that came wi… Continue reading IdP Personal/Signer Certificates
I am looking for a "best practises" approach for creating SPAs protected using OIDC + PKCE.
Most of our applications are hosted on two independent web servers with a load balancer routing requests to them in a round-robin configu… Continue reading Using `react-oidc-context` and storing the `access_token` and `refresh_token` together
Imagine I host some API. Its exact function is irrelevant to the question, but it needs to have some sort of authorization put in front of it. I want to call Google’s APIs, so users can interact with their Google data, so I add the necessa… Continue reading What risks are there in using an OAuth2 access_token from an IdP that I do not control to secure an API that I do control?