Collaborate Disseminate
Details: traditional web-application with react frontend & nodejs API backend. FE & BE served on the same domain. FE -> example.com, API -> example.com/api
We have users and some of the private API routes (the majority of the… Continue reading Is it worth replacing session based traditional auth with OpenID-Connect?
I’m building a multi-tenant app that has the unusual requirement of allowing tenants to use their own choice of external systems for login/authentication
ie: tenant 1 uses Azure AD, tenant 2 uses Auth0, tenant 3 uses Github etc.
The plan i… Continue reading Multi-tenant SPA with multiple OIDC providers
Let’s say we have a web application with SSO/OIDC implemented and there are multiple authentication providers.
The workflow so far:
Click "Login via Microsoft"
Enter your email-address.
Forward to the corresponding authenticatio… Continue reading Single Sign-On: multiple authentication providers [migrated]
We are implementing SAML/OIDC-based SSO across our enterprise and wanted to get a feel for best practices when it comes to using Personal/Signer Certificates within our IdP.
Historically we’ve utilised the personal certificate that came wi… Continue reading IdP Personal/Signer Certificates
I am looking for a "best practises" approach for creating SPAs protected using OIDC + PKCE.
Most of our applications are hosted on two independent web servers with a load balancer routing requests to them in a round-robin configu… Continue reading Using `react-oidc-context` and storing the `access_token` and `refresh_token` together
Imagine I host some API. Its exact function is irrelevant to the question, but it needs to have some sort of authorization put in front of it. I want to call Google’s APIs, so users can interact with their Google data, so I add the necessa… Continue reading What risks are there in using an OAuth2 access_token from an IdP that I do not control to secure an API that I do control?
I understand that a nonce is used to prevent replay attacks. I have been going through documentations, specs, posts and blog posts and I am a little confused.
Consider the following attack scenario.
Mary wants to login to https://photos.c… Continue reading OpenId Connect and proper usage of nonce
I’m using Keycloak for my authentication needs. It allows me to use * as wildcard when whitelisting redirect_uris for OIDC clients. What are the risks of using * in context path of redirect_uri? For example, what could attacker do if I reg… Continue reading What are the risks of using wildcard in context path of OIDC/OAuth redirect_uri?
I am trying to understand OAuth2 and OIDC. The OIDC glossary is a good starting point, and while it defines "Authentication", but does not actually define "Authorization". I suspect it leaves to the OAuth2 specificat… Continue reading Definition of Authorization according to OAuth2
I have seen some similar questions a few years old and I am not sure if there are any new changing views on this.
I see that this flow is not recommended for mobile native apps. What are the practical downsides security wise of using this … Continue reading Downside of resource owner password flow for native mobile apps?