Collaborate Disseminate
Are any of the "control characters" legal? That is, those in the range 0x00 to 0x1F, legal? For instance, carriage return, line feed, tab, or zero? What about 0x7F?
The OIDC spec just says "The sub value is a case-sensitive … Continue reading Which characters are legal in OpenID Connect subject identifiers?
Context
I’ve read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it’s not clear to me why.
The recommended approach seems to be using aud and sub claims … Continue reading What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?
I have seen applications use both the Authentication HTTP header, as well as a cookie, or sometimes even both, to store & transmit BEARER tokens (JWT) when they send requests. For example, I am currently looking at an application where… Continue reading What are the security implications of receiving a secret (e.g. OAuth BEARER) token via cookie vs. Authorization header?
according to https://darutk.medium.com/diagrams-of-all-the-openid-connect-flows-6968e3990660
there are two access tokens, one from Authorization endpoint and one from Token endpoint, which is kind of hybrid flow.
I have two questions (the… Continue reading why there is a need to use two access tokens in OpenID Connect?
we know that we need to pass both client_id and redirect_uri in the authorization request.
https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission
But isn’t that client app already registered its redirec… Continue reading Why redirect_uri is needed when client_id is supplied in OAuth2?
I am trying to implement "Login with Google/Apple etc…" on a web platform and I can’t wrap my head around how you can trust the response that supposedly comes from the resource server owned by these platforms.
For comparison, w… Continue reading How OpenID over OAuth 2.0 can be trusted?
In Kubernetes clusters, we often wish to provide temporary credentials to the containerised processes running in a particular pod, usually marked by associating the pod with a service account.
Recently (in late 2023) AWS introduced "… Continue reading How do AWS "Pod Identities" compare to (OIDC) IRSA?
When searching for information about Openid Connect, I read some confusing, incorrect claims about it. Since others may see results indicating an incorrect answer to the question of whether Openid Connect is obsolete, I am asking it here. … Continue reading Is OpenID Connect obsolete? [closed]
I’m working within a spec that uses the OpenID Connect third party initiated login + implicit flow. I first have to register my application with the third party, providing them a login initiation url, redirect uri, target link uri. Then th… Continue reading OAuth2 OpenID Connect Third Party Initated Login with implicit flow
I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a react SPA and a .net API, on the same domain. This web app is a case management solution that deals with medical data, running in a private ne… Continue reading Session/cookie expire time, match access token or refresh token from AD?