Collaborate Disseminate
When searching for information about Openid Connect, I read some confusing, incorrect claims about it. Since others may see results indicating an incorrect answer to the question of whether Openid Connect is obsolete, I am asking it here. … Continue reading Is OpenID Connect obsolete? [closed]
I’m working within a spec that uses the OpenID Connect third party initiated login + implicit flow. I first have to register my application with the third party, providing them a login initiation url, redirect uri, target link uri. Then th… Continue reading OAuth2 OpenID Connect Third Party Initated Login with implicit flow
I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a react SPA and a .net API, on the same domain. This web app is a case management solution that deals with medical data, running in a private ne… Continue reading Session/cookie expire time, match access token or refresh token from AD?
I’m exploring the possibility of implementing OpenID Connect (OIDC) with an HTTP-only cookie to keep my frontend code completely authentication-agnostic, instead of passing the Authorization header around through Javascript code.
The idea … Continue reading OIDC with JWT in HTTP-only cookie instead of HTTP Authorization bearer header
In the OpenID Connect "authorisation-code flow" what security vulnerability is exposed, if the application relies on claims in the ID Token without validating that token?
For example, Google suggests that validating the token is … Continue reading Does an OIDC ID Token need validation in authorization-code flow?
During a pentest I have found a JWT that seems to be a refresh-token issued by some IAM software.
The scope field in the JWT lists all the applications as URLs that this token can be used to obtain access tokens for.
From an attacker persp… Continue reading URLs in JWT scope
What alternatives for authentication and authorization technologies besides OAuth, SAML, OpenID Connect, and WebAuthn can be used for cloud apps?
I am currently writing my thesis and would like to look into the future and see if there are … Continue reading alternatives for OAuth, SAML, OpenID Connect, and WebAuthn [closed]
I have several apps connected to a single Identity Provider, which allows a Single SignOn experience for our users, and requires also a Single LogOut one.
For the logout, any app will start the logout request, calling the Identity Provider… Continue reading Is it dangerous to expose a front-channel logout endpoint that does not require authentication?
I’m trying to figure out how to implement authentication for an application using OpenID Connect.
The application’s frontend is a single-page application, written in React.js. The application has a backend API. The frontend makes APIs call… Continue reading OIDC for SPAs with backend API – PKCE vs traditional auth code flow
This spec defined DPoP mechanism to bind cryptographically bind access tokens. There is also mention about authorization code binding.
But hey, do you see any sense in it? Ok, it obviously is a way to prevent authorization code injection a… Continue reading Is there any sense in use of Authorization Code Binding To DPoP Key when client is confidential and uses PKCE?