Collaborate Disseminate
In the OpenID Connect "authorisation-code flow" what security vulnerability is exposed, if the application relies on claims in the ID Token without validating that token?
For example, Google suggests that validating the token is … Continue reading Does an OIDC ID Token need validation in authorization-code flow?
During a pentest I have found a JWT that seems to be a refresh-token issued by some IAM software.
The scope field in the JWT lists all the applications as URLs that this token can be used to obtain access tokens for.
From an attacker persp… Continue reading URLs in JWT scope
What alternatives for authentication and authorization technologies besides OAuth, SAML, OpenID Connect, and WebAuthn can be used for cloud apps?
I am currently writing my thesis and would like to look into the future and see if there are … Continue reading alternatives for OAuth, SAML, OpenID Connect, and WebAuthn [closed]
I have several apps connected to a single Identity Provider, which allows a Single SignOn experience for our users, and requires also a Single LogOut one.
For the logout, any app will start the logout request, calling the Identity Provider… Continue reading Is it dangerous to expose a front-channel logout endpoint that does not require authentication?
I’m trying to figure out how to implement authentication for an application using OpenID Connect.
The application’s frontend is a single-page application, written in React.js. The application has a backend API. The frontend makes APIs call… Continue reading OIDC for SPAs with backend API – PKCE vs traditional auth code flow
This spec defined DPoP mechanism to bind cryptographically bind access tokens. There is also mention about authorization code binding.
But hey, do you see any sense in it? Ok, it obviously is a way to prevent authorization code injection a… Continue reading Is there any sense in use of Authorization Code Binding To DPoP Key when client is confidential and uses PKCE?
In absence of better solutions, is the nonce is an OpenID Connect ID Token usable to serve as digital signature. The process would be as follows:
A hash is created from the to-be-signed document/transaction.
This hash is then used as the … Continue reading OIDC ID Token nonce as "poor mans digital signature"
in our organization we have our own OpenId server (Identity Server) that we use to authenticate people into our applications, let me explain how we currently handle our web clients.
so we have an API that handles the authentication of user… Continue reading Best Way to handle Authorization tokens on mobile apps
An authorization server issues an access token with issuer details which are exposed in a well-known API of that server. This server uses client authentication JWT tokens with clients configured. These JWT tokens are sent as a part of a re… Continue reading Bearer JWT client authentication and access token issued by authorization server
I am exploring the Cookies and their behaviour with Identity Server and I have a sample instance of IdentityServer4 running with the basic config in memory.
I have my Identity Server 4 Cookie set to 1 minute, and I have set the MVC client … Continue reading Does IdentityServer4 trigger front or back-channel log-out when the Local/External Session Cookie expires?