Collaborate Disseminate
In absence of better solutions, is the nonce is an OpenID Connect ID Token usable to serve as digital signature. The process would be as follows:
A hash is created from the to-be-signed document/transaction.
This hash is then used as the … Continue reading OIDC ID Token nonce as "poor mans digital signature"
in our organization we have our own OpenId server (Identity Server) that we use to authenticate people into our applications, let me explain how we currently handle our web clients.
so we have an API that handles the authentication of user… Continue reading Best Way to handle Authorization tokens on mobile apps
An authorization server issues an access token with issuer details which are exposed in a well-known API of that server. This server uses client authentication JWT tokens with clients configured. These JWT tokens are sent as a part of a re… Continue reading Bearer JWT client authentication and access token issued by authorization server
I am exploring the Cookies and their behaviour with Identity Server and I have a sample instance of IdentityServer4 running with the basic config in memory.
I have my Identity Server 4 Cookie set to 1 minute, and I have set the MVC client … Continue reading Does IdentityServer4 trigger front or back-channel log-out when the Local/External Session Cookie expires?
Details: traditional web-application with react frontend & nodejs API backend. FE & BE served on the same domain. FE -> example.com, API -> example.com/api
We have users and some of the private API routes (the majority of the… Continue reading Is it worth replacing session based traditional auth with OpenID-Connect?
I need to provide high security for user data. So I would have to encrypt userinfo_endpoint response (despite using TLS, these are the requirements I got).
But encrypting userinfo_endpoint response require a some mechanism to do key exchan… Continue reading Using id_token for all user data instead of userinfo endpoint in OIDC
I use OAuth2 private_key_jwt authentication scheme to authenticate clients. Also, I need to be sure that request body isn’t modified.
I see two ways:
In token which I use to authenticate client I can add claim that contains hash of entire… Continue reading Sign vs hash HTTP body request
In OAuth2 access token is typically JWT signed by authorization server. Assuming that we will use Ed25519 to sign the JWT, we will have 128 bits of security.
But what about access tokens that would be encrypted with XChaCha20-Poly1305 inst… Continue reading Encrypted instead of signed access tokens in OAuth2
I have a OIDC provider that can’t use mutual TLS authentication due to mTLS problems like certificates expiration (what if client didn’t rotate certificate and it’s expired now? Client cant authenticate to server to e.g. inform server that… Continue reading Using certificate-constrained access tokens created by private key used to authentication (with private_key_jwt)
I have an oauth implementation (uses phone number for authentication) which is used across several applications. These applications want to maintain the same identity of the user as the user moves across applications.
Example scenario 1:
… Continue reading Oauth: only allow login with a certain id