Collaborate Disseminate
Details: traditional web-application with react frontend & nodejs API backend. FE & BE served on the same domain. FE -> example.com, API -> example.com/api
We have users and some of the private API routes (the majority of the… Continue reading Is it worth replacing session based traditional auth with OpenID-Connect?
I need to provide high security for user data. So I would have to encrypt userinfo_endpoint response (despite using TLS, these are the requirements I got).
But encrypting userinfo_endpoint response require a some mechanism to do key exchan… Continue reading Using id_token for all user data instead of userinfo endpoint in OIDC
I use OAuth2 private_key_jwt authentication scheme to authenticate clients. Also, I need to be sure that request body isn’t modified.
I see two ways:
In token which I use to authenticate client I can add claim that contains hash of entire… Continue reading Sign vs hash HTTP body request
In OAuth2 access token is typically JWT signed by authorization server. Assuming that we will use Ed25519 to sign the JWT, we will have 128 bits of security.
But what about access tokens that would be encrypted with XChaCha20-Poly1305 inst… Continue reading Encrypted instead of signed access tokens in OAuth2
I have a OIDC provider that can’t use mutual TLS authentication due to mTLS problems like certificates expiration (what if client didn’t rotate certificate and it’s expired now? Client cant authenticate to server to e.g. inform server that… Continue reading Using certificate-constrained access tokens created by private key used to authentication (with private_key_jwt)
I have an oauth implementation (uses phone number for authentication) which is used across several applications. These applications want to maintain the same identity of the user as the user moves across applications.
Example scenario 1:
… Continue reading Oauth: only allow login with a certain id
I try to understand how the integration we are using with OpenID works. I have read documents and different websites, but I feel that something escapes me related with SSO – I didnĀ“t find so much information about this. If you could help m… Continue reading How SSO with OpenID and Azure AD works?
When the law requires consent screen to be displayed for user? Should it be displayed only for third party applications (e.g. signing to stackoverflow by google account) or is it also necessary for first party apps?
And if user give consen… Continue reading When need I to display consent and should deprecated consents be stored? [migrated]
When we use mTLS we can use access tokens constrained to client certificate that was sent to token endpoint to receive the access token. In this case, if only the client that send this request can use this access token even if access token… Continue reading Access token lifetime when tokens are client certificate constrained
Imagine a authorization_code flow which MUST use PAR and after succeded authorization at authorization_endpoint instead of returning code and state returns only code, but this response is encrypted with state sent earlier in PAR request. N… Continue reading Encrypting authorization response with state