Collaborate Disseminate
I have a OIDC provider that can’t use mutual TLS authentication due to mTLS problems like certificates expiration (what if client didn’t rotate certificate and it’s expired now? Client cant authenticate to server to e.g. inform server that… Continue reading Using certificate-constrained access tokens created by private key used to authentication (with private_key_jwt)
I have an oauth implementation (uses phone number for authentication) which is used across several applications. These applications want to maintain the same identity of the user as the user moves across applications.
Example scenario 1:
… Continue reading Oauth: only allow login with a certain id
I try to understand how the integration we are using with OpenID works. I have read documents and different websites, but I feel that something escapes me related with SSO – I didnĀ“t find so much information about this. If you could help m… Continue reading How SSO with OpenID and Azure AD works?
When the law requires consent screen to be displayed for user? Should it be displayed only for third party applications (e.g. signing to stackoverflow by google account) or is it also necessary for first party apps?
And if user give consen… Continue reading When need I to display consent and should deprecated consents be stored? [migrated]
When we use mTLS we can use access tokens constrained to client certificate that was sent to token endpoint to receive the access token. In this case, if only the client that send this request can use this access token even if access token… Continue reading Access token lifetime when tokens are client certificate constrained
Imagine a authorization_code flow which MUST use PAR and after succeded authorization at authorization_endpoint instead of returning code and state returns only code, but this response is encrypted with state sent earlier in PAR request. N… Continue reading Encrypting authorization response with state
When we use PAR and PKCE, then I see that some of required parameters are useless. See it:
Using pre-registered redirect_uri is now useless, because when we use PAR and set our redirect_uri client is authenticated.
Using state in authoriz… Continue reading Useless request parameters in OpenID Connect
Following FAPI we should use JARM within authorization response (redirection to client with state and code parameter). Does it make any sense, when we use PKCE and PAR? Even if attacker take over code he still isn’t able to get access toke… Continue reading Does using JARM make sense when we use PKCE and PAR?
Assume that we have a client X and client Y. There’s also api resources: api-resource-1 and api-resource-2, and api scopes: test.read and test.write.
Client X is allowed to test.read within api-resource-1 and api-resource-2. It’s also allo… Continue reading Attack using the same scope names within differents api resources with OpenID Connect / OAuth2
When we use PAR, I see some problems:
When we redirect user to login page we have to store (while user is on the login page) the same data as contained in request object referenced by request_uri (because the login page must redirect user… Continue reading Handle authorization_code flow with Pushed Authorization Requests