Collaborate Disseminate
When we use PAR and PKCE, then I see that some of required parameters are useless. See it:
Using pre-registered redirect_uri is now useless, because when we use PAR and set our redirect_uri client is authenticated.
Using state in authoriz… Continue reading Useless request parameters in OpenID Connect
Following FAPI we should use JARM within authorization response (redirection to client with state and code parameter). Does it make any sense, when we use PKCE and PAR? Even if attacker take over code he still isn’t able to get access toke… Continue reading Does using JARM make sense when we use PKCE and PAR?
Assume that we have a client X and client Y. There’s also api resources: api-resource-1 and api-resource-2, and api scopes: test.read and test.write.
Client X is allowed to test.read within api-resource-1 and api-resource-2. It’s also allo… Continue reading Attack using the same scope names within differents api resources with OpenID Connect / OAuth2
When we use PAR, I see some problems:
When we redirect user to login page we have to store (while user is on the login page) the same data as contained in request object referenced by request_uri (because the login page must redirect user… Continue reading Handle authorization_code flow with Pushed Authorization Requests
I understand that oauth is an Authorization protocol, but it is possible to use it for authentication when clubbed with something like open ID Connect.
I am trying to understand why do we need an extra token in the redirect url to prove au… Continue reading Using oauth for authentication
When to use application layer encryption? Is it important in backchannel communication (machine-to-machine) without users?
And e.g. when we create state in OpenID Connect’s client and redirect the user to an identity provider, shouldn’t we… Continue reading When to use application layer encryption
I am designing an ecosystem of web applications that uses an Open ID Connect (OIDC) authorization server. The users authenticate to the authorization server using the Authorization Code Flow with Proof Key for Code Exchange (PKCE). This au… Continue reading How to manage long-term access to profile data using OIDC?
When client redirects user to identity provider with OpenID Connect then it have to save state, nonce and code_verifier e.g. in cookie. But are they any disadvantages/security issues of storing all these values (state, nonce, code_verifier… Continue reading Storing state, nonce and code_verifier in session cookie OpenID Connect
I want to accomplish the following:
Having a web application or mobile app authenticating users using openid connect.
Having a REST Api authenticated using openid connect using the same user as for point 1.
The user should not have to con… Continue reading OpenID Connect for authenticating a web-api
As I understand it, OAuth is the natural evolution of authentication protocols
I understand in a general way that evolution is as follows:
basic authentication
cookies
tokens, at this point you want to separate the front from the back.
OA… Continue reading Why do big sites use cookies and not OpenID connect?